Blocking ChatGPT alone is not enough — students access thousands of AI alternatives that bypass single-domain blocks. This guide covers every defense layer using a continuously-updated blocklist of 16,024+ AI-tool domains.
Most districts start by blocking chat.openai.com and chatgpt.com. Within hours, students share alternatives on group chats and social media.
The AI chatbot landscape now includes thousands of domains — and new ones appear every day. A single-domain approach is whack-a-mole that IT staff cannot win.
Claude, Gemini, Perplexity, Poe, Character.ai, You.com, Phind, and hundreds more offer the same capabilities. Block one, and students move to the next.
Our database tracks 16,024+ AI-tool domains across 18 categories — the full scope of what students can access.
Students use proxy websites that relay requests to ChatGPT's API behind a different domain. These mirror sites register new domains frequently.
Our automated scanning pipeline checks 300,000+ new domains daily and flags proxies as they appear — often before students discover them.
Students use purpose-built essay generators, paraphrasers, and "AI humanizer" tools designed to evade plagiarism detectors.
These niche tools are the most likely to slip through a content filter that only blocks the major chatbot brands.
Your perimeter firewall is the first line of defense. Rules apply to every on-network device regardless of OS or browser — catching traffic before it ever leaves your network.
Prevents outbound connections to known AI-tool IP ranges and domains
Inspects the SNI field in TLS handshakes or uses DNS-based resolution to match traffic
No software installation needed on endpoints — works for all on-network devices
Most school networks run a dedicated NGFW (Palo Alto, Fortinet, Cisco, SonicWall) or a Linux-based gateway. Both support external domain lists.
Our AI Tools Blocklist is available as a plain-text EDL (External Dynamic List). Firewalls poll the list hourly and update block rules automatically — no manual intervention.
This script automates firewall blocking on Linux gateways. Here is what it does:
Downloads the AI Tools Blocklist domain feed
Resolves each domain to its current IP addresses
Loads IPs into an ipset and creates an iptables DROP rule
Runs daily via cron to keep the list fresh
#!/bin/bash # /opt/scripts/update-ai-blocklist-firewall.sh # Block AI chatbot domains at the firewall level using ipset + iptables API_KEY="YOUR_API_KEY" FEED_URL="https://feeds.aitoolsblocklist.com/v1/domains/all.txt" BLOCKLIST="/var/lib/ai-blocklist/domains.txt" IPSET_NAME="ai_blocked" # Download the latest domain list curl -s -H "Authorization: Bearer $API_KEY" \ "$FEED_URL" -o "$BLOCKLIST" echo "[$(date)] Downloaded $(wc -l < $BLOCKLIST) AI domains" # Create or flush the ipset ipset create $IPSET_NAME hash:ip maxelem 131072 -exist ipset flush $IPSET_NAME # Resolve each domain and add IPs to the set while IFS= read -r domain; do ips=$(dig +short "$domain" A 2>/dev/null | grep -E '^[0-9]') for ip in $ips; do ipset add $IPSET_NAME "$ip" -exist done done < "$BLOCKLIST" # Add the iptables rule (idempotent — checks before adding) iptables -C FORWARD -m set --match-set $IPSET_NAME dst -j DROP 2>/dev/null \ || iptables -I FORWARD -m set --match-set $IPSET_NAME dst -j DROP echo "[$(date)] Firewall updated: $(ipset list $IPSET_NAME | grep -c 'Members') IPs blocked" # Schedule this script via cron: # 0 4 * * * /opt/scripts/update-ai-blocklist-firewall.sh >> /var/log/ai-blocklist.log 2>&1
Palo Alto firewalls support EDLs natively. Point the firewall at our hosted endpoint and it refreshes automatically — no scripting required.
# Palo Alto — External Dynamic List Configuration # Navigate to: Objects → External Dynamic Lists → Add Name: AI-Tools-Blocklist Type: Domain List Source: https://feeds.aitoolsblocklist.com/v1/edl/paloalto?key=YOUR_API_KEY Refresh: Hourly Description: AI chatbot and tool domains — updated daily from 102M domain scan # Create a Security Policy rule: Source Zone: Student-VLAN Destination: Any URL Category: AI-Tools-Blocklist (EDL) Action: Deny Log Forwarding: Student-Activity-Log # Commit the configuration and verify: > test dynamic-list AI-Tools-Blocklist # Expected: List loaded with 42,000+ entries
For detailed firewall integration instructions for all major vendors — including Fortinet FortiGate, Cisco ASA, SonicWall, and pfSense — see the Firewall Admin AI Blocklist Guide.
DNS filtering intercepts domain resolution before the browser ever connects. It is the most effective single layer — working regardless of device type, browser, or application.
Student types chatgpt.com into a browser
Device sends a DNS query to resolve the domain
DNS filter returns a block page (or NXDOMAIN) instead of the real IP
No data ever leaves the school network for that domain
Fast, lightweight — no TLS inspection or deep packet inspection required.
DNS filtering covers the entire network perimeter in one step. Every device on school Wi-Fi resolves DNS through the same infrastructure:
The most widely deployed DNS filter in K-12. Supports custom domain lists and integrates with Active Directory and Google Workspace.
Our feed is formatted for direct import into Umbrella's custom integration list. Every AI-tool DNS query is blocked across all school sites — even for remote learners using the roaming client.
Districts running their own DNS — Pi-hole, AdGuard Home, or BIND with RPZ — can ingest our domain list directly.
Pi-hole accepts blocklists as plain-text URLs. Point it at our feed endpoint with a daily refresh and it sinkholes every AI-tool domain to 0.0.0.0.
# Pi-hole — Add AI Tools Blocklist as a custom adlist # Navigate to: Group Management → Adlists → Add a new adlist Address: https://feeds.aitoolsblocklist.com/v1/domains/all.txt?key=YOUR_API_KEY Comment: AI Tools Blocklist — 16,024+ AI chatbot & tool domains # After adding, update gravity: $ pihole -g [i] Target: https://feeds.aitoolsblocklist.com/v1/domains/all.txt [✓] Status: Downloaded 42,317 domains [✓] Gravity updated successfully # Verify blocking works: $ dig chatgpt.com @127.0.0.1 ;; ANSWER SECTION: chatgpt.com. 0 IN A 0.0.0.0 $ dig claude.ai @127.0.0.1 claude.ai. 0 IN A 0.0.0.0 # Schedule automatic gravity updates (daily at 3 AM): $ crontab -e 0 3 * * * pihole -g >> /var/log/pihole-gravity.log 2>&1
NextDNS is popular in smaller districts and charter schools — no on-premises infrastructure required. Custom denylist URLs refresh automatically.
# NextDNS — Custom Denylist # Navigate to: Settings → Denylist → Add a denylist URL: https://feeds.aitoolsblocklist.com/v1/domains/all.txt?key=YOUR_API_KEY Name: AI Tools Blocklist (16,024+ domains) # NextDNS refreshes the list automatically every 24 hours. # No cron jobs, no scripts — it's fully managed. # Configure your school DHCP to point DNS at NextDNS: Primary DNS: 45.90.28.0 Secondary DNS: 45.90.30.0 # For encrypted DNS (recommended), use the NextDNS profile: DoH: https://dns.nextdns.io/YOUR_CONFIG_ID DoT: YOUR_CONFIG_ID.dns.nextdns.io
Over 60% of US K-12 devices are Chromebooks managed through Google Workspace. Chrome OS URL blocking travels with the device — school, home, and mobile hotspots.
The URLBlocklist policy applies to every managed Chrome browser instance. When a student navigates to a blocked URL, Chrome shows a native "This site is blocked" page.
No network request is made, and it works even on personal Wi-Fi with no DNS filtering. Policy syncs within minutes of any update.
Google Admin's URL blocklist supports approximately 1,000 entries. This covers the top AI chatbots — ChatGPT, Claude, Gemini, Perplexity, and the top 100 alternatives.
Use Chrome policies as a belt-and-suspenders measure alongside your primary content filter, which handles the full 16,024+ domain feed.
