CleanBrowsing is a DNS-based resolver, which means it needs fully qualified domain names (FQDNs) to work. In the case of TOR, we can block the domain torproject.org, but we cannot block the exit nodes that power the TOR network. So if TOR is already installed, it will continue to work.
What is TOR?
At its core, TOR is about anonymity and privacy. It ensures that you can access whatever you want on the web and have a high degree of confidence that you are not being tracked or watched.
The technology is free and easy for both novice and advanced users to use. It routes its traffic through something known as “nodes”. These nodes make up a massive network that routes and bounces traffic around the world until it arrives at its destination. This is why it is so effective at anonymous communication.
Why DNS Filtering Won’t Stop TOR
DNS-based content filtering works by blocking access to specific domain names or returning altered responses for queries. While this is effective for blocking websites, it does not work well against TOR for several reasons:
- TOR Uses Hardcoded IPs
  - TOR clients don’t rely on DNS to connect to relays; they use a list of hardcoded IP addresses from the TOR directory authorities.
  - Even if you block known .onion service domains, users can still access the network using TOR’s built-in relays.
- Bridge and Obfuscated Nodes
  - TOR provides bridge relays that help users bypass filtering. These relays are designed to avoid detection and are often distributed via out-of-band methods like email.
  - Some bridges even use pluggable transports (like Meek and Obfs4) to make their traffic look like regular HTTPS or other encrypted protocols.
- Exit Nodes and Hidden Services Operate on IPs
  - The TOR network does not rely on domain names. Instead, traffic is routed through direct IP addresses, which are not subject to DNS filtering.
- TOR Over VPN or Proxy
  - If a user connects to a VPN first, then launches TOR, all DNS requests go through the VPN’s resolver, bypassing any local DNS filtering.
Because of these limitations, administrators must use network-level controls to effectively block TOR.
Blocking TOR on your Network
Blocking TOR on your network has to occur at your network gateway. DNS resolvers like CleanBrowsing, or any of the other options on the market, will not be able to completely block TOR.
The reason is the architecture explained above: each node is reached by a direct IP address, not a domain name, so it cannot be blocked at the DNS resolver. The best solution is to track a TOR node list and use it to keep your network firewall’s block rules up to date.
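One way to turn such a node list into gateway rules, as an added example that is not CleanBrowsing’s or the Tor Project’s code: it parses a relay-list feed (a constructed sample here), discards junk and addresses that would only hurt the gateway if the feed were tampered with, and emits nftables commands that log and drop forwarded traffic to the listed addresses. The table, set and chain names and the log prefix are assumptions to fit to your own ruleset.

```python
"""Turn a Tor node list into nftables block rules (added example, not CleanBrowsing code)."""
import ipaddress

# Constructed sample feed (documentation-range addresses, not real relays); a real
# deployment would fetch a published relay list on a schedule and re-run this.
SAMPLE_NODE_LIST = """\
198.51.100.10
198.51.100.10          # duplicate, must collapse
203.0.113.42
2001:DB8::1            # mixed case, must canonicalise
127.0.0.1              # poisoned entry: never block our own loopback
not-an-ip              # junk line, must be skipped
"""

def parse_node_list(text: str) -> list[str]:
    """Return validated, canonical, deduplicated addresses in first-seen order."""
    seen: set[str] = set()
    out: list[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        try:
            addr = ipaddress.ip_address(line)
        except ValueError:
            continue  # a malformed line must not become a malformed rule
        # Refuse addresses that can only harm the gateway if the feed is tampered with.
        if addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_unspecified:
            continue
        if str(addr) not in seen:
            seen.add(str(addr))
            out.append(str(addr))
    return out

def nft_rules(addresses: list[str], table: str = "filter") -> list[str]:
    """Build nft commands: v4/v6 sets plus forward-chain log-and-drop rules (names assumed)."""
    v4 = [a for a in addresses if ":" not in a]
    v6 = [a for a in addresses if ":" in a]
    cmds = [f"add table inet {table}",
            f"add chain inet {table} forward {{ type filter hook forward priority 0; }}"]
    for name, typ, proto, addrs in (("tor_v4", "ipv4_addr", "ip", v4),
                                     ("tor_v6", "ipv6_addr", "ip6", v6)):
        cmds.append(f"add set inet {table} {name} {{ type {typ}; }}")
        if addrs:
            cmds.append(f"add element inet {table} {name} {{ {', '.join(addrs)} }}")
        # Log before dropping so the SOC sees which internal hosts tried to reach Tor.
        cmds.append(f'add rule inet {table} forward {proto} daddr @{name} log prefix "tor-block " drop')
    return cmds
```

Clients enter the network through guard relays, so the feed used for outbound blocking should cover all relays rather than only exits. Bridges, as the list above notes, will not appear in any public feed, so this control limits rather than eliminates TOR use.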
If you’re an enterprise, here are a few articles from different providers that can help you block TOR on your firewall appliance or network: