Deanonymizing Tor Users With DNS Exploit

Updated on:
Censorship in Internet
Tor Browser Integrates Tool to Fend Off Deanonymization Exploits.

One of the famous anonymity network Tor is used widely to work anonymously.

Tor or The Onion Router is a modern web browser which is operated by the non-profit, Tor Project.

Almost 2 million users utilize this service regularly because it enables them to use the internet without revealing their identities.

The majority people who use the Tor are the journalists, whistleblowers, activists and privacy-conscious individuals across the globe.

However, it is also used for port scans, hacking attempts, unauthorized release of stolen data and other internet crimes.

Researchers Benjamin Greschbach, KTH Royal Institute of Technology; Tobias Pulls, Karlstad University; Nick Feamster, Laura M. Roberts, and Philipp Winter, Princeton University in the USA, found that Domain Name System (DNS) can be monitored to identify Tor users.

Your TOR usage is being watched

They found that tracing can be done with a high degree of accuracy.

Tor working method:

network structure
Tor is used to browse anonymously, but researchers discovered how to deanonymize Tor users by exploiting the DNS.

Tor works by routing traffic through randomly selected “circuit” of three nodes from 7000 computers specially offered for this purpose around the world.

When a user starts using Tor, it passes through the first node in the circuit from a pool of 2500 out of 7000 computers, which termed as “entry guard” which has high uptime and availability.

Although at some point, it has a track of the source of traffic but not what is in it.

Final nodes of circuits termed as exit nodes where your data or traffic is going to be delivered.

The intermediate router in the circuit acts as Tor nodes to maintain a balance of input and output node to transfer the data.

As the traffic passes from client to exit node in an encrypted state, attackers cannot read it.

Only packet lengths, directions, size, time helps to reveal a user; this visiting technique called as fingerprinting.

How to Deanonymize Tor users? What researchers have found?

The Domain Name System (DNS) joins domains into machine-readable IP addresses, allowing users to use website through human-readable names.

It is the fundamental aspect, or it is a block of the network which enables to track Tor users.

As told by the research team, Tor user can be followed by combing the monitoring of DNS request along with fingerprinting techniques.

A new method is established which is termed as Domain Name System enhanced website fingerprinting attack.

In their research, they learned that almost 40% of Tor exit traffic comes from Google’s public DNS servers alerting high amount from one single organisation. Fingerprinting is a way to break the anonymity of Tor.

This network can be used to find the hidden services and to deanonymizing correct IP address along with the physical locations of Tor servers in some occasions.

Public DNS resolvers like Google are in a position to implement such attacks. With monitoring the DNS traffic, combing with fingerprinting techniques, the source can be found.

This method works especially on sites which are not visited frequently, so their DNS traffic records can be found easily.

The research team revealed that Tor is a decentralized system, but it does not support the extensive ecosystem that Tor exists in.

The research team released a tool to trace the DNS path for a fully qualified domain name and run UDP trace routes on all DNS servers.

The path called “ddptr” which is used by the team.

Be cautious when using Tor Network and browser

If you are not using encryption levels (HTTPS/SSH/TLS), then Tor traffic can be monitored, like for an example, using a forum, sites which do not use HTTPS, ideally your login page, password, session cookie and posts will be captured.

Email sent using SMTP (no TLS) can be captured as well. Exit Nodes can be Geo-located on Google maps using Free Geo-IP, API, Maxmind Geocities lite.

Now, the research team is on the move to develop and improve exit nodes to enhance DNS setup.

By doing this, we can avoid circumstances where Google gets to see a significant amount of DNS requests exiting in the network.


Although Tor lead developer, Mike Perry wants to defend the website traffic fingerprinting and its attacks to protect the exit packets, we still need to understand the technology of Tor and its limitation. One must avoid situations where it is not recommendable.

Write for us


The articles and content found on Dark Web News are for general information purposes only and are not intended to solicit illegal activity or constitute legal advice. Using drugs is harmful to your health and can cause serious problems including death and imprisonment, and any treatment should not be undertaken without medical supervision.