---
title: DNS query to Tor onion domain
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > Datadog Security > OOTB Rules > DNS query to Tor onion domain
---

> For the complete documentation index, see [llms.txt](https://docs.datadoghq.com/llms.txt).

# DNS query to Tor onion domain

{% alert level="danger" %}
This rule is part of a beta feature. To learn more, [contact Support](https://docs.datadoghq.com/help/).
{% /alert %}
Classification:attackTactic:[TA0011-command-and-control](https://attack.mitre.org/tactics/TA0011)Technique:[T1071-application-layer-protocol](https://attack.mitre.org/techniques/T1071) 
## Goal{% #goal %}

Detect DNS queries to Tor hidden service domains and Tor2Web gateway domains across any OCSF-normalized log source.

## Strategy{% #strategy %}

This rule monitors OCSF DNS activity events (`@ocsf.class_uid:4003`) where the queried hostname matches a Tor-related domain suffix. This covers direct `.onion` lookups as well as Tor2Web proxies and gateway services (for example, `.onion.link`, `.tor2web.com`, `.torlink.co`, `.tor-gateways.de`, `.t2w.pw`, `.hiddenservice.net`) that allow clearnet access to Tor hidden services. Any such query reaching a standard resolver is inherently suspicious — it indicates software attempting to reach Tor hidden services, which threat actors routinely use for C2 communication, data exfiltration, and access to underground marketplaces.

## Triage & Response{% #triage--response %}

1. Identify the host behind `{{@ocsf.src_endpoint.ip}}` and determine whether Tor Browser or any Tor-enabled software is sanctioned on that asset.
1. Examine `{{@ocsf.query.hostname}}` — correlate the specific `.onion` address against known malicious Tor hidden services if threat intelligence is available.
1. Correlate with process creation and network connection events from the same source around the alert window to identify what initiated the query.
1. Look for outbound connections to Tor guard nodes (port 9001/9030) or traffic through known Tor exit relays from the same host.
1. If the activity is confirmed malicious, begin your organization's incident response process and isolate the host to prevent potential data exfiltration.
