Added Protection For Tor’s .onion Addresses


The .onion domain used for sites accessed via Tor has been officially recognized as a top level domain. Rather counter-intuitively, the move is designed to give .onion sites special treatment for added protection.

Until now, the presence of .onion in a website address wasn’t officially recognized as a traditional domain and instead was designed solely for Tor-enabled browsers to find the relevant server on the Tor network. That involves a lengthy series of relays designed to obscure the link between the visitor and the site, thus making anonymity much more likely.

The main drawback was that this only worked as designed as long as browsers or other apps knew how to process a .onion address. If they didn’t, or there was a mistake in the set-up, there was a risk that the software would contact a public DNS server to try to translate the site address into an IP address.

A third party could thus fairly easily figure out when a specific person was trying to access a Tor-based site. While this wouldn’t necessarily reveal the details of any communication, it could be enough to draw attention to the user’s desire to access “secret” sites and undermine the whole point of Tor.

IANA, the international group that takes care of the technical side of Internet technologies such as DNS, has now agreed to treat .onion as a “special case” domain name. That means that all software and organizations following internet protocols must treat it differently compared to normal domains, with safeguards throughout the process including the following:

  • Applications which can use Tor must do so when processing a .onion domain name.
  • Applications which can’t use Tor must return an error message for .onion rather than run a DNS lookup.
  • DNS servers must be configured so that they process .onion addresses through the Tor protocol if technically possible and otherwise return the NXDOMAIN error message.
  • DNS registries are not allowed to register names ending in .onion.
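
As an added illustration (not code from the article or from IANA/Tor), the following Python shows the decision rule the list above describes, applied both on the application side and as a leak check over constructed resolver query-log lines; the simplified BIND-style log format and the client addresses are assumptions made for the example.

```python
import re

ONION_SUFFIX = ".onion"

def is_onion(hostname: str) -> bool:
    """True if the name falls under the .onion special-use domain.
    Trailing dots and letter case are ignored; the bare 'onion' label is the TLD itself."""
    name = hostname.rstrip(".").lower()
    return name == "onion" or name.endswith(ONION_SUFFIX)

def resolve_action(hostname: str, tor_available: bool) -> str:
    """How an application or resolver must handle a name:
    'tor'    - hand the lookup to Tor, never to public DNS
    'refuse' - return an error / NXDOMAIN without sending any DNS query
    'dns'    - ordinary name, normal DNS resolution is fine"""
    if not is_onion(hostname):
        return "dns"
    return "tor" if tor_available else "refuse"

# Constructed, simplified BIND-style query-log lines (not real traffic).
SAMPLE_QUERY_LOG = """\
client 192.0.2.10#53211: query: example.com IN A + (198.51.100.1)
client 192.0.2.10#53212: query: abcdefghijklmnop.onion IN A + (198.51.100.1)
client 192.0.2.22#41002: query: www.example.net IN AAAA + (198.51.100.1)
client 192.0.2.22#41003: query: ABCDEFGHIJKLMNOP.ONION. IN A + (198.51.100.1)
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)")

def find_onion_leaks(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, queried_name) for every .onion lookup that reached the
    resolver: each one is a Tor DNS leak that the client software should have
    either routed through Tor or refused before it ever left the host."""
    leaks = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_onion(m.group("name")):
            leaks.append((m.group("client"), m.group("name")))
    return leaks

if __name__ == "__main__":
    for client, name in find_onion_leaks(SAMPLE_QUERY_LOG):
        print(f"leak: {client} asked public DNS for {name}")
```

A resolver that follows the rule returns NXDOMAIN for these names; seeing them in a public resolver's log at all means a client on that network is leaking its Tor activity.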

Meanwhile the Internet Engineering Task Force has approved a range of changes to technical standards that will further prevent software from mistakenly “going public” with .onion lookups.