Researchers Reveal DNS Resolvers Can Deanonymize Tor Users

Over the past few months, there has been a lot of focus on the Tor project. Government officials are not keen on this anonymization software by any means. Researchers the KTH Royal Institute of Technology have come up with a way to anonymize Tor users. All it takes is monitoring the DNS resolvers used by individual Tor users.

DefecTor, as this attack is called, uses the DNS lookups accompanying regular Tor network traffic. Since users rely on this DNS service for browsing, email, and other forms of communication, it is a potent attack vector waiting to be exploited. KTH Royal Institute of Technology in Stockholm researchers use this security flaw to anonymize Tor users.

Tor Anonymity is Never Guaranteed

The way Tor works is as follows” traffic is routed through groups of computers, allowing users to hide their real location and identity. With over 2,500 “entry guards” to choose from, the first computer in this Tor connectivity pool is randomly selected. However, it is possible to monitor network traffic going in and out of the Tor network, and pair that information with incoming and outgoing streams.

Despite the Tor developers ensuring all traffic is encrypted, that solution is not sufficient to prevent prying eyes. While hackers would need to settle for seeing “low-level details” regarding Tor traffic, they do not need to watch the whole network at all times. Deanonymizing users is not overly complicated, although it requires a lot of time and access to ways to observe incoming and outgoing Tor traffic.

An interesting observation was posted as part of this research:

“The median time until compromise differs by more than 10 days between UK, and RU or FR. In general, UK and US users are doing better than users in RU, FR, and DE for these two setups. We conclude that the location of Tor clients matters and should be considered in future traffic correlation studies.”

Using a DNS lookup will tell a lot about Tor users, according to the researchers. By taking fingerprints of known websites in the encrypted traffic logs and matching those with DNS requests of Tor exit nodes, correlations have been established. There is a lot more to this practice than just that, though, but it forms the basis of the DefecTor attack.

No Reason To Panic Just Yet

Although this attack sounds worrisome, it is no cause for panic just yet. The Tor project developers can address this “vulnerability” by changing the DNS entry caching requirements. From a long-term perspective, the developers will need to implement a different DNS lookup system, though. Encrypting traffic between DNS resolvers and exit nodes is one way to address this problem.

Users running a Tor exit node should steer away from using public DNS resolvers, though. Google and OpenDNS are very common solutions, but they pose a security risk. Running one’s own DNS resolver would be the best solution, although it may not be possible for everyone to do so.

Header image courtesy of Shutterstock