
Re: [tor-talk] How does DNS work with .onion addresses?

On 26 Jun 2014, at 19:38, Bobby Brewster <bobbybrewster203@xxxxxxxxx> wrote:
> I know that when the TBB connects to a 'normal' .com or .org or whatever address then the DNS resolution is done by the exit node. There is no need anymore (not for several years now) for the client to set up DNS manually (as used to be the case with Polipo or Privoxy).
> However, how does DNS work for .onion?  I assume that each exit node understands how to route traffic for all .onion addresses? How does it know how to direct the client request?

For .onion addresses, DNS is not used. Your Tor client receives a SOCKS connect request for a .onion address and recognises it as a hidden service request. Your Tor client then performs the hidden-service rendezvous procedure, including looking up the current introduction point in the hidden service distributed hash table (as your traffic never leaves the Tor network, there's no exit node involved).

> Is it possible for DNS to leak with .onion?

Yes. If your browser is misconfigured then the DNS request will go out to your OS's configured DNS server, then likely out to your ISP, then likely out to one of the root name servers. Assuming nobody is being malicious, you'll get an error message that the domain name doesn't exist, but someone eavesdropping on you will know that you wanted to go to that hidden service. If someone is being malicious they could return the wrong IP address and your browser will connect to it.

There are people who survey DNS, and they report that there are quite a lot of requests for .onion. Some of these are people clicking on .onion links without Tor, but some could be the result of DNS leaks.

Best wishes,