The Tor network uses volunteer-operated relays to host a distributed, anonymous network. With its goal of reducing the risks of traffic analysis, it ensures that no single point can link a user to their destination. Although Tor has many legitimate uses, there are reasons for a network administrator to want to block all Tor-based traffic on a corporate network.
In short, it's not possible to completely block Tor with Umbrella. When blocking the Proxy/Anonymizer category, torproject.org is blocked; however, user-owned devices may already have the Tor browser installed and bring it onto the network.
Tor acts as a proxy. After opening a TCP connection, the client sends the exit node a payload encoding the address and port of the destination host. The exit node then resolves the address as necessary, so the destination lookup happens at the exit node rather than through the network's own DNS resolver.
Below is additional information to keep in mind.
- Tor onion services use the .onion TLD, which is not recognized by the root DNS servers. Tor is required to access .onion domains.
- The most common way to block Tor traffic is to find a regularly updated list of Tor exit nodes and configure a firewall to block these nodes. A company policy prohibiting Tor may also go a long way toward stopping its use.
- Unfortunately, OpenDNS/Cisco Umbrella cannot assist with individual firewall configurations, as each firewall has its own configuration interface and these vary greatly. If you are uncertain whether your device can do this, check your router or firewall documentation or contact the manufacturer.
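The list-to-firewall step described above, sketched as an added example (not Umbrella or Tor Project code). It assumes the node list is plain text with one IP address per line and that the firewall is nftables; the table and set names, the protected ranges, and the sample addresses are constructed for illustration.

```python
import ipaddress

# Ranges that must never be blocked, whatever the feed says (assumed policy).
PROTECTED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed sample feed (documentation addresses, not real relays).
SAMPLE_LIST = ("# constructed node list\n192.0.2.10\n198.51.100.7\n192.0.2.10\n"
               "2001:db8::5\n10.0.0.1\nnot-an-ip\n")

def parse_node_list(text):
    """Split a one-address-per-line list into (v4, v6, rejected)."""
    v4, v6, rejected = set(), set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            addr = ipaddress.ip_address(line)
        except ValueError:
            rejected.append(line)      # malformed entry
            continue
        if any(addr in net for net in PROTECTED):
            rejected.append(line)      # would block internal traffic
            continue
        (v4 if addr.version == 4 else v6).add(addr)
    return sorted(v4), sorted(v6), rejected

def render_nft(v4, v6):
    """Render an nftables table that drops forwarded traffic to the nodes."""
    def nft_set(name, kind, addrs):
        lines = [f"  set {name} {{", f"    type {kind}"]
        if addrs:                      # omit 'elements' for an empty set
            lines.append("    elements = { " + ", ".join(map(str, addrs)) + " }")
        return "\n".join(lines + ["  }"])
    return "\n".join([
        "table inet torblock {",       # hypothetical table name
        nft_set("tor_v4", "ipv4_addr", v4),
        nft_set("tor_v6", "ipv6_addr", v6),
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        "    ip daddr @tor_v4 drop",
        "    ip6 daddr @tor_v6 drop",
        "  }\n}"])

if __name__ == "__main__":
    v4, v6, bad = parse_node_list(SAMPLE_LIST)
    print(render_nft(v4, v6))
```

Entries returned in `rejected` are worth logging on each refresh, since a feed that suddenly contains internal or malformed addresses should not be loaded blindly.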
See the Tor Project's Abuse FAQ for more information on blocking Tor: "I want to ban the Tor network from my service." This is mostly for service providers wanting to block Tor users from accessing their service, but also contains useful links for network administrators.