<div dir="ltr"><div>Currently Tor traffic uses a TLS handshake hostname like the following:</div><div><br></div><div><pre>$ sudo tcpdump -An "tcp" | grep "www"
listening on pktap, link-type PKTAP (Apple DLT_PKTAP), capture size 262144 bytes
.............". ...www.odezz26nvv7jeqz1xghzs.com.........
.............#.!...www.bxbko3qi7vacgwyk4ggulh.com.........
.6....m.....>...:.........|../*     Z....W....X=..6...C../....................................0...0..0.......'....F./0..        *.H........0%1#0!..U....www.b6zazzahl3h3faf4x2.com0...160402000000Z..170317000000Z0'1%0#..U....www.tm3ddrghe22wgqna5u8g.net0..0..
</pre>A network observer could run a DNS lookup on the hostnames and see if they are real or not. So my idea would be to register a set of random hostnames which are legitimate and point the IPs somewhere, to avoid looking for an NXDOMAIN response and dropping the stream. You could even give each relay a unique subdomain and rotate these every few weeks. This may be expensive to implement but could make blocking Tor traffic with this method harder. Thoughts?<br><br>Cordially,<br>Nathaniel Suchy</div></div>