I. Introduction

Recently, Taiwan’s Ministry of the Interior (MOI) issued an order to suspend Domain Name System (DNS) resolution of or otherwise restrict access to the Chinese social media app RedNote (Xiaohongshu) for a period of 1 year.[1] Shortly after the order was issued, many people (users) reported they were unable to connect to RedNote, triggering extensive controversy and discussion. In the past, there have also been news reports of similar events in Taiwan, such as the seizure of the MapleStage website and the suspension of DNS resolution of the Creative Private Room forum, where some websites displayed a connection failure message or redirected users to a page indicating “This Domain Name Has Been Blocked.” News reports frequently describe websites as “seized,” “blocked,” or subject to “access restriction” or “DNS resolution suspension.” What technologies do these terms refer to? Are these measures administrative dispositions rendered by the government, or private, discretionary acts undertaken by internet service providers on a self-regulatory basis? Does the execution of the relevant measures have a clear legal basis, and what procedural safeguards should be followed?
In recent years, several laws—including the Fraud Crime Hazard Prevention Act, the Tobacco Hazards Prevention Act, the Narcotics Hazard Prevention Act, and the Child and Youth Sexual Exploitation Prevention Act—have been amended to explicitly incorporate measures such as DNS resolution suspension and access restriction into their regulatory frameworks. Meanwhile, the Ministry of Digital Affairs (MODA) in 2025 issued the Reference Procedures for Handling Illegal Websites Through the Utilization of the DNS RPZ Self-Regulatory Framework to Suspend DNS Resolution (the “MODA DNS RPZ Guidelines”),[2] and published relevant legal bases for the utilization of this DNS RPZ mechanism and identified the competent authorities authorized to employ it. These developments indicate that Taiwan has been gradually building a systematic operational framework in the field of digital governance.
Against this background, this article focuses on introducing Taiwan’s current DNS resolution suspension mechanism and the development in its related regulatory practices, while also offering observations and perspectives on the future direction of the system.

II. Network Governance of the Taiwan Network Information Center (TWNIC): The DNS RPZ Mechanism

1. Domain Names and the Mechanism of DNS Resolution

The domain names we enter in everyday use (such as “winklerpartners.com”) consist of a string of letters, numbers, periods (.), and a domain suffix. Typically, domain names can be quickly and easily remembered, serving a function similar to that of street addresses. However, before a connection can be successfully established and a webpage displayed, the domain name must first be processed through DNS resolution, which converts the domain name into a corresponding IP address that computers can identify (such as “111.22.333.44”).
“Restricting access” refers to the use of specific technologies to restrict users from accessing certain domain names, and “suspending DNS resolution” is one of the technologies commonly used to restrict access. At present, an important method for suspending DNS resolution is the use of a DNS filtering mechanism called DNS Response Policy Zone (DNS RPZ). When a specific domain is included in an RPZ blacklist, a DNS server may, according to its configuration, refuse to provide the resolution result of the IP address corresponding to the domain, redirect the request to a specific webpage (for example, a notice page from law enforcement authorities), or even respond that the domain does not exist (“Non-existent domain”). Under such circumstances, users are unable to connect to the website, thereby achieving the result of “suspending DNS resolution.”

2. Domain Name Management and the Building of the DNS RPZ Mechanism in Taiwan

The registration and management of Taiwan’s national domain names, “.tw” and “.台灣” (literally “.Taiwan”), are administered by TWNIC. TWNIC is a non-profit organization responsible for domain name registration and management and the allocation of IP address resources in Taiwan. It serves as both the operator and coordinator of Taiwan’s critical internet infrastructure. In response to the growing prevalence of cybercrimes, TWNIC has cooperated with domestic internet access service providers (IASPs) that participate on a voluntary basis in jointly building the DNS RPZ self-regulatory framework. By the design of this mechanism, DNS resolution suspension measures for specific malicious or illegal domains may be initiated and taken only on the basis of a court decision (judgment or ruling) or a disposition lawfully rendered by the competent authority. [3] Under this framework, TWNIC is only responsible for technical execution and has no substantive discretionary authority.

Furthermore, in 2025, MODA—the competent authority having jurisdiction over TWNIC—issued the latest version of the MODA DNS RPZ Guidelines, and also compiled the legal bases for the utilization of the DNS RPZ mechanism and identified the authorities authorized to employ it, thereby making the operational procedures for suspending DNS resolution more systematic and transparent. Meanwhile, TWNIC also discloses information on the DNS RPZ execution status in its transparency reports, enabling the public to monitor how network governance measures are implemented in response to the increasing challenges posed by unlawful online activities.
However, DNS resolution suspension and access restriction measures may affect the people’s freedom of access to information and freedom of expression and may also implicate website operators’ freedom to conduct business and the protection of their property rights. Therefore, these measures should have a legal basis and be subject to the requirement of due process. If IASPs are required to execute access restriction measures without clear legal authorization and procedural safeguards in place, this may violate the principle of legal reservation and has become a central and unavoidable issue in the current operation of the system.

