• How to block the TikTok app on the router?


    Blocking the TikTok app on the router with a DNS block list has been elusive for some people. Multiple block lists were available, and the list of domains seemed to change over time. A recent Reddit post reported that none of the available block lists worked. There were even rumors that TikTok was using DNS-over-HTTPS to avoid being blocked by DNS filters. If this were true, it would be impossible for DNS blocking techniques such as Pi-hole and OpenDNS to block the TikTok app.

    In this post, I’m reporting our findings using the pcWRT router to block the TikTok app.

    So is TikTok using DNS-over-HTTPS (DOH) to avoid DNS filtering? Our testing on the Samsung S7 showed otherwise. We’ve successfully blocked the TikTok app on the Samsung phone with DNS blocking only.

    We entered three domains in our block list to block the TikTok app. And that’s all it took.

    But surely it can’t be that easy? Of course not.

    Block domains on the pcWRT router are not single domains. For example, when you enter tiktokv.com in the block list, the router blocks all domains that end with tiktokv.com, which include mon.tiktokv.com, mon-va.tiktokv.com, frontier-va.tiktokv.com, etc.

    The hard part is that listing every single domain to block on your router is an almost impossible task. The list of domains to block may be large, and it may change over time.

    But if you are using Pi-hole, the following regular expression list basically does the same thing:

    (\.|^)tiktok\.com$
    (\.|^)tiktokcdn\.com$
    (\.|^)tiktokv\.com$
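
    As an added example (not code from this post, pcWRT or Pi-hole): the three regex entries above next to a label-aware suffix match, run over constructed query names to show that both block the same set and that a plain string "ends with" test over-blocks. The function names, the normalization step and the sample names are assumptions; the post does not say how pcWRT implements its matching.

```python
import re

# The three Pi-hole regex entries from the post.
PIHOLE_REGEXES = [re.compile(p) for p in (
    r"(\.|^)tiktok\.com$",
    r"(\.|^)tiktokcdn\.com$",
    r"(\.|^)tiktokv\.com$",
)]
# The same three entries written as suffix-style block domains.
BLOCK_SUFFIXES = ("tiktok.com", "tiktokcdn.com", "tiktokv.com")


def normalize(qname):
    """Lower-case a query name and drop the trailing root dot (assumed step)."""
    return qname.strip().lower().rstrip(".")


def blocked_by_regex(qname):
    name = normalize(qname)
    return any(rx.search(name) for rx in PIHOLE_REGEXES)


def blocked_by_suffix(qname):
    """Label-aware match: name equals the entry or ends with '.' + entry."""
    name = normalize(qname)
    return any(name == s or name.endswith("." + s) for s in BLOCK_SUFFIXES)


def blocked_by_naive_endswith(qname):
    """Plain string endswith, included only to expose its over-blocking."""
    return normalize(qname).endswith(BLOCK_SUFFIXES)


# Constructed sample queries for the comparison.
SAMPLES = [
    "mon.tiktokv.com", "frontier-va.tiktokv.com", "tiktok.com",
    "Pull-F5.TikTokCDN.com.",   # mixed case, fully qualified form
    "nottiktok.com",            # unrelated name sharing the string tail
    "tiktok.com.example.net",   # block domain appears only as a prefix
    "example.org",
]


def compare(samples=SAMPLES):
    """Return (name, regex, suffix, naive) verdicts for each sample."""
    return [(s, blocked_by_regex(s), blocked_by_suffix(s),
             blocked_by_naive_endswith(s)) for s in samples]


if __name__ == "__main__":
    for row in compare():
        print("%-26s regex=%-5s suffix=%-5s naive=%s" % row)
```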

    So in conclusion, it is possible to block the TikTok app with DNS only. But it might be challenging if you have to list each and every domain on your router.

    Update for Android Private DNS

    For phones with Android 9 and above, the user can choose to use DNS-over-HTTPS (DNS-over-TLS is probably the more proper term). Android offers two options: Automatic or manual setup.

    When the user chooses “Automatic”, DNS blocking alone suffices to block the TikTok app, because the DNS server handed out to the smartphone is that of the router, and the router doesn’t support DOH.

    When the user enters a Private DNS provider hostname, DNS blocking alone does not block the TikTok app. On the pcWRT router, you’ll need to turn on “Enforce Access Control” on the profile for the smartphone.

    If you have another router, you need to block TCP port 853 (the DOH port) in order to block TikTok. But that also blocks all DNS name resolution from the device. Basically you are forcing the user not to use a manually configured DOH server.

4 Responses so far.

  1. pcwrt says:

    For the record, here’s the list of domains tried by the TikTok app during our test.


  2. Casino says:

    pcWRT supports regular expressions. Can I write these ones below in the block list?

    (\.|^)tiktok\.com$
    (\.|^)tiktokcdn\.com$
    (\.|^)tiktokv\.com$
