How to detect the TOR network with PHP

Written by Joseph MICACCIA, certified network expert - - the TOR Network


TOR is free software that render anonymous all the electronic communications. The Tor project is a non-profit organization dedicated to research, development and education on anonymity and online privacy. The logo is an onion because TOR has several layers, like onion.




Tor directs Internet traffic through a worldwide network of volunteers consisting of more than seven thousand relays to hide the location of a user to anyone who performs network monitoring or traffic analysis. TOR users are hard to identify, whether they are surfing the Net, using online or instant messaging, etc.

Thus, the use of Tor is intended to protect the privacy of users, their freedom and their ability to conduct confidential communications. It is not because we have nothing to hide that we must necessarily show everything.

Celles et ceux qui ne connaissent pas encore TOR auront tous les détails en visitant le , et les innombrables autres sites qui fournissent des tutoriels et des explications détaillées et très claires.

Cependant, pour les gestionnaires de sites Internet qui ont besoin de filtrer les internautes utilisant TOR, il existe une parade simple et efficace : TorDNSEL.

TorDNSEL, c'est quoi ?

C'est est une liste basée sur les DNS des nœuds de sortie TOR. Le précise la description de ce mécanisme.

On peut exploiter cette liste en utlisant un outil comme DIG ou via une simple requête DNS.

Les enregistrements dans TorDNSEL ont cette convention d'écriture :



Those who do not yet know TOR will have all the details by visiting the official website, wikipedia and countless other sites that provide tutorials and detailed explanations and very clear.

However, for the managers of websites that need to filter the users using discrete, there is a simple and effective parade: TorDNSEL.

TorDNSEL, what is it?

This is a list based on the DNS of the output nodes. The official website of TOR specifies the description of this mechanism.

We can use this list by using a tool like DIG or via a simple DNS query.

The records in TorDNSEL have this writing convention:


  • X : Client IP address, inverted
  • Y : TCP port of the server
  • Z : Public IP address of the server, inverted

So, to know if the surfer arriving on your site uses TOR, just make a DNS query and compare the result.

Here is a small function, in PHP, found on the Internet (unknown author) which allows to identify a user of TOR:

  1. function isTorRequest()
  2.    {
  3.    $reverse_client_ip = implode('.', array_reverse(explode('.', $_SERVER['REMOTE_ADDR'])));
  4.    $reverse_server_ip = implode('.', array_reverse(explode('.', $_SERVER['SERVER_ADDR'])));
  5.    $hostname = $reverse_client_ip . "." . $_SERVER['SERVER_PORT'] . "." . $reverse_server_ip . "";
  6.    return gethostbyname($hostname) == "";
  7.    }

It's a good basis for work, but it's not enough. We will see the possible improvements.

First, let us remember what the variables are:

  • $_SERVER['REMOTE_ADDR'] : The IP address of the client requesting the current page
  • $_SERVER['SERVER_ADDR'] : The IP address of the server from which the current script is being executed
  • $_SERVER['SERVER_PORT'] : The port of the server used for communication

It should be noted here that, with these parameters, the function may not work properly for at least two reasons:

  • $_SERVER['REMOTE_ADDR'] is not precise enough to identify the client's IP. The study of a function for the precise identification of the customer's IP adresse will be the subject of another article.
  • $_SERVER['SERVER_ADDR'] can return a private IP, unknown by the TOR network. The public IP address of the server must be used. There are several techniques for automatically identifying the public IP address of the server. Incidentally, it can be defined manually since, except in special cases, it does not change.

So, here is a possible improvement:

  1. function isTorRequest($IpDuClient)
  2.    {
  3.    $IpPubliqueDuServeur = 'XXX.XXX.XXX.XXX'; // renseigner ici l'adresse IP publique du serveur web
  4.    $reverse_client_ip   = implode('.', array_reverse(explode('.', $IpDuClient)));
  5.    $reverse_server_ip   = implode('.', array_reverse(explode('.', $IpPubliqueDuServeur )));
  6.    $hostname            = $reverse_client_ip . "." . $_SERVER['SERVER_PORT'] . "." . $reverse_server_ip . "";
  7.    return gethostbyname($hostname) == "";
  8.    }


For users wishing to test the operation of TOR, here is the link of the official site for downloading the TOR Browser, the browser allowing to use the TOR network. PDF


Rss feed of the article's comments

Comments are closed.