[tor-dev] DNS resolution isolation in Tor Browser

Roger Dingledine arma at mit.edu
Thu Jun 14 22:49:16 UTC 2018

On Thu, Jun 14, 2018 at 04:22:00PM +0000, nusenu wrote:
> imagine you have two tabs in Tor Browser:
> 1: torproject.org (circuit A)
>   embeds some youtube.com content
> 2: google.com  (circuit B)
>   embeds some youtube.com content
> it will route the TCP connection via two distinct circuits (A and B) as described in the design document [1]


> Will DNS resolution be isolated using the same logic?


> torproject.org and youtube.com will be resolved via circuit A
> and
> google.com and youtube.com will be resolved via circuit B
> Is that correct?


(In the distant past, the Tor client would cache DNS answers on the
client side, so when a later circuit requests the same address, it can
just provide the IP address, saving the exit relay from having to do
an unnecessary resolve. But that's bad for isolation, and it's bad for
geodns designs (where the dns server gives you an answer tailored for
your current location, so re-using that answer from a different location
is not best), and also it doesn't actually save the exit relay that much
since it *can* cache its resolves.)


More information about the tor-dev mailing list