Since DNS resolution is correct, there are three industrially ready options:
1. Provider DPI: probably all providers already have it in one form or another.
Logically, DPI is usually included in the link break between the kernel and NAT.
Physically, too.
In addition to the usual shaping and per-subscriber traffic counting, a set of ALGs (Application Layer Gateway) is implemented there, which are, in fact, transparent proxies for typical protocols: HTTP, FTP, DNS, etc.
As a rule, ALGs can not only respond to certain field values, but also interfere with the data transfer process.
The number of ALGs depends on the trickiness of the DPI; Procera even has World of Warcraft)
Well, HTTP page spoofing is perhaps the most used feature of the HTTP ALG.
2. A knee-deep solution:
Described by none7 Start
a server on your network with ip-addresses that match the IP-addresses of Vkontakte (well, or NAT'it all requests to it on a stub server, which is about the same) - quite a solution for yourself if you need to block the service as a whole, and not individual pages on it.
But if all of a sudden your politicians get stupid from ours, and the list of blocked resources starts to grow, providers will howl to support this
option
) thousand URLs.
It turned out that with such a number of entries, many provider DPIs are simply crushed, so this task is often solved as follows: separate servers are set up that connect directly to the provider's BR (Border routers).
Server tasks:
- swallow the list of blocked resources, tear out domain names from there and split them into ip-addresses; several tens of thousands
of addresses are obtained - the received addresses through OSPF or BGP are merged into BR. BR - it's big, it calmly holds BGP Full View, so 10-20-50k extra prefixes for it is a drop in the bucket
. It turns out that all traffic towards ip-addresses that contain at least one blocked page now flows to these servers .
It would seem, what server will digest all this, but dozens of them can be produced: ECMP / Load Balancing works at the routing level, and traffic is spread between servers approximately equally.
On the Linux servers themselves, and on Linux - squid in transparent mode and iptables )
Accordingly:
- tcp port 80 is sent to squid by iptables, where each URL requested by the subscriber is searched in the list of blocked resources
- SNI is checked in tcp port 443 to understand whether to let traffic through further, or cut to such and such a mother
- all other traffic (and pings, yeah) is passed through without change

If it erased the DNS record, then you would not receive anything at all, except for a message from the browser about the network not working. Your ISP has configured NAT to block addresses and all traffic going to ip vk is processed by the provider's server, including ping. A delay of 1 millisecond shows this perfectly, since this happens only within the city, and vk does not have a CDN.

most likely checks packets on gateways

see about iptables , with the amendment that on Provo equipment this is done by specially sharpened iron

Dns answer is correct, I have the same ips on vk.com. Most likely blocked by ip. By the way, what happens if you go to https://vk.com?

Most likely cut ports 80/443. You haven't had time to implement full dpi yet. This can be verified by running traceroute with an explicit port specification. Although if the provider is large, most likely it is still dns. Put explicitly on the PC Google.

tracert look, most likely whois for the last hops will show that they belong to your provider.
Well, show us, I would be interested to look.
PS: from the provider's point of view, this is a big stink, because on the stub they can collect your cookies and some other private data.