How to Block Tor on Your Network

Tor is designed to resist blocking, which means DNS filtering alone cannot stop it. This guide covers a layered approach using DNS, firewalls, deep packet inspection, and endpoint controls to reduce Tor usage on your network.


Step 1: Why DNS Alone Can't Block Tor

Unlike most internet applications, Tor does not rely on DNS to establish connections. The Tor client uses hardcoded IP addresses to contact directory authorities and relay nodes. This means that even if you block every Tor-related domain at the DNS level, the Tor client can still connect directly by IP once it is installed.

DNS filtering does serve one important purpose: it can block access to the Tor Project website and Tor Browser download pages. If users cannot download the Tor Browser in the first place, they cannot use it. CleanBrowsing blocks Tor-related domains on filtered networks.

However, DNS blocking alone is not sufficient because:

  • Hardcoded IPs: Tor connects to directory authorities and relays using IP addresses directly, bypassing DNS entirely.
  • Bridges: Tor bridges are unpublished relay nodes designed specifically to evade blocking. Their IPs are not in public lists.
  • Pluggable transports: Protocols like obfs4 and meek disguise Tor traffic to look like normal HTTPS or CDN traffic.
  • Portable installation: Tor Browser can be run from a USB drive without installation, so even blocking the download site is not foolproof.

This is why blocking Tor requires a layered approach that combines DNS, firewall rules, deep packet inspection, and endpoint controls.

Step 2: Block Tor Directory Authorities

When Tor Browser starts, it contacts a set of directory authority servers to get the current list of relays. There are approximately 10 directory authority servers, and their IP addresses are publicly known and rarely change. Blocking these IPs prevents Tor from bootstrapping its connection.

Block Directory Authority IPs via Firewall

Add firewall rules to block outbound connections to the known directory authority IPs. Here is an example using iptables on Linux. Note that the OUTPUT chain only filters traffic that originates on the firewall host itself; on a gateway that forwards traffic for other machines, add the same rules to the FORWARD chain as well.

# Example: block known Tor directory authorities (host traffic; repeat with -A FORWARD on a gateway)
iptables -A OUTPUT -d 128.31.0.34 -j DROP
iptables -A OUTPUT -d 86.59.21.38 -j DROP
iptables -A OUTPUT -d 194.109.206.212 -j DROP
iptables -A OUTPUT -d 131.188.40.189 -j DROP
iptables -A OUTPUT -d 193.23.244.244 -j DROP
iptables -A OUTPUT -d 171.25.193.9 -j DROP
iptables -A OUTPUT -d 154.35.175.225 -j DROP
iptables -A OUTPUT -d 199.58.81.140 -j DROP
iptables -A OUTPUT -d 204.13.164.118 -j DROP

Block Known Exit Node IPs

The Tor Project publishes a list of exit node IPs that is updated regularly. You can download this list and use it in your firewall rules. Sources include:

  • Tor Project bulk exit list: Available at check.torproject.org/torbulkexitlist
  • Dan.me.uk Tor node list: A community-maintained list of Tor relay and exit node IPs.
  • Commercial threat feeds: Many NGFW vendors include Tor IP lists in their threat intelligence subscriptions.

Important: Tor relay and exit node IPs change frequently. Automate the download and update of these lists on a schedule (daily or more often) to maintain effectiveness.
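The automated update described above, as an added example that is not part of the original guide: the script converts the Tor Project bulk exit list into an ipset and swaps it into place atomically, so iptables can match one set instead of thousands of individual rules. It assumes curl, ipset and iptables are installed, that the "apply" step runs as root, and that the set name, temporary file and minimum-entry sanity floor are local choices.

```shell
#!/bin/sh
# Added example, not code from the original guide: keep an ipset of Tor exit
# addresses current from the Tor Project bulk exit list and match that set
# from iptables. Assumes curl, ipset and iptables; "apply" must run as root.

SET_NAME="tor_exits"
LIST_URL="https://check.torproject.org/torbulkexitlist"
MIN_ENTRIES=100   # refuse to load a list smaller than this (assumed floor)

# Turn a bulk exit list (one IPv4 per line, possibly with comments or blank
# lines) into an `ipset restore` script that swaps the live set atomically,
# so the firewall never sees a half-loaded deny list.
build_ipset_restore() {
    echo "create ${SET_NAME}_new hash:ip family inet"
    # keep only well-formed dotted-quad lines; drop comments, junk, duplicates
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | sort -u |
        sed "s/^/add ${SET_NAME}_new /"
    echo "create ${SET_NAME} hash:ip family inet"
    echo "swap ${SET_NAME}_new ${SET_NAME}"
    echo "destroy ${SET_NAME}_new"
}

# Count the addresses a restore script will load, for the sanity check below.
count_entries() {
    grep -c "^add ${SET_NAME}_new "
}

# Constructed sample standing in for a download (documentation-range IPs).
SAMPLE_LIST='# constructed sample, not real Tor exit addresses
192.0.2.10
198.51.100.7
not-an-ip
192.0.2.10
'

if [ "${1:-}" = "apply" ]; then
    tmp=$(mktemp)
    curl -fsSL "$LIST_URL" | build_ipset_restore > "$tmp"
    n=$(count_entries < "$tmp")
    [ "$n" -ge "$MIN_ENTRIES" ] || { echo "refusing to load $n entries" >&2; exit 1; }
    ipset -exist restore < "$tmp"
    rm -f "$tmp"
    # Match the set on both chains: OUTPUT for this host, FORWARD for the LAN.
    for chain in OUTPUT FORWARD; do
        iptables -C "$chain" -m set --match-set "$SET_NAME" dst -j DROP 2>/dev/null ||
            iptables -I "$chain" -m set --match-set "$SET_NAME" dst -j DROP
    done
fi
```

Run it as `sh tor_exits.sh apply` from a daily cron job; without the argument it only defines the functions, which is also how the embedded sample can be exercised offline.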

Step 3: Deep Packet Inspection and Layer 7 Filtering

Even with directory authority and exit node IPs blocked, Tor can still connect through bridges and pluggable transports that disguise traffic. Deep Packet Inspection (DPI) can identify Tor traffic patterns regardless of the destination IP.

What DPI Can Detect

DPI examines traffic at the application layer and can identify Tor's distinctive TLS handshake patterns, even when running on standard ports like 443. Enterprise-grade firewalls with DPI capabilities include:

Platform            | Tor Detection Feature
--------------------|--------------------------------------------
Palo Alto Networks  | App-ID signatures for Tor and Tor bridges
Fortinet FortiGate  | Application control with Tor category
Cisco Firepower     | Application detection for Tor traffic
Sophos XG/XGS       | Tor application filter rules

Pluggable Transports to Watch For

Tor uses pluggable transports to evade DPI. The main ones to be aware of are:

  • obfs4: The most common pluggable transport. Obfuscates Tor traffic to look like random data. Some DPI engines can still detect it.
  • meek: Routes Tor traffic through CDN providers (Azure, Amazon CloudFront) to make it look like normal HTTPS to a CDN. Very difficult to block without also blocking the CDN.
  • snowflake: Uses WebRTC peer connections as bridges. Detection requires monitoring for unusual WebRTC patterns.

Keep your DPI signatures updated, as Tor developers continuously evolve pluggable transports to evade detection.

Step 4: Layered Approach: Combine All Methods

No single technique can fully block Tor. The most effective strategy combines multiple layers, each addressing a different aspect of Tor's connectivity. Here is a comprehensive checklist:

DNS Layer

  • Block Tor download sites: Use DNS filtering (CleanBrowsing or hosts file) to block torproject.org and mirror sites that host Tor Browser downloads.
  • Block Tor-related domains: Block known Tor bridge distribution domains and onion-related services.

Firewall Layer

  • Block directory authorities: Block outbound connections to the ~10 known directory authority IPs.
  • Block exit node IPs: Maintain and auto-update a deny list of known Tor relay and exit node IPs.
  • Block common Tor ports: Block outbound TCP on ports 9001 (ORPort) and 9030 (DirPort) where possible.

DPI Layer

  • Enable Tor signatures: Use NGFW App-ID or DPI to detect Tor traffic over any port, including 443.
  • Monitor for pluggable transports: Watch for obfs4, meek, and snowflake patterns where your firewall supports it.

Endpoint Layer

  • Block Tor Browser installation: Use MDM, AppLocker, or WDAC to prevent Tor Browser from being installed or executed on managed devices.
  • Restrict USB and portable apps: Tor Browser can run from a USB drive. Restrict removable media execution on managed devices.
  • Monitor for Tor bridge usage: Alert on connections to unusual IPs on port 443 that match Tor bridge patterns.

Remember: Blocking Tor is a best-effort strategy. Determined users with technical skills may find ways around these controls. The goal is to make casual Tor usage impractical and to detect sophisticated attempts through monitoring and alerting.

For more details, see: How to Block the Tor Network (DNS & Firewall)

CleanBrowsing blocks Tor download sites and related domains via DNS filtering as part of a layered defense strategy.