III. TWNIC’s DNS RPZ Mechanism for Suspending DNS Resolution of Illegal Websites and the Development of the Relevant Regulatory Framework

Looking at the development of the DNS resolution suspension system, TWNIC issued RPZ 1.0 in 2020, establishing that such suspensions may only be initiated on the basis of a court decision or administrative order. However, at that time, the system had not yet established clear appeal and remedy procedures, so parties subject to DNS resolution suspension dispositions lacked effective channels for seeking remedies, thereby giving rise to concerns about insufficient procedural safeguards. The subsequent RPZ 1.5 primarily addressed emergency cases related to crime prevention. Under this version, the suspension of DNS resolution could be requested by a criminal investigation authority or a designated administrative authority, without the need for a court decision. RPZ 1.5 initially applied only to websites posing cybersecurity risks, but its scope was gradually expanded to include blocking fraudulent and gambling websites, facilitating emergency law enforcement during election periods, and combating disinformation during elections. As the scope of application broadened and reports emerged of domains being mistakenly blocked, concerns arose regarding the legitimacy of these DNS resolution suspension procedures and their compliance with the principle of proportionality. The question of whether such procedures should require prior or subsequent review by an independent authority, or whether a more comprehensive legal-procedural framework should be established, has also sparked discussions among stakeholders.[4]

The 2025 MODA DNS RPZ Guidelines expressly provide that the suspension of DNS resolution may only be initiated on the basis of a court decision or an administrative disposition lawfully rendered by an administrative agency. Otherwise, IASPs may not be required to execute the suspension. Furthermore, parties who disagree with such dispositions may seek remedies by filing an administrative appeal or initiating litigation before the court or competent authority to challenge the court decision or administrative disposition underlying the suspension. [5]

According to the MODA guidelines, DNS resolution suspension dispositions fall into two categories:

• Category 1: Applicable laws and regulations authorize the relevant authorities to order IASPs to suspend DNS resolution. In this category, IASPs are parties against whom dispositions are rendered under the relevant provisions.

For example, Article 42 of the Fraud Crime Hazard Prevention Act provides:

To deal with fraud crime prevention emergencies and promptly prevent the public from accessing fraudulent websites, the competent authorities in charge of the relevant industries or judicial police authorities may order internet access service providers to suspend DNS resolution or restrict access[6] when the authorities believe there is a need for immediate disposition.

Accordingly, the competent authority or judicial police authority may directly render a disposition against IASPs, ordering them to suspend DNS resolution of fraudulent websites. It should be noted that, because IASPs are parties against whom the dispositions are rendered under the applicable law or regulation, even those that have not joined the DNS RPZ mechanism are still required to execute the suspension in accordance with the law.

• Category 2: IASPs assist in the execution of dispositions rendered by competent authorities.

In this category, as a general principle, before rendering a disposition, the competent authority must first notify an internet content provider (ICP) (e.g., Netflix), internet platform provider (IPP) (e.g., Facebook), or application service provider (ASP) (e.g., App Store) to restrict access or remove illegal content, in accordance with applicable laws and regulations. Only if the internet service provider fails to take the required action may the competent authority, pursuant to applicable laws and regulations, render an administrative disposition to take DNS resolution suspension or access restriction measures. Under Category 2 dispositions, IASPs are not parties against whom the dispositions are rendered under the relevant laws or regulations. Instead, the authorities rendering the dispositions rely on the administrative immediate coercion provided in Article 36 of the Administrative Execution Act[7] and request IASPs to assist and cooperate in executing the dispositions.

An example can be found in Article 8-1, paragraphs 6 and 7 of the Child and Youth Sexual Exploitation Prevention Act, which provide:
In any of the following circumstances, the competent authority may execute access restriction:

1. Where it is unable to ascertain the contact information of the internet service provider and, therefore, cannot effect the service referred to in paragraph 1.

2. Where it believes that the crime involved by the webpage information should be considered material and there should be a need for immediate disposition to prevent crimes, expansion of hazards or to avoid imminent danger.

3. Where the internet service provider is suspected of being involved in any of the offenses prescribed in Chapter IV for changing its domain name or using any other methods after being subject to access restriction.

In order to help the competent authority execute the access restriction under the preceding paragraph and Article 47 hereof, the competent authority for the administration of digital development affairs, competent authority for the administration of education-related affairs, competent authority for the regulation of telecommunications and broadcasting services, competent authority for the administration of legal affairs, competent authority for the administration of police administrative affairs, and internet access service providers shall provide assistance in the execution pursuant to laws.

It can be seen that, under the above provisions, the IASPs are not parties against whom the access restriction disposition is rendered but are parties required to assist the competent authority in executing it.

Similarly, Article 7 of the Enforcement Rules of the Child and Youth Sexual Exploitation Prevention Act[8] and Article 9 of the Enforcement Rules for the Sexual Assault Crime Prevention Act[9] also provide that, when the competent authority believes there is a need for immediate disposition, it may execute administrative immediate coercion in accordance with the Administrative Execution Act.

There is a further scenario within Category 2 dispositions in which the laws applicable to the competent authorities do not yet expressly authorize them to execute DNS resolution suspension or access restriction. Prior to the enactment or amendment of relevant laws, however, the competent authorities may, in order to prevent crimes or hazards or to avoid imminent danger, obtain approval from the Executive Yuan and rely on Article 36 of the Administrative Execution Act to utilize the DNS RPZ mechanism to address certain types of internet-based illegal activities.[10] For example, the Executive Yuan has approved the inclusion of the authorities that render dispositions under the Tobacco Hazards Prevention Act and the Narcotics Hazard Prevention Act within the scope of the DNS RPZ procedures. As a result, even though these two laws do not explicitly provide a legal basis for DNS resolution suspension or access restriction, at present the DNS RPZ mechanism may still be utilized to suspend DNS resolution of domains that violate these laws.

However, to avoid controversy arising from long-term reliance solely on Article 36 of the Administrative Execution Act as the basis, and to ensure that relevant entities have a clear legal basis for executing DNS resolution suspension or access restriction, the MODA guidelines specify that, for cases approved by the Executive Yuan for the application of the DNS RPZ mechanism, if relevant laws are not enacted or amended within 2 years, the DNS RPZ mechanism shall cease to be used for the cases for which it was approved.
It can be seen from the above that the operation of the DNS RPZ mechanism cannot be carried out by a single entity alone. Rather, it involves the division of authority and procedural coordination among multiple administrative authorities, while also relying on the cooperation and technical execution of internet service providers. Only through such coordinated efforts can the system be effectively implemented and function smoothly.

IV. Conclusion

With the amendment of relevant laws and regulations and the issuance of the MODA guidelines, Taiwan has gradually established a clearer legal basis and procedural framework for the suspension of DNS resolution of illegal websites. These developments provide a certain degree of protection for the rights of the people and the interests of internet service providers, while also enabling administrative authorities to execute such dispositions in accordance with the law.
However, suspending DNS resolution only blocks users’ access to content unilaterally and cannot completely remove illegal content. For illegal websites hosted overseas that frequently change domains to circumvent DNS resolution suspension dispositions, more comprehensive execution procedures remain necessary. Given the borderless nature of the internet, a future direction worth noting in Taiwan’s efforts to combat cybercrime is how competent authorities, law enforcement agencies, and internet governance bodies such as TWNIC can collaborate with public and private entities abroad to effectively combat overseas illegal websites and achieve complete removal of the content, rather than merely suspending DNS resolution unilaterally.

 
This article is written by Gary Kuo, Yi-Kai Chen, and Ting-Yu Chang.
 

If you would like to learn more about laws and regulations and other matters related to this article, please feel free to contact us at gkuo@winklerpartners.com and ychen@winklerpartners.com.

[1] National Police Agency (2025/12/04), Ministry of the Interior Issues Temporary Measures on Fraud-Involving, High-Risk Apps to Safeguard Public Information Security https://www.moi.gov.tw/News_Content.aspx?n=4&s=334958

[2] Ministry of Digital Affairs, Reference Procedures for Handling Illegal Websites Through the Utilization of the DNS RPZ Self-Regulatory Framework to Suspend DNS Resolutionhttps://moda.gov.tw/information-service/govinfo/administrative-directions/ad-resource-management/16778

[3] TTWNIC, DNS RPZ Governancehttps://rpz.twnic.tw/#/governance

[4] Kenny Huang (2020/09/23), DNS RPZ Summary.

[5] DNS RPZ: A Self-Regulatory Framework by TWNIChttps://rpz.twnic.tw/#/mechanism#main

[6] Access restriction: Refers to the practice whereby internet access service providers (IASPs) use DNS resolution suspension or other technological means to restrict users from accessing malicious or inappropriate domain names or websites.

[7] Article 36 of Chapter 4 (Administrative Immediate Coercion) of the Administrative Execution Act provides:

In the interest of preventing crimes, hazards, or avoiding imminent danger, if there is a need for immediate disposition, administrative immediate coercion may be executed by an administrative authority.

Administrative immediate coercion shall proceed as follows:
1. Physically restraining the person.
2. The retaining, use, disposing of, or limiting the use of objects.
3. Entering residences, buildings, or other places.
4. Other necessary disposition authorized by law.

[8] Article 7 (added in 2023) of the Enforcement Rules of the Child and Youth Sexual Exploitation Prevention Act provides:

If the competent authority in charge of the relevant industry is unable to ascertain the contact information of the internet service provider and, therefore, cannot effect the service as provided in the preceding article, but there is a need for immediate disposition to prevent crimes, hazards, or to avoid imminent danger, administrative immediate coercion may be executed in accordance with the Administrative Execution Act.

[9] Article 9 of the Enforcement Rules for the Sexual Assault Crime Prevention Act provides:

If the competent authority in charge of the relevant industry is unable to ascertain the contact information of the internet service provider and, therefore, cannot effect the service as provided in the preceding article, but there is a need for immediate disposition to prevent crimes, hazards, or to avoid imminent danger, administrative immediate coercion may be executed in accordance with the Administrative Execution Act.

[10] See Points 7 and 12 of the Reference Procedures for Handling Illegal Websites Through the Utilization of the DNS RPZ Self-Regulatory Framework to Suspend DNS Resolution.