How does Tor route DNS requests?

  • Tor can only handle TCP connections, but DNS is a UDP protocol. How does Tor route DNS requests over its TCP-based network? Why can the same approach not be used to route all UDP traffic over Tor?

    DNSCRYPT, Introducing DNSCrypt, Background: The need for better DNS security. Granted, without a proxy, this can affirm a client, without repudiation, as all encrypted connections can. A binding court order can compel OpenDNS to monitor particular IP addresses and to reveal DNS request history. So, there is still a legal engineering hack vulnerability.

  • Tor clients do not, in general, do DNS requests directly. When you open a connection through the Tor network you usually ask your client (on its SOCKS ports) to connect you to a hostname and port, say www.example.com:80.

    Your Tor client, once it has created a circuit, will send that hostname and port to the exit node in its RELAY_BEGIN cell.

    The exit node will then do a DNS resolve and open a TCP connection to the target. Once that's established, it will tell your client that the connection is open, and for informational purposes will also tell your client what address that hostname resolved to.

    Tor, in addition to that, has some sort of "remote DNS resolve" protocol built in. This support allows clients to query for certain resource types, like IPv4 or IPv6 addresses. Here too, the exit node does the actual DNS packet sending and receiving and just relays the answer to the client.

    No UDP packets are actually ever routed from the client.

    There's also a proposal to add more full featured DNS support to Tor. So far it hasn't been implemented.


    Tor Protocol Specification references
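The exchange described in this answer, as an added example that is not part of the original post or of Tor's own code: a client-side encoder for the RELAY_BEGIN and RELAY_RESOLVE payloads, decoders for RELAY_CONNECTED and RELAY_RESOLVED, and a simulated exit that answers them. The byte layouts follow tor-spec sections 6.2 and 6.4; the hostnames, addresses and TTL in `FAKE_DNS` are constructed stand-ins for the exit's real DNS resolver, and `exit_handle_begin` / `exit_handle_resolve` are hypothetical names. Note that the client side only builds and parses bytes: the hostname leaves the client inside the Tor protocol, and no DNS packet is ever sent from it.

```python
import ipaddress
import struct

# Relay cell command numbers from tor-spec section 6 (labelling only).
RELAY_BEGIN, RELAY_CONNECTED, RELAY_RESOLVE, RELAY_RESOLVED = 1, 4, 11, 12

# Answer types carried in RELAY_RESOLVED (tor-spec section 6.4).
RES_HOSTNAME, RES_IPV4, RES_IPV6 = 0x00, 0x04, 0x06
RES_ERR_TRANSIENT, RES_ERR_NONTRANSIENT = 0xF0, 0xF1


# ---- client (onion proxy) side: never resolves anything itself ----

def encode_begin(host: str, port: int, flags: int = 0) -> bytes:
    """RELAY_BEGIN payload: 'host:port' NUL-terminated, then 4 flag bytes."""
    return f"{host}:{port}".encode("ascii") + b"\x00" + struct.pack(">I", flags)


def encode_resolve(name: str) -> bytes:
    """RELAY_RESOLVE payload: the name to look up, NUL-terminated."""
    return name.encode("ascii") + b"\x00"


def decode_connected(payload: bytes):
    """RELAY_CONNECTED payload -> (address text, TTL seconds).
    IPv4: 4 address bytes + 4-byte TTL.
    IPv6: 4 zero bytes, type byte 6, 16 address bytes, 4-byte TTL."""
    if payload[:4] != b"\x00\x00\x00\x00":
        return str(ipaddress.IPv4Address(payload[:4])), struct.unpack(">I", payload[4:8])[0]
    if payload[4] != RES_IPV6:
        raise ValueError("unknown RELAY_CONNECTED address type")
    return str(ipaddress.IPv6Address(payload[5:21])), struct.unpack(">I", payload[21:25])[0]


def decode_resolved(payload: bytes):
    """RELAY_RESOLVED payload -> list of (type, value, TTL); each answer is
    [type:1][length:1][value:length][TTL:4]."""
    answers, i = [], 0
    while i < len(payload):
        atype, length = payload[i], payload[i + 1]
        raw = payload[i + 2 : i + 2 + length]
        ttl = struct.unpack(">I", payload[i + 2 + length : i + 6 + length])[0]
        if atype == RES_IPV4:
            value = str(ipaddress.IPv4Address(raw))
        elif atype == RES_IPV6:
            value = str(ipaddress.IPv6Address(raw))
        elif atype == RES_HOSTNAME:
            value = raw.decode("ascii")
        else:
            value = raw  # error answers carry no meaningful value
        answers.append((atype, value, ttl))
        i += 6 + length
    return answers


# ---- exit side: the only place a DNS lookup happens ----

# Constructed table standing in for the exit's real DNS resolver (hypothetical data).
FAKE_DNS = {"www.example.com": ["192.0.2.10", "2001:db8::10"]}
FAKE_TTL = 300


def decode_begin(payload: bytes):
    addrport, _, rest = payload.partition(b"\x00")
    host, _, port = addrport.decode("ascii").rpartition(":")
    flags = struct.unpack(">I", rest[:4])[0] if len(rest) >= 4 else 0
    return host, int(port), flags


def encode_connected(addr: str, ttl: int) -> bytes:
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ip.packed + struct.pack(">I", ttl)
    return b"\x00\x00\x00\x00" + bytes([RES_IPV6]) + ip.packed + struct.pack(">I", ttl)


def encode_resolved(answers) -> bytes:
    out = b""
    for atype, raw, ttl in answers:
        out += struct.pack(">BB", atype, len(raw)) + raw + struct.pack(">I", ttl)
    return out


def exit_handle_begin(payload: bytes) -> bytes:
    """Simulated exit: resolve the name from RELAY_BEGIN, 'connect', reply RELAY_CONNECTED.
    Returns b'' to stand for a RELAY_END (resolve failure) when the name is unknown."""
    host, port, _flags = decode_begin(payload)
    addrs = FAKE_DNS.get(host)
    if not addrs:
        return b""
    # A real exit opens the TCP connection to addrs[0]:port before replying.
    return encode_connected(addrs[0], FAKE_TTL)


def exit_handle_resolve(payload: bytes) -> bytes:
    """Simulated exit answering a RELAY_RESOLVE with a RELAY_RESOLVED payload."""
    name = payload.split(b"\x00", 1)[0].decode("ascii")
    addrs = FAKE_DNS.get(name)
    if not addrs:
        return encode_resolved([(RES_ERR_NONTRANSIENT, b"", 0)])
    answers = []
    for a in addrs:
        ip = ipaddress.ip_address(a)
        answers.append((RES_IPV4 if ip.version == 4 else RES_IPV6, ip.packed, FAKE_TTL))
    return encode_resolved(answers)


if __name__ == "__main__":
    cell = encode_begin("www.example.com", 80)
    print("RELAY_BEGIN     ->", cell)
    print("RELAY_CONNECTED ->", decode_connected(exit_handle_begin(cell)))
    print("RELAY_RESOLVED  ->", decode_resolved(exit_handle_resolve(encode_resolve("www.example.com"))))
```

The RELAY_RESOLVE/RELAY_RESOLVED pair is what `tor-resolve` drives; the address that comes back in RELAY_CONNECTED is informational to the onion proxy and is not what the SOCKS application sees.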

    Right. The short version of the answer is "Tor transports the hostname (inside the Tor protocol) to the exit relay, which resolves it for you."

    Could you confirm that the exit node sends the address back to the client? I'm familiar with SOCKS and that doesn't happen at that level, so just curious why it would on Tor's level.

    SOCKS only happens between your application and the Tor instance running on your computer -- the so-called onion proxy, OP for short. The OP and the exit node communicate using the Tor protocol, and section 6.2 from the document I linked specifies that the RELAY_CONNECTED cell contains the IPv4 or IPv6 address of the hostname. That means the address makes it to the OP, which can use it, for instance, to pick a better exit node next time. The information would not usually make it to the application that initiated the SOCKS connection, however.

    Is this how tor-resolve works also?

    Yes, tor-resolve uses the remote hostname lookup feature mentioned in section 6.4 of tor-spec.

    It seems risky for exit nodes to send resolved IP addresses back to OPs. Why is it not?

    @weasel-PeterPalfrader, So do you mean that, in short, when we use Tor to visit a website, the ISP is unable to tell **both** the hostname and the actual host IP?

    @weasel-PeterPalfrader, To confirm, can we say that **Thus It's Safe** since every request is 3rd partied?

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM