Philipp Winter phw at nymity.ch
Tue Feb 23 16:46:56 UTC 2016

I've been using exitmap to enumerate what DNS resolvers are used by exit
relays over time.  The idea is simple: I resolve an exit relay-specific
domain under my control over all exit relays, and then look out for
incoming DNS requests from my authoritative DNS server.  That allows me
to map an exit relay to the IP address of a DNS resolver.  Here is a
diagram that visualises preliminary results that cover several months:

The diagram shows a time series, one data point a day, of the top four
DNS resolvers of the Tor network.  The numbers are weighted by exit

Google is the most popular DNS resolver.  Today, Google gets to see
around 25% of all DNS requests exiting the Tor network.  That is
concerning; in particular because they also get to see ingress traffic
of meek users that use App Engine.  After Google, local resolvers are
the most popular.  I classify a resolver as "local" if the DNS
resolver's IP address is identical to the exit relay's IP address.
Finally, we have OVH and OpenDNS.  OVH isn't particularly surprising
given that they are the most popular exit AS, currently controlling 11%
of exit capacity.  Aside from these top four resolvers, the distribution
has a long tail, presumably because many exit relays use their ISP's

Finally, beware of easy conclusions.  First, this analysis doesn't tell
us anything about caching.  Exit relays cache DNS records, which limits
exposure to the DNS resolver.  Also, some exit relays are multi-homed,
which isn't reflected in these numbers.  Perhaps counterintuitively, it
is not clear that local resolvers are *always* the best choice.
Recursive resolvers traverse many autonomous systems when resolving a
domain name, which exposes Tor users' DNS requests, and their
corresponding responses, to network-level adversaries.  We talk a little
bit about these issues here:



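The measurement described in the post, as an added example that is not part of the original message and is not exitmap's own code: each exit resolves a fingerprint-specific name under a zone the measurer controls, and the authoritative server's query log then reveals which resolver address asked for which label. The zone name, relay fingerprints, addresses, exit probabilities and BIND-style log lines below are all constructed for illustration. The script attributes log lines to exits, classifies a resolver as "local" when it queries from the exit's own address, weights resolvers by exit probability, and handles the cases a real run produces: case-mangled (0x20-style) question names, unrelated queries, labels that match no known exit, exits seen with more than one resolver address, and exits never seen at all.

```python
import re
from collections import defaultdict

# Hypothetical zone under the measurer's control (constructed name).
ZONE = "exit-dns-test.example"

# Constructed exit list: fingerprint -> (exit address, share of exit probability).
# Real data would come from the Tor consensus; these four relays are invented.
EXITS = {
    "AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111": ("198.51.100.10", 0.40),
    "BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222": ("203.0.113.20", 0.30),
    "CCCC3333CCCC3333CCCC3333CCCC3333CCCC3333": ("203.0.113.30", 0.20),
    "EEEE5555EEEE5555EEEE5555EEEE5555EEEE5555": ("203.0.113.50", 0.10),
}


def probe_name(fingerprint, zone=ZONE):
    """Name the measurement resolves through the exit with this fingerprint.
    Only the resolver that exit uses will ever ask the authoritative server for it."""
    return f"{fingerprint.lower()}.{zone}"


# Source address and QNAME from a BIND 9-style query log line (handles the
# older "client IP#port" form and the newer "client @0x... IP#port" form).
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9A-Fa-f.:]+)#\d+ .*?query: (?P<name>\S+) IN \S+"
)


def parse_query_log(lines):
    """Yield (resolver_source_ip, qname) pairs. The qname is lowercased because
    resolvers that use 0x20 encoding randomise the case of the question name."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            yield m.group("src"), m.group("name").lower().rstrip(".")


def attribute_resolvers(lines, exits=EXITS, zone=ZONE):
    """Map each exit fingerprint to the sorted list of resolver addresses that
    asked for its probe name. Unrelated names and unknown labels are ignored."""
    suffix = "." + zone
    seen = defaultdict(set)
    for src, name in parse_query_log(lines):
        if not name.endswith(suffix):
            continue
        fingerprint = name[: -len(suffix)].upper()
        if fingerprint in exits:
            seen[fingerprint].add(src)
    return {fp: sorted(addrs) for fp, addrs in seen.items()}


def classify(resolver_ip, exit_ip):
    """'local' when the resolver queries from the exit's own address."""
    return "local" if resolver_ip == exit_ip else resolver_ip


def weighted_shares(mapping, exits=EXITS):
    """Weight each resolver by the exit probability of the exits using it.
    An exit seen with several resolver addresses (multi-homed, or a resolver
    pool) has its weight split evenly among them; exits never seen are
    reported as 'unobserved' so their weight is not silently dropped."""
    shares = defaultdict(float)
    for fp, (exit_ip, weight) in exits.items():
        resolvers = mapping.get(fp, [])
        if not resolvers:
            shares["unobserved"] += weight
            continue
        for ip in resolvers:
            shares[classify(ip, exit_ip)] += weight / len(resolvers)
    return dict(shares)


def _log(src, name, qtype="A"):
    # Constructed BIND 9-style query log line; no real server produced it.
    return (f"23-Feb-2016 16:40:01.000 queries: info: client {src}#51234 "
            f"({name}): query: {name} IN {qtype} +E(0) (192.0.2.1)")


_A, _B, _C, _E = EXITS  # fingerprints, in insertion order
SAMPLE_LOG = [
    _log("198.51.100.10", probe_name(_A)),          # A: resolver runs on the exit itself
    _log("192.0.2.53", probe_name(_B)),             # B: shared resolver
    _log("192.0.2.53", probe_name(_B), "AAAA"),     # same resolver, second query type
    _log("192.0.2.53", probe_name(_B).swapcase()),  # case-mangled name, still B
    _log("192.0.2.53", probe_name(_C)),             # C: seen from two resolver addresses
    _log("192.0.2.54", probe_name(_C)),
    _log("192.0.2.99", "www.example"),              # unrelated traffic, ignored
    _log("192.0.2.77", probe_name("D" * 40)),       # label matches no known exit, ignored
    # exit E never appears: its weight is reported as 'unobserved'
]

if __name__ == "__main__":
    mapping = attribute_resolvers(SAMPLE_LOG)
    for label, share in sorted(weighted_shares(mapping).items(), key=lambda kv: -kv[1]):
        print(f"{label:>16}  {share:6.1%}")
```

Resolver addresses are reported as raw IPs; turning them into "Google" or "OVH" needs an IP-to-AS lookup that the script deliberately does not do offline. The even split for multi-resolver exits is a choice, not a fact about the exit: as the post notes, a multi-homed exit's real traffic split is not visible in this data.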