Sally Kang


Tor Network: Malicious Exit Relay and DNS Resolution

05 Nov 2019

[ Tor  Network  ]


In the past few weeks, I have been working on a subject project. In this project, we attempt to monitor and analyze Tor exit relays by detecting malicious exit relays and looking into DNS resolution. Based on an existing Tor scanner, we customize and develop our own modules to probe all exit relays of the whole Tor network. To be honest, I didn’t expect much that we would find some valuable results in the first place, considering the time limit; however, we did eventually get some interesting conclusions!


Why We Do It? Why Exit Relays?

To start with, Tor is a popular low-latency anonymous communication network for enhancing privacy. It achieves this by using nested, so-called “onion” encryption to encrypt traffic data and hide the source and destination IP addresses, and by randomly building three-hop circuits.

As shown in the figure above, by design, exit relays handle almost all of the Tor network's traffic on top of TCP connections, which makes them a convenient place to snoop on and tamper with sensitive network traffic.

On top of that, DNS requests and responses also rely heavily on exit relays for resolution and validation, which raises potential concerns regarding centralization and misconfiguration.


How We Do It?

So, we define a malicious exit relay as one that:

In this case, we want to expose malicious exit relays engaging in man-in-the-middle attacks including SSL/TLS-based attacks, DNS poisoning and traffic sniffing.

We are also interested in the effect of DNS on exit relays:

We try to provide some insights into the effect of DNS on Tor’s anonymity and security by identifying the DNS resolvers and investigating the DNSSEC deployment of Tor exit relays.


More Specific ……


Overview Design

Well, the most important part is exitmap.

Generally, the design of exitmap:


Set up



Probing Modules


What We Have Got!!

Malicious Relays

The table below lists the malicious exit relays we found. The columns are, from left to right:

| Fingerprint | IP addresses | Location | Attack | Discovery |
|---|---|---|---|---|
| 879E4D04 | | Hong Kong | HTTPS MitM | 2019-10-28 |
| D6D6B661 | | Germany | DNS Poisoning | 2019-11-02 |
| 30966599 | | Russia | Censorship | 2019-10-30 |


Here we exposed a possible HTTPS MitM for the domain We detected an HTTPS MitM 7 times coming from the same exit node, which returned three different X.509 certificate fingerprints in total. However, due to human error, our code only recorded the unexpected fingerprint, not the full malicious X.509 certificate.
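The recording gap described above is avoided by keeping the whole certificate whenever its fingerprint is unexpected. The following is an added example, not the project's own code: the function names, the SHA-256 fingerprint choice, the relay labels and the placeholder certificate bytes are all assumptions made for illustration.

```python
import hashlib
import ssl
from collections import defaultdict


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate (hash choice is an assumption)."""
    return hashlib.sha256(der_cert).hexdigest()


def check_certificate(relay, domain, der_cert, trusted_fps):
    """Return None if the certificate is expected, else an evidence record.

    der_cert is what ssl.SSLSocket.getpeercert(binary_form=True) returns
    when the TLS handshake is made through the exit relay under test.
    """
    fp = fingerprint(der_cert)
    if fp in trusted_fps:
        return None
    return {
        "relay": relay,
        "domain": domain,
        "fingerprint": fp,
        # Keep the whole certificate, not only its hash, so issuer, subject
        # and validity can still be inspected after the relay goes offline.
        "pem": ssl.DER_cert_to_PEM_cert(der_cert),
    }


def summarise(findings):
    """Per relay: number of detections and the distinct fingerprints served."""
    summary = defaultdict(lambda: {"detections": 0, "fingerprints": set()})
    for f in findings:
        summary[f["relay"]]["detections"] += 1
        summary[f["relay"]]["fingerprints"].add(f["fingerprint"])
    return dict(summary)


def demo():
    # Constructed placeholder bytes standing in for DER certificates.
    genuine = b"constructed-genuine-cert"
    forged = [b"constructed-forged-A", b"constructed-forged-B", b"constructed-forged-C"]
    trusted = {fingerprint(genuine)}
    # Seven mismatches from one relay plus one clean probe from another.
    observed = [("RELAY-A", forged[i % 3]) for i in range(7)] + [("RELAY-B", genuine)]
    checked = [check_certificate(r, "example.test", der, trusted) for r, der in observed]
    findings = [c for c in checked if c is not None]
    return findings, summarise(findings)
```
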

We also found a possible DNS Poisoning from a German exit relay, as shown in the table.

The final malicious exit relay we detected censors certain websites. When visiting the website, instead of upgrading to, the exit relay redirected the user to a Russian website over cleartext HTTP. However, it turns out the destination website, in this case,, is blocked in Russia, so it just returns an HTTP URL with a web page informing users that this website is blocked due to government policies.


DNS Resolver Configuration

Because DNS queries rely heavily on exit relays, we aim to investigate how the DNS resolvers of Tor exit relays are currently distributed in terms of companies and countries.

We can see that:

Also, most DNS resolvers are located in either Western Europe or North America.

This might be because many websites outsource their DNS setup to providers such as Cloudflare, whose points of presence are centred around Western Europe and North America.


Fun Facts

The basic design of this project mainly follows the previous work by Philipp Winter and Stefan Lindskog (2014)[1] as well as Benjamin Greschbach (2017)[2], so one of our motivations is to give a comparative analysis against the results of that previous work and arrive at an up-to-date conclusion on the Tor network. Here are some fun facts we found compared with the original paper:



[1] P. Winter, R. Köwer, M. Mulazzani, M. Huber, S. Schrittwieser, S. Lindskog, and E. Weippl, “Spoiled onions: Exposing malicious Tor exit relays,” in PETS. Springer, 2014. URL :

[2] Greschbach, B., Pulls, T., Roberts, L., Winter, P., & Feamster, N. (2019). The Effect of DNS on Tor’s Anonymity. Retrieved 3 November 2019, from

[3] Guarding your Tor Exit’s DNS. (2019). Retrieved 3 November 2019, from

[4] NullHypothesis/exitmap.(2019). Retrieved
