Another nice thing Tor provides is free NAT busting. If you're behind two layers of NAT and want to expose a service elsewhere, you can use Tor as an alternative for ngrok and other services. It even comes with basic authentication support through public keys, so you can expose any service you want without worrying about someone else finding and accessing it.
I wouldn't call Tor a secure alternative to DNS, though. First of all, DNSSEC is easy to set up on a domain or in your DNS resolver settings if you care about such things (even if the underlying protocol is kinda shit), and second of all there's no way to know if hackernewsfjsushfoufbeldufbfof.onion is the real service or if you need to go to hackernewsfkfhfofusnsodifnekdj.onion; you can bookmark one and hope it's the official source, but it's basically TOFU for domains. You could use the special onion location header to specify the real onion address, but then you're back to trusting DNS again.
For targets of interest, those .onion addresses found on the ‘clear net’ could be switched to another similar .onion on the fly by whatever security service and just for yours truly. The switcheroo.
I would like to imagine an org could get their SSL certificate issued to both news.ycombinator.com and hackernewsfjsushfoufbeldufbfof.onion (since you can get those now), and you (or your tor client) could show authenticity by showing "this site is also the authority for: news.ycombinator.com".
That will work, but it doesn't work for your standard, cheap, DV certificates. HTTPS over Tor works and is actually done by a few domains. Again, you'll be trusting the clearweb authentication mechanisms (and Tor isn't going to submit the sites you visit for certificate transparency checks) so the advantages quickly go away.
Presumably BBC would DMCA any site on clearnet that ripped their content and pretended to be the official site.
With an onion site on Tor they would not be able to do so easily.
But hopefully if they were running an onion site and not any regular site, they would mention their onion address frequently on their TV channel, and that way many people would know the real address.
Tor lets you share a URL with a domain name .onion[0]
That others can connect to securely. So long as you can connect to the tor network you don't need to worry about firewalls.
One criticism is that while onion addresses are secure and have authentication built in (it's kind of like if websites could be connected to by the public key of their SSL certificate) they are hard for humans to compare.
The problem is chicken and egg you have to connect over SSL using DNS to get the onion address if one is advertised.
So the first time you access it you just assume it's trust worthy. "Trust on first use" TOFU.
That's not an issue of Tor. The same thing happens in the clear web, how do you know www.bbc.com is the BBC you trust from the TV?.
That happens to any domain, in fact, that happens to any source of information.
How did you start trusting in your current religion or politics?. Chances are that you were convinced by a source(s) that for some reason you previously decided to relied and trust.
We build some kind of web-of-trust in our heads, and it's normal that we do not trust in any .onion address initially. Eventually we import trust from sources outside of Tor that we currently trust (like you did by getting bbc's .onion address from its website), and then we start adding some .onion addresses to our "trusted sources" list
I suppose your criticism is that last step of adding that .onion address to your trusted sources is really painful. It's easy to remember www.bbc.com, but not its .onion address. We eventually need to automate this, something like password managers but for trusted sources
Presumably once Reddit closed /r/darknetmarkets discussion moved to forums or probably Discord.
Back in the late 90s my local car boot sale (like a jumble sale), sometimes sold lists of websites. I never really knew what was on them but it feels a bit like what we're back to now.
I wouldn't call Tor a secure alternative to DNS, though. First of all, DNSSEC is easy to set up on a domain or in your DNS resolver settings if you care about such things (even if the underlying protocol is kinda shit), and second of all there's no way to know if hackernewsfjsushfoufbeldufbfof.onion is the real service or if you need to go to hackernewsfkfhfofusnsodifnekdj.onion; you can bookmark one and hope it's the official source, but it's basically TOFU for domains. You could use the special onion location header to specify the real onion address, but then you're back to trusting DNS again.