We show how an attacker can use DNS requests to mount highly precise website fingerprinting attacks: mapping DNS traffic to websites is highly accurate even with simple techniques, and correlating the observed websites with a website fingerprinting attack greatly improves the precision when monitoring relatively unpopular websites. Our results show that DNS requests from Tor exit relays traverse numerous autonomous systems that subsequent web traffic does not traverse. We also find that a set of exit relays, at times comprising 40% of Tor’s exit bandwidth, uses Google’s public DNS servers—an alarmingly high number for a single organization. We believe that Tor relay operators should take steps to ensure that the network maintains more diversity in how exit relays resolve DNS domains.
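To make the resolver-concentration figure concrete, here is an added example (not the authors' measurement code) that classifies each exit relay's first configured resolver and computes the share of exit bandwidth per resolver class. The relay list and bandwidth numbers are constructed, the function names are hypothetical, and looking only at the first `nameserver` entry of a `resolv.conf` is a simplifying assumption.

```python
import ipaddress
from collections import defaultdict

# Google Public DNS anycast addresses (IPv4 and IPv6).
GOOGLE_DNS = {ipaddress.ip_address(a) for a in (
    "8.8.8.8", "8.8.4.4", "2001:4860:4860::8888", "2001:4860:4860::8844")}

def nameservers(resolv_conf):
    """Return the nameserver addresses in resolv.conf text, in file order."""
    found = []
    for line in resolv_conf.splitlines():
        parts = line.split("#", 1)[0].split(";", 1)[0].split()  # drop comments
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                # Strip an IPv6 zone id such as "%eth0" before parsing.
                found.append(ipaddress.ip_address(parts[1].split("%", 1)[0]))
            except ValueError:
                continue  # skip malformed addresses
    return found

def classify(addr):
    """Label a resolver address as 'google', 'local' (loopback) or 'other'."""
    if addr in GOOGLE_DNS:
        return "google"
    return "local" if addr.is_loopback else "other"

def primary_resolver(resolv_conf):
    """Classify the first nameserver, which is queried first by default."""
    ns = nameservers(resolv_conf)
    # With no nameserver line, resolv.conf(5) defaults to the local machine.
    return classify(ns[0]) if ns else "local"

def bandwidth_share(relays):
    """relays: iterable of (exit_bandwidth, resolv_conf_text) pairs.
    Returns {resolver_class: fraction of total exit bandwidth}."""
    totals = defaultdict(float)
    for bandwidth, conf in relays:
        totals[primary_resolver(conf)] += bandwidth
    grand = sum(totals.values())
    return {k: v / grand for k, v in totals.items()} if grand else {}

# Constructed sample: (exit bandwidth in arbitrary units, resolv.conf contents).
SAMPLE_RELAYS = [
    (40, "nameserver 8.8.8.8\nnameserver 8.8.4.4\n"),
    (25, "# local caching resolver\nnameserver 127.0.0.1\n"),
    (20, "nameserver 192.0.2.53\n"),
    (15, "nameserver 2001:4860:4860::8888  # IPv6 only\n"),
]

if __name__ == "__main__":
    for label, share in sorted(bandwidth_share(SAMPLE_RELAYS).items()):
        print(f"{label:7s} {share:.0%} of exit bandwidth")
```
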
What does our work mean for Tor users? As we outline in our blog post, we don’t believe that there is any immediate cause for concern. While our attacks work well in simulations, not many entities are in a position to mount them. Besides, they require non-trivial engineering effort to be reliable, and The Tor Project is already working on improved website fingerprinting defenses.