“Who controls Tor’s DNS traffic?” revisited
Over a year ago, in April 2018, we looked into Tor’s DNS landscape and confirmed previous observations from 2016 that a significant fraction of tor exit relays make use of public DNS resolvers like Google’s 220.127.116.11.
Now, 15 months later, it's time to revisit this issue and find out how the DNS landscape on the tor network has changed. Did the DNS centralization on the tor network around Google and Cloudflare resolvers increase or decrease?
Data Collection Methodology
The methodology remained largely the same: we built a circuit to every tor exit relay and resolved a hostname through it while watching, at the authoritative name server, the source IP address the DNS query came from, which identifies the resolver the exit relay uses. This time we collected the primary DNS resolver only. So instead of having multiple data points for each exit relay we collected a single resolver source IP address, which simplified data collection and processing. Our data collection methodology also supports IPv6 now.
We collected DNS resolver source IP addresses for 99% of the tor network’s exit capacity (we improved the measurement coverage from last year’s 89%).
Goals from 2018
Last year we set ourselves two goals:
- reduce the overall share of tor exit capacity using remote resolvers (outside their own autonomous system) to below 20% of exit capacity
- not have any single "remote AS" entity control more than 10% of tor's exit capacity DNS traffic
Did we meet these goals? No.
In April 2018 there was a single entity controlling more than 10% of tor’s DNS traffic (Google), now (July 2019) there are two big companies each controlling more than 10% of tor’s DNS traffic (Google and Cloudflare).
In terms of DNS centralization, things got worse over the course of the last 15 months if we look at the fraction that goes to Google and Cloudflare. Google's own fraction decreased, but their combined fraction increased from 23.97% (April 2018) to 30.74% (July 2019) of the tor network's exit capacity.
The good news is that this change is not caused by many small exit operators enabling Cloudflare in their DNS configuration. Cloudflare's fraction is almost exclusively due to a single tor exit operator, which manages over 13% of the tor network's exit capacity at the time of writing. So things could improve significantly if that operator changed its configuration.
Last year we included more public DNS resolvers, and if we take them into account things actually improved: their overall share decreased.
60.05% of the tor network's exit capacity uses a resolver located in the same autonomous system as the exit relay itself (that includes localhost), which is the recommended setup because it minimizes the path between an exit relay and its resolver. Let's aim to increase this fraction to above 80%.
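To make the aggregation behind these numbers concrete, here is an added example (not the authors' measurement code) that takes per-exit records of the kind the methodology above produces, weights each exit by its share of exit capacity, and checks the two 2018 goals: the overall remote-resolver share and whether any single remote AS exceeds 10%. The fingerprints, weights and exit AS numbers are constructed sample data; the resolver AS numbers 15169 and 13335 are Google's and Cloudflare's.

```python
"""Aggregate Tor exit DNS resolver measurements by autonomous system."""
from collections import defaultdict

# Constructed sample measurements: (exit fingerprint, exit weight, exit ASN, resolver ASN).
# Weight is the exit's share of total exit capacity. A resolver ASN of None
# marks an exit whose resolver could not be observed (uncovered capacity).
MEASUREMENTS = [
    ("EXIT_A", 0.13, 64501, 13335),   # large operator forwarding to Cloudflare's AS
    ("EXIT_B", 0.10, 64502, 15169),   # forwarding to Google's AS
    ("EXIT_C", 0.07, 64503, 15169),
    ("EXIT_D", 0.30, 64504, 64504),   # resolver in the exit's own AS (e.g. a local unbound)
    ("EXIT_E", 0.25, 64505, 64505),
    ("EXIT_F", 0.05, 64506, 64510),   # some other remote resolver
    ("EXIT_G", 0.10, 64507, None),    # not measured
]


def share_by_resolver_as(records):
    """Return (same_as_share, {remote_asn: share}, unmeasured_share).

    Shares are sums of exit weights, so a large operator counts by capacity,
    not by relay count, as in the post's percentages."""
    same_as = 0.0
    unmeasured = 0.0
    remote = defaultdict(float)
    for _fingerprint, weight, exit_asn, resolver_asn in records:
        if resolver_asn is None:
            unmeasured += weight
        elif resolver_asn == exit_asn:
            same_as += weight
        else:
            remote[resolver_asn] += weight
    return same_as, dict(remote), unmeasured


def check_goals(records, max_remote_share=0.20, max_single_entity=0.10):
    """Evaluate the two 2018 goals from the post.

    Returns (remote_goal_met, [remote ASNs above the single-entity cap])."""
    _same_as, remote, _unmeasured = share_by_resolver_as(records)
    total_remote = sum(remote.values())
    offenders = sorted(asn for asn, share in remote.items() if share > max_single_entity)
    return total_remote <= max_remote_share, offenders


if __name__ == "__main__":
    print(share_by_resolver_as(MEASUREMENTS))
    print(check_goals(MEASUREMENTS))
```

With the sample data, 55% of capacity resolves within its own AS, 35% goes to remote ASes, and both Google's and Cloudflare's ASes exceed the 10% cap, so neither goal is met.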
If you are an exit operator and want to help reach this goal you can use this list to verify you are not using Google or Cloudflare resolvers. The Tor Relay Guide has instructions for setting up a local DNS resolver. Showing warnings in tor’s log and on Relay Search for affected exit relay operators is another option to raise awareness.
Let's see how things look a year from now.