# Google Admin Console — Chrome URL Blocklist for Student Devices # Path: Devices → Chrome → Settings → Users & Browsers # Select the "Students" Organizational Unit # Under "URL Blocking" → "URL Blocklist", add these domains: chatgpt.com chat.openai.com openai.com claude.ai anthropic.com gemini.google.com bard.google.com copilot.microsoft.com perplexity.ai poe.com character.ai you.com phind.com quillbot.com writesonic.com jasper.ai copy.ai rytr.me wordtune.com grammarly.com/ai notion.so/product/ai midjourney.com stability.ai huggingface.co/chat deepai.org # ... add up to ~1,000 high-priority domains # See our sample CSV for the full prioritized list # IMPORTANT: Use "URLAllowlist" to exempt teacher/admin OUs: # Select "Teachers" OU → URL Blocking → URL Allowlist # Add any domains teachers need for lesson planning
For districts managing hundreds of OUs or requiring automated updates. This Python script:
Fetches the top AI chatbot domains from our feed
Authenticates with Google Admin SDK via a service account
Pushes the URL blocklist to your student OU's Chrome policy
# deploy_chrome_blocklist.py # Automates Chrome URLBlocklist updates via Google Admin SDK import requests from google.oauth2 import service_account from googleapiclient.discovery import build API_KEY = "YOUR_BLOCKLIST_API_KEY" FEED_URL = "https://feeds.aitoolsblocklist.com/v1/domains/chatbots-top1000.txt" ORG_UNIT = "/Students" # Fetch the top 1000 AI chatbot domains response = requests.get(FEED_URL, headers={"Authorization": f"Bearer {API_KEY}"}) domains = response.text.strip().split("\n") print(f"Fetched {len(domains)} priority AI chatbot domains") # Authenticate with Google Admin SDK creds = service_account.Credentials.from_service_account_file( "service-account.json", scopes=["https://www.googleapis.com/auth/admin.directory.orgunit", "https://www.googleapis.com/auth/chrome.management.policy"] ) service = build("chromepolicy", "v1", credentials=creds) # Push the URL blocklist to the Students OU # This updates the Chrome URLBlocklist policy for all # managed Chromebooks in the target organizational unit print(f"Deployed {len(domains)} domains to Chrome policy for {ORG_UNIT}")
Most districts already run GoGuardian, Lightspeed, Securly, iBoss, or Bark for CIPA compliance. Adding our AI Tools Blocklist is the fastest path to comprehensive AI blocking.
Embedded iframes loading AI tools within legitimate websites
AJAX calls and API requests from browser extensions
HTTPS traffic that simpler firewall rules cannot inspect
Create a custom URL list in GoGuardian Admin and upload our domain feed. Assign it to student organizational units.
GoGuardian's Chrome extension enforces the block on every managed Chromebook, even off-network. See the K-12 content filtering guide for step-by-step instructions.
Supports custom category creation and bulk URL imports. Import our domain list as a "Blocked" custom category.
Lightspeed's Smart Agent ensures blocking persists on take-home devices. Category-level feeds let you block AI writing tools while permitting AI tutoring platforms.
Cloud-based filter that accepts custom URL policies. Add our feed as a "Deny" list and apply it to student groups.
Certificate-based filtering catches HTTPS domains. Provides detailed usage reports for administrators and parents via the Securly Home portal.
GoGuardian, Lightspeed, and Securly each maintain their own URL categorization databases. However, their AI-tool coverage varies significantly.
Most classify ChatGPT and a handful of major platforms. But the long tail remains uncategorized:
Thousands of lesser-known paraphrasers and essay spinners
Proxy chatbot sites with frequently-changing domains
Specialized code generators and homework solvers
Our dedicated AI-tool feed fills that gap with 16,024+ domains classified into 18 functional categories, updated daily from a scan of 102 million domains.
Blocking ChatGPT addresses the most visible problem but misses the vast majority of the attack surface. The AI-tool ecosystem has exploded since 2023.
Students are remarkably resourceful. TikTok, Reddit, and Discord are full of "ChatGPT alternative" recommendations — often targeting students who have already been blocked.
