New from Verisign Labs: Measuring the Leakage of Onion at the Root

If you are trying to communicate anonymously on the internet using Tor, this paper may be an important read for you. Anonymity and privacy are at the core of what the Tor project promises its users. Short for The Onion Router, Tor provides individuals with a mechanism to communicate anonymously on the internet. As part of its offerings, Tor provides hidden services, specifically anonymous networking between servers that are configured to receive inbound connections only through Tor. In order to route requests to these hidden services, a namespace is used to identify the resolution requests to such services. Tor uses the .onion namespace under a non-delegated (pseudo) top-level-domain. Although the Tor system was designed to prevent .onion requests from leaking into the global DNS resolution process, numerous requests are still observed in the global DNS, causing concern about the severity of the leakage and the exposure of sensitive private data.

Verisign Labs research scientists, Aziz Mohaisen and Matt Thomas, analyzed the state of .onion requests received at the global public DNS A and J root nodes, as well as a complementary measurement from the DITL (day in the life of the internet) data repository. From the data leaked into the global DNS root servers, they correlated increased use of Tor during periods of internet censorship, political reform, and economic uncertainty. They hypothesized that this leakage could be the result of users incorrectly configuring Tor’s hidden services. In addition, advanced families of malware are using Tor and its hidden services to avoid detection. Possible misconfigurations within these malware pieces could also explain the leaked DNS requests. While the researchers have not identified the root cause of these leaked Tor queries, they plan to continue their research and open further discussion within the broader community.

This research was published at the 7th Workshop on Hot Topics in Privacy Enhancing Technologies (HotPETs 2014).