Blocking the TikTok app on the router with a DNS block list has proven elusive for some people. There were multiple block lists available, and the list of domains seemed to be changing over time. A recent reddit post reported that none of the available block lists worked. There were even rumors that TikTok was using DNS-over-HTTPS to avoid being blocked by DNS filters. If this were true, it would be impossible for DNS blocking techniques such as pi-hole and OpenDNS to block the TikTok app.
In this post, I’m reporting our findings using the pcWRT router to block the TikTok app.
So is TikTok using DNS-over-HTTPS (DoH) to avoid DNS filtering? Our testing on the Samsung S7 showed otherwise. We’ve successfully blocked the TikTok app on the Samsung phone with DNS blocking only.
We entered three domains in our block list to block the TikTok app. And that’s all it took.
But surely it can’t be that easy? Of course not.
Block domains on the pcWRT router are not single domains. For example, when you enter tiktokv.com in the block list, the router blocks all domains that end with tiktokv.com, which include frontier-va.tiktokv.com, etc., etc.
The hard part is that if you have to list every single domain to block on your router, the task is almost impossible. The list of domains to block may be large, and it may be changing over time.
But if you are using pi-hole, the following regular expression list basically does the same thing:
So in conclusion, it is possible to block the TikTok app with DNS only. But it might be challenging if you have to list each and every domain on your router.
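To make the suffix-matching behaviour described above concrete, here is an added example (not code from the original post or from pcWRT): a small Python checker that applies a pcWRT-style suffix block and the equivalent pi-hole regex entry to a constructed list of DNS query names. Only tiktokv.com from the post is used as a block entry; the post's other two domains and its regex list are not reproduced, and the query names are made up for illustration.

```python
import re

# Block-list entries in the pcWRT style: a base domain blocks itself and every
# subdomain. Only tiktokv.com comes from the post; extend the list as needed.
BLOCKED_SUFFIXES = ["tiktokv.com"]

def normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so 'Frontier-VA.TikTokV.com.' matches."""
    return name.lower().rstrip(".")

def is_blocked(query: str, suffixes=BLOCKED_SUFFIXES) -> bool:
    """Suffix match on a label boundary: catches tiktokv.com and
    frontier-va.tiktokv.com, but NOT the unrelated nottiktokv.com."""
    q = normalize(query)
    return any(q == s or q.endswith("." + s) for s in map(normalize, suffixes))

def pihole_regex(suffix: str) -> str:
    """pi-hole regex block-list entry equivalent to one suffix entry.
    '(\\.|^)' enforces the label boundary, '$' prevents tiktokv.com.evil.example."""
    return r"(\.|^)" + re.escape(normalize(suffix)) + r"$"

def regex_blocked(query: str, suffixes=BLOCKED_SUFFIXES) -> bool:
    """Same decision as is_blocked, but via the generated pi-hole regexes."""
    q = normalize(query)
    return any(re.search(pihole_regex(s), q) for s in suffixes)

# Constructed sample of DNS query names (not a real capture) to exercise edge cases.
SAMPLE_QUERIES = [
    "frontier-va.tiktokv.com",   # subdomain of a blocked suffix
    "TIKTOKV.COM.",              # mixed case with trailing dot
    "nottiktokv.com",            # ends with the text but is a different domain
    "tiktokv.com.evil.example",  # blocked name as a prefix, not a suffix
    "example.com",
]

def audit(queries, suffixes=BLOCKED_SUFFIXES):
    """Split queries into (blocked, allowed) and check both methods agree."""
    blocked, allowed = [], []
    for q in queries:
        by_suffix, by_regex = is_blocked(q, suffixes), regex_blocked(q, suffixes)
        if by_suffix != by_regex:
            raise ValueError(f"suffix and regex rules disagree on {q!r}")
        (blocked if by_suffix else allowed).append(q)
    return blocked, allowed

if __name__ == "__main__":
    for s in BLOCKED_SUFFIXES:
        print("pi-hole regex entry:", pihole_regex(s))
    blocked, allowed = audit(SAMPLE_QUERIES)
    print("blocked:", blocked)
    print("allowed:", allowed)
```

Note that this only decides what a DNS filter would block; a phone using a manually configured DoT server never sends its queries to that filter, which is the case the DoT section below deals with.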
For phones with Android 9 and above, the user can choose to use DNS-over-TLS (DoT) via the Private DNS setting. Android offers two options: Automatic, or a manually entered provider hostname.
When the user chooses “Automatic”, DNS blocking alone suffices to block the TikTok app, because the DNS server handed out to the smartphone is that of the router, and the router doesn’t support DoH.
When the user enters a Private DNS provider hostname, DNS blocking alone does not block the TikTok app. On the pcWRT router, you’ll need to turn on “Enforce Access Control” on the profile for the smartphone.
If you have another router, you need to block TCP port 853 (the DoT port) in order to block TikTok. But that also blocks all DNS name resolution from a device configured that way; basically you are forcing the user not to use a manually configured DoT server.