We track 16,024+ AI-tool domains across 18 categories. The breakdown below reveals just how large the long tail is.
Most of the tools students use for academic dishonesty are not named "ChatGPT."
| General AI Chatbots | 2,800+ domains |
| AI Writing Assistants | 4,200+ domains |
| AI Paraphrasers & Humanizers | 1,600+ domains |
| AI Code Generators | 3,100+ domains |
| AI Homework Solvers | 900+ domains |
| ChatGPT Proxy Sites | 700+ domains |
Manually tracking AI alternatives is a full-time job no school IT department has staff for. Our automated pipeline handles it:
Scans 102 million domains daily for new AI tools
Classifies new tools within 24 hours of going live
Automatically adds them to all feed formats
Browse the full AI Tools Database to see coverage, or review the 18-category taxonomy to understand how tools are classified.
Blocking is only half the equation. Active monitoring reveals which AI tools students try to reach, how often bypasses occur, and whether new tools are slipping through.
Configure your DNS or content filter to log every blocked AI-tool request. Aggregate logs by student, device, time of day, and domain.
High-frequency block events from a single student may indicate systematic searching for unblocked alternatives — a signal for follow-up.
Export logs periodically for CIPA audit documentation
Demonstrates active, effective technology protection
See the CIPA compliance guide for audit trail requirements
Students may try VPNs, proxy services, Tor, or DNS-over-HTTPS (DoH) to bypass blocks. Watch for these patterns:
DNS traffic to non-school resolvers (8.8.8.8, 1.1.1.1)
VPN protocol signatures on outbound traffic
Connections to known proxy/VPN services
On managed Chromebooks, disable DNS setting changes and block VPN extensions via Google Admin. This eliminates the most common bypass vectors for Chrome OS.
#!/bin/bash # /opt/scripts/ai-access-report.sh # Generate a daily report of AI chatbot access attempts from DNS logs LOG_DIR="/var/log/dns-filter" REPORT="/var/reports/ai-access-$(date +%Y%m%d).txt" BLOCKLIST="/var/lib/ai-blocklist/domains.txt" echo "AI Chatbot Access Report — $(date +%Y-%m-%d)" > "$REPORT" echo "========================================" >> "$REPORT" # Top 20 most-requested blocked AI domains echo "" >> "$REPORT" echo "Top 20 Blocked AI Domains:" >> "$REPORT" grep -f "$BLOCKLIST" "$LOG_DIR"/query.log \ | awk '{print $5}' \ | sort | uniq -c | sort -rn \ | head -20 >> "$REPORT" # Students with most AI access attempts echo "" >> "$REPORT" echo "Top 10 Devices by AI Access Attempts:" >> "$REPORT" grep -f "$BLOCKLIST" "$LOG_DIR"/query.log \ | awk '{print $2}' \ | sort | uniq -c | sort -rn \ | head -10 >> "$REPORT" # Hourly distribution (detect patterns: spikes during testing hours?) echo "" >> "$REPORT" echo "Hourly Distribution of AI Access Attempts:" >> "$REPORT" grep -f "$BLOCKLIST" "$LOG_DIR"/query.log \ | awk -F: '{print $1}' \ | awk '{print $2}' \ | sort | uniq -c >> "$REPORT" echo "[$(date)] Report generated: $REPORT"
No single layer is foolproof. The most effective strategy combines multiple layers, each catching what the others miss.
Blocks IP-level and domain-level connections for all on-network devices. The first wall — fast and broad.
Intercepts domain resolution before connections are established. Covers all devices and applications.
Browser-level filtering via GoGuardian, Lightspeed, or Securly. Works on and off network.
Device-level URL blocking that travels with the Chromebook. The last line of defense for 1:1 programs.
Some districts maintain their own AI blocklists via shared spreadsheets. This approach fails for three reasons:
Follow this checklist to deploy comprehensive AI blocking. Most districts complete the entire process in under a day.
Get the full AI Tools Blocklist — 16,024+ domains, 18 categories, updated daily. Deploy it across every layer of your school network in under a day.
Tell us about your school network — device types, content filter vendor, and number of students — and we will configure a feed that covers every layer.