The Effect of DNS on Tor's Anonymity

TL;DR

This paper demonstrates how DNS traffic can significantly increase the vulnerability of Tor users to correlation attacks, revealing new attack methods and quantifying the risks posed by DNS lookups in anonymous communication.

Contribution

It introduces DefecTor attacks that incorporate DNS traffic, develops methods to identify DNS resolvers of exit relays, and analyzes the real-world impact on Tor's anonymity.

Findings

Google's DNS resolver observes nearly 40% of DNS requests exiting Tor.

DNS requests often traverse different ASes than TCP connections, exposing more traffic to adversaries.

DefecTor attacks can often identify the websites users visit with perfect accuracy, especially for less popular sites.

Abstract

Previous attacks that link the sender and receiver of traffic in the Tor network ("correlation attacks") have generally relied on analyzing traffic from TCP connections. The TCP connections of a typical client application, however, are often accompanied by DNS requests and responses. This additional traffic presents more opportunities for correlation attacks. This paper quantifies how DNS traffic can make Tor users more vulnerable to correlation attacks. We investigate how incorporating DNS traffic can make existing correlation attacks more powerful and how DNS lookups can leak information to third parties about anonymous communication. We (i) develop a method to identify the DNS resolvers of Tor exit relays; (ii) develop a new set of correlation attacks (DefecTor attacks) that incorporate DNS traffic to improve precision; (iii) analyze the Internet-scale effects of these new attacks on Tor users; and (iv) develop improved methods to evaluate correlation attacks. First, we find that there exist adversaries who can mount DefecTor attacks: for example, Google's DNS resolver observes almost 40% of all DNS requests exiting the Tor network. We also find that DNS requests often traverse ASes that the corresponding TCP connections do not transit, enabling additional ASes to gain information about Tor users' traffic. We then show that an adversary who can mount a DefecTor attack can often determine the website that a Tor user is visiting with perfect precision, particularly for less popular websites where the set of DNS names associated with that website may be unique to the site. We also use the Tor Path Simulator (TorPS) in combination with traceroute data from vantage points co-located with Tor exit relays to estimate the power of AS-level adversaries who might mount DefecTor attacks in practice.