DNS traffic monitoring can be used to unmask users of the Tor network by enhancing well-known attacks to trace users with high degrees of accuracy, according to researchers.

Researchers from Karlstad University, Princeton University and the KTH Royal Institute of Technology have devised a way to leverage DNS traffic records to create a new kind of attack designed to unmask users of the Tor network.

With almost two million daily users, Tor, also known as the onion router, is a network made up of relays and nodes which help mask users and their IP addresses.

Ran by the non-profit Tor Project, Tor is used by activists, journalists and the privacy-conscious worldwide, as well as a small slice of users who use it to access Dark Web services and for illegal activity.

The domain name system (DNS) maps domains into machine-readable IP addresses, allowing users to access websites through human-readable names rather than strings of numbers. This system is a fundamental building block of the web, and it also appears to be a system that can be leveraged to track Tor users.

According to the research team, it is possible to combine the monitoring of DNS requests with well-known fingerprinting techniques to create a new type of "DNS-enhanced website fingerprinting attack."

The researchers said:

"The Tor Project is upfront about its limitations. [..] It is well understood that low-latency anonymity networks such as Tor cannot protect against so-called global passive adversaries.



We define such adversaries as those with the ability to monitor both network traffic that enters and exits the network. Then the adversary can run a correlation attack, meaning that it can match packets that go into the network to packets that leave it, or in other words, it can link a client's identity to her activity, and thus, break anonymity."

Fingerprinting is one such way to break the anonymity Tor offers. These kinds of passive attacks use weaknesses in the Tor network to watch and wait for hidden services to be accessed before potentially uncovering not only the user's true IP address but the physical location of servers in some cases.

Companies which operate open DNS resolvers, such as Google, are in the position to facilitate or use such attacks. By monitoring DNS traffic, attackers can "enhance a website fingerprinting attack to be highly reliable," and this works particularly well for websites which are not visited frequently -- as their DNS traffic records are likely to stand out.

Throughout their research, the team also discovered that roughly one-third of DNS requests sent through Tor exit relays are routed through Google's public resolvers -- which is an "alarmingly high fraction for a single company," as Tor aims to avoid centralized points and servers to keep its users hidden.

"Although Tor is reasonably decentralized, our work shows that this does not hold for the wider ecosystem that Tor exists in," the team says.

See also: Over 100 suspicious, snooping Tor nodes discovered

So what does this mean for Tor users? The security researchers say there is no immediate cause for concern, as "adversaries that can already monitor large fractions of the internet [..] will not do any better with our attack."

The team has also released a tool, ddptr, which stands for "DNS Delegation Path Traceroute," which can be used to trace the DNS delegation path for a fully qualified domain name and then run UDP traceroutes to all DNS servers on the path, used throughout the research.

The attack's research paper (.PDF) is currently under review.

Due to the barrier Tor erects for law enforcement in the pursuit of criminals, it is likely there will always be attempts to crack the network and expose users. Tor, used in the majority of cases for legitimate purposes, also poses a challenge for researchers due to relay and node setup used to disguise online tracks.

Mindful of this, the non-profit is already investigating ways to make attacks, such as fingerprinting, more difficult to achieve.