
How DNS Monitoring Can Expose Tor Users

It’s easy to be anonymous online. But thanks to a team of researchers, anonymity might be a thing of the past for Tor users.

A team of researchers recently discovered a new method that exposes anonymous Tor users.

Tor browsers are the gateway to the deep web. They allow people to browse, communicate and shop anonymously.

Tor, also known as the onion router, has over two million users per day. It’s the largest anonymity network operating today.

It’s a network that helps mask IP addresses and is used by people looking to stay off the grid. Many Tor users are journalists and activists, but some users rely on it for web-based illegal activity.

Here’s how DNS monitoring is unmasking Tor users. Read on to learn more about what this means for the digital age.

How Tor Works

Tor might sound confusing, but it’s actually fairly simple.

Tor works by routing traffic through random circuits. The circuits consist of three nodes chosen from roughly 7,000 computers around the world.

The first node is an entry guard. Entry guards are drawn from a pool of computers with a history of being available and reliable.

These guards have an idea as to where the traffic originates from. But Tor’s encryption protects user information and keeps it anonymous.

The middle node keeps the first and last node separate. This protects against collusion between those computers and keeps what each one knows apart.

The last node, or exit node, sees the traffic leaving the Tor network. But it still doesn’t know who the user is or where the traffic originates.

In essence, this system is all about anonymity and goes to great measures to ensure it for its users.

Why Use Tor

Many people value their privacy. That’s especially true of Tor users.

Tor separates a user’s IP address from their activity. Therefore, using Tor allows a user to hide their web browsing from everyone — from the government to internet service providers.

Tor users are basically using a super effective private browsing mode.

Correlation Attacks

There are always going to be some rotten eggs. Especially on the internet.

Some Tor users have been known to participate in what’s referred to as correlation attacks.

These attacks observe traffic entering and leaving Tor. The attacker then tries to pair up the inbound and outbound streams that belong to the same user.

Correlation attacks basically link an IP address with activity to break the anonymity of Tor users.

Correlation attacks are an Achilles’ heel for an otherwise successful platform for anonymity. As a result, correlation attacks have been a catalyst for Tor research.

Researchers previously used DNS monitoring in an effort to curtail correlation attacks.

Previous efforts were not particularly useful due to several factors. The research proved ineffective in that it underestimated correlation attacks.

Internet service providers were able to monitor DNS traffic but couldn’t successfully monitor inbound and outbound web traffic to the Tor network.

Researchers also discovered other concerning information about DNS servers.

One revelation was that Google’s DNS servers made up roughly 40 percent of Tor’s exit bandwidth.

The researchers urged Tor to create more diversity within their network. This would help prevent correlation attacks and a situation where one company gets a large slice of the pie.
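One way to measure the resolver concentration described above, written as an added example that is not part of the original article or the researchers' code. It assumes an auditor has each exit relay's `resolv.conf` text and a relative bandwidth weight; the four relays, their weights, and the 25 percent limit are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Published anycast addresses of well-known public resolvers.
PUBLIC_RESOLVERS = {ipaddress.ip_address(a): op for a, op in {
    "8.8.8.8": "Google", "8.8.4.4": "Google",
    "2001:4860:4860::8888": "Google", "2001:4860:4860::8844": "Google",
    "1.1.1.1": "Cloudflare", "1.0.0.1": "Cloudflare",
    "9.9.9.9": "Quad9", "208.67.222.222": "OpenDNS",
}.items()}

def primary_resolver(resolv_conf):
    """Return the first nameserver in resolv.conf text (the one tried first)."""
    for line in resolv_conf.splitlines():
        parts = line.strip().split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            return parts[1].split("%")[0]   # drop any IPv6 zone id
    return "127.0.0.1"   # no entry: the libc resolver falls back to localhost

def operator_of(addr):
    """Label a resolver address as local, a named public operator, or other."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "local"                        # resolver runs on the relay itself
    return PUBLIC_RESOLVERS.get(ip, "other")  # "other": e.g. the ISP's resolver

def resolver_shares(exits):
    """exits: [(resolv_conf_text, exit_bandwidth)] -> {operator: bandwidth share}."""
    totals = defaultdict(float)
    for conf, bandwidth in exits:
        totals[operator_of(primary_resolver(conf))] += bandwidth
    grand = sum(totals.values())
    return {op: bw / grand for op, bw in totals.items()} if grand else {}

def over_concentrated(exits, limit=0.25):
    """Named third-party operators that see more than `limit` of exit bandwidth."""
    return sorted(op for op, share in resolver_shares(exits).items()
                  if share > limit and op not in ("local", "other"))

# Constructed sample: four hypothetical exit relays with relative bandwidth weights.
SAMPLE_EXITS = [
    ("nameserver 8.8.8.8\nnameserver 8.8.4.4\n", 40),
    ("# local unbound\nnameserver 127.0.0.1\n", 30),
    ("nameserver 192.0.2.53\n", 20),   # documentation address standing in for an ISP
    ("options edns0\nnameserver 1.1.1.1\n", 10),
]

if __name__ == "__main__":
    print(resolver_shares(SAMPLE_EXITS))
    print(over_concentrated(SAMPLE_EXITS))
```

On the constructed sample, the Google-resolved share comes out at 40 percent and is the only operator flagged; moving a relay to a local resolver lowers that share directly.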

What is DNS?

DNS is even simpler to understand than Tor. DNS stands for Domain Name System.

DNS translates domain names into IP addresses. This allows online users to surf the web via a readable name rather than a number.

This process helps to identify users all across the web. It’s one of the core elements of user identification online.

DNS Monitoring

Most internet users can rest easy by following a few simple anti-hacking measures.

Tor users felt confident their identity was anonymous. That is, until new research shined a light on DNS monitoring.

A group of researchers from Princeton University, Karlstad University, and the KTH Royal Institute of Technology broke new ground when they discovered a way to use DNS monitoring to expose Tor users.

DNS traffic monitoring can be used to unveil Tor users by strengthening familiar attacks that effectively trace users.

Research Results

Essentially, the researchers used DNS lookups from browsing to create a new version of correlation attacks. The researchers discovered that DNS monitoring can actually help attackers enhance their fingerprinting attacks.

The researchers also showed that adversaries can combine DNS requests with fingerprinting attacks to create a DNS-enhanced correlation attack.

The mapping of DNS traffic to websites is extremely accurate. Website fingerprinting attacks can make monitoring even unpopular websites extremely precise.

The researchers became aware of several groups that could use DNS monitoring to carry out this enhanced correlation attack.

One specific company that was mentioned is Google. Because Google’s DNS servers make up roughly 40 percent of Tor’s exit bandwidth, Google can already observe DNS requests.

Their popularity gives them the ability to monitor traffic entering Tor’s network. Their large data set could give them a wide view of Tor identities and network traffic should they ever utilize a correlation attack.

What It Means

It might sound like Tor is no longer useful for anonymity. That’s not the case. Especially for the casual Tor user.

The researchers concluded that adversaries already have the ability to monitor large groups of internet users. They do not believe that their new technique will lead to more effective attacks.

Moreover, attacks are usually on specific targets rather than a random internet user. The average Tor user is rarely targeted.

Those who are targeted are usually under scrutiny for suspicious online behavior. They might be breaking the law or raising red flags with regard to national security.

People still concerned can look forward to new advances coming to the Tor Project. The team is actively working on making fingerprinting attacks more difficult to execute.

In summary, DNS monitoring isn’t going to ruin the anonymity of Tor’s millions of users. But it might hurt a few rotten eggs.
