A team of researchers discovered a new method that allows actors to deanonymize Tor users by exploiting the domain name system (DNS).
A team of researchers discovered a new method that allows actors to deanonymize Tor users by exploiting the domain name system (DNS).

A team of researchers discovered a new method that allows actors to deanonymize Tor users by exploiting the domain name system (DNS). The research team, Nick Feamster, Laura M. Roberts, and Philipp Winter from Princeton University; Tobias Pulls from Karlstad University; and Benjamin Greschbach from KTH Royal Institute of Technology, moved beyond earlier methods used in identifying Tor users.

Earlier efforts to deanonymise Tor users analyzed traffic from TCP connections. The researchers wrote in a post on the Information Technology Policy's ‘Freedom to Tinker' blog that “past research likely underestimated the threat of correlation attacks” because entities like Internet service providers (ISP) and Internet exchange points are able to monitor some DNS traffic, but are unable to monitor web traffic coming out of the Tor network.

The researchers found noted that Google's public DNS servers makes up 40% of Tor's exit bandwidth, a ratio that they called “an alarmingly high number for a single organization,” on the research report's project page. The researchers called on Tor relay operators to establish more diversity in how exit relays resolve DNS domains.

The team plans to work with exit relay operators to improve DNS setup, according to Princeton postdoctoral researcher Philipp Winter, one of the researchers involved in the research report. “That way, we hope to avoid a situation where Google gets to see a significant amount of DNS requests exiting the Tor network,” Winter wrote in an email to SCMagazine.com. “I don't like the idea that an advertising company gets to learn about so many websites that Tor users are visiting.”

Last September, Tor Browser lead developer Mike Perry submitted a draft proposal to defend against website traffic fingerprinting and hidden service circuit setup fingerprinting attacks.

Winter noted that there is “not much that users can or should do” to address these risks discovered in the report. He suggested that users follow The Tor Project's official recommendations and not modify the Tor Browser significantly “in order to ‘not stick out.'”