Strange and unexplainable DNS requests from Tor browser at launch

Just the other day, out of curiosity, I checked the “about:networking” panel of TB just after initialisation (I wanted to see if anything was open at this early stage, when no connection had been initiated yet).
To my surprise, there were DNS requests open for 12 websites I absolutely hate to see.
So I double-checked using Wireshark, and effectively it seems like the Tor browser at launch - while no connection was requested yet (blank new tab) - is sending DNS requests of its own will for a bunch of the worst BigTech domains…
Of course, those are only DNS requests, and they get a response from the DNS server (in this case my VPN’s DNS), but the IPs of those sites are not actually being accessed. Seems to be some kind of startup “caching for future use” behavior.
Below is a screenshot showing the incriminating DNS requests:

Is there an explanation for this? Has the Tor Project gone mad? Even this last outpost of freedom is now enfeoffed to Internet Lords?
I know I shouldn’t ask about this here on this forum, but rather ask them directly. But I know some people here are implicated in TorProject and on their active list.
So @FranklyFlawless, do you have an explanation for this strange behavior of the browser at launch?

2 Likes

No I do not. My experience volunteering with the Tor Project is with relay operations, pluggable transports, and technical support:

Unlisted thread:

I also used to participate in the tor-relays mailing list.

1 Like

TorBrowser is based on Firefox. So the first question I would be asking is: how much of this is innate behaviour of Firefox?

So I would wonder … what version of TorBrowser? Based on what version of Firefox? (Hamburger / Help / About Tor Browser.) And how many of those domains would be looked up if you just ran that same version of Firefox?

In the specific case of forcesafesearch.google.com this may be Firefox’s built-in Phishing and Malware Protection, for which the only two providers, as standard, are Google and Mozilla. You can disable this from Settings > Security > Deceptive Content and Dangerous Software Protection:

☐ Block dangerous and deceptive content

In this context “dangerous” means “malware” or “attack” web sites, while “deceptive” means “phishing” or “web forgery” web sites. (It may be that in a much earlier version of Firefox you could control these two things separately but it seems as if the UI now only exposes one setting that turns on and off both config settings.)

You can decide for yourself whether you would be net safer from doing this. Put another way, just because you are using Tor doesn’t mean that you don’t want “safe browsing”. For some threat models it would be even more important to enable “safe browsing” when using Tor.

I would imagine that this functionality works by periodically downloading (updates to) a list of all known bad web sites from a Safe Browsing Provider and then within the browser each URL is checked against the list - hence Google does not see every web site that you visit.

Anyway, check / change that setting and see whether it makes a difference.

2 Likes

Note that adjusting Tor Browser’s configuration may alter your fingerprint and increase the risk of deanonymization, so I highly suggest caution before considering it. If you want a detailed explanation of the consequences of doing so, refer to @thorin over at the Tor Project Forum.

3 Likes

Where can I check how the tech stack for this works? So, basically, do I understand correctly that the sequence of actions would be:

  • Dlonk decides to look up something bad, such as maybe looking to see if any pornographic AI generated images of Dlonk are on the shadier places of the internet
  • Dlonk opens Tor Browser to have a way to look this up anonymously
  • Tor Browser checks with Lord Google if it’s safe and OK for Dlonk to search for “Ai generated pornography of Dlonk”
  • Lord Google, after receiving IP address and other metadata on the query, replies that it’s safe and OK to look this up
  • Tor Browser uses some onion goober technology to look up the page contents of the web search, and displays them

This sounds dumb, but what do I know? Last time I used Tor Browser, if I recall, was in high school. An angsty teenage guy my age passed it to me on a flash drive; this was required for CAD class to download the 3D files needed for the school project, because the school had blocked standard networking technology from downloading the 3D files, and blocked proxies and VPNs.

1 Like

You can learn more about Mozilla’s Phishing and Malware Protection for Firefox using this resource:

By default, Tor Browser uses DuckDuckGo as its search engine for answering queries, not Google. You can verify this by downloading and installing Tor Browser yourself:

Related:

1 Like

(This only applies to visiting an actual web site, not when doing a search.)

This is exactly the opposite of what I said happens; however, I did write that I am only surmising.

Lord Google sees a (periodic) request to download a list of bad sites. I guess if you are using TOR, that request may in fact not come from any meaningful IP address but I didn’t check to see whether that download bypasses TOR. It must come with some metadata but how significant that metadata would be, I don’t know.

At the time of visiting an actual web site, your web browser will make a check of the domain of the URL against the list of bad sites.

However I did see some discussion on the web suggesting that in some cases, if the site is rejected because it’s on the list of bad sites then the web browser will make a confirming check to make sure that revocation has not happened in the meantime (which sounds to me like functionality that I wouldn’t like!).

1 Like
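To make the flow described in the two posts above concrete (a periodically downloaded list of bad sites, a purely local check of every visited URL, and a confirming request to the provider only when the local list hits), here is an added example that models that design. It is not code from this thread, from Mozilla or from Google; it is a simplified model of a hash-prefix lookup in the style of the public Safe Browsing protocol. The blocklist entries, the “colliding” prefix and the `fake_provider` function are all constructed stand-ins for the downloaded list and the provider’s full-hash endpoint.

```python
"""Simplified model of a Safe Browsing style lookup (added example).

Flow modelled:
  1. The client periodically downloads a list of short hash prefixes of
     known-bad URL expressions (here: a constructed in-memory set).
  2. Every visited URL is checked locally against that prefix set.
  3. Only when a prefix matches does the client contact the provider to
     fetch the full hashes behind that prefix and confirm (or clear) the hit.
So the provider sees a request only for the rare prefix hits, not for every URL.
"""
import hashlib
from typing import Callable, Dict, List, Set, Tuple
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes of SHA-256 kept in the local list


def url_expressions(url: str) -> List[str]:
    """Host-suffix / path-prefix expressions for a URL, as "host/path" strings.

    Simplified canonicalisation: lowercase host, query string dropped, host
    suffixes down to two labels, path prefixes up to four segments.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").rstrip(".").lower()
    labels = host.split(".")
    hosts = [host]
    for n in range(min(5, len(labels) - 1), 1, -1):  # e.g. a.b.c.d -> b.c.d, c.d
        suffix = ".".join(labels[-n:])
        if suffix != host:
            hosts.append(suffix)
    segments = [s for s in (parts.path or "/").split("/") if s]
    paths = ["/"] + ["/" + "/".join(segments[:i]) for i in range(1, min(len(segments), 4) + 1)]
    return [h + p for h in hosts for p in paths]


def sha256(expr: str) -> bytes:
    return hashlib.sha256(expr.encode()).digest()


class LocalList:
    """The locally cached prefix list plus a cache of confirmed full hashes."""

    def __init__(self, prefixes: Set[bytes]):
        self.prefixes = set(prefixes)
        self.full_hash_cache: Dict[bytes, Set[bytes]] = {}


class SafeBrowsingClient:
    def __init__(self, local: LocalList, provider: Callable[[bytes], Set[bytes]]):
        self.local = local
        self.provider = provider  # stands in for the network full-hash request
        self.network_calls = 0

    def check(self, url: str) -> Tuple[bool, bool]:
        """Return (is_unsafe, contacted_provider) for one URL."""
        contacted = False
        for expr in url_expressions(url):
            full = sha256(expr)
            prefix = full[:PREFIX_LEN]
            if prefix not in self.local.prefixes:
                continue  # the common case: decided locally, no network traffic
            if prefix not in self.local.full_hash_cache:
                self.local.full_hash_cache[prefix] = self.provider(prefix)
                self.network_calls += 1
                contacted = True
            if full in self.local.full_hash_cache[prefix]:
                return True, contacted
        return False, contacted


# --- constructed sample data; not a real blocklist ---------------------------
BAD_EXPRESSIONS = ["malware.example/", "phish.example/login"]
BAD_FULL = {sha256(e) for e in BAD_EXPRESSIONS}
# Pretend some other bad entry shares a prefix with a clean site, so the
# prefix hits locally but the full-hash check clears it.
COLLIDING_PREFIX = sha256("clean.example/")[:PREFIX_LEN]
LOCAL_PREFIXES = {h[:PREFIX_LEN] for h in BAD_FULL} | {COLLIDING_PREFIX}


def fake_provider(prefix: bytes) -> Set[bytes]:
    """Constructed stand-in for the provider's full-hash endpoint."""
    return {h for h in BAD_FULL if h.startswith(prefix)}


def demo() -> Tuple[Dict[str, Tuple[bool, bool]], int]:
    client = SafeBrowsingClient(LocalList(LOCAL_PREFIXES), fake_provider)
    urls = ["https://www.example.com/page", "http://malware.example/x",
            "http://clean.example/", "http://phish.example/login?a=1"]
    return {u: client.check(u) for u in urls}, client.network_calls


if __name__ == "__main__":
    for url, (unsafe, contacted) in demo()[0].items():
        print(f"{url:40} unsafe={unsafe} provider_contacted={contacted}")
```

The point the model makes visible is the one the posts argue about: a clean URL whose prefix is absent from the local list never produces a request to the provider at all, while the confirming full-hash request happens only on a prefix hit (including a collision with a clean site). Whether that confirming request, or the periodic list download, goes through Tor or not is exactly the question left open above; this model does not answer it.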

Tor Browser 13.5.1 (latest), based on Firefox 115.13.0esr

Actually, I was thinking about something like this…but would TorProject really leave this crap from Firefox ESR and not remove it downstream - I mean it TAINTS the browser!
Which raises another question: could it be that they are simply not aware of this behavior, so didn’t care to remove these DNS requests? I hardly believe this.

I’ve always had this setting disabled, after it was discovered that nosy Google was using this for spying and scraping more data from FF users (usually considered more “privacy-conscious”). This was a big scandal, I remember. Then Mozilla had to change this and implement their own block lists for malware, accessing their own servers instead of Google’s. But even with this issue resolved, I don’t rely on Moz or Google for this, but on specific lists on UBo for this same purpose. So I don’t think it to be the problem, since the browser does not need to access those lists or make any DNS requests for this purpose in the background.

1 Like

I have also considered this could be caused not by the browser itself, but by an extension or a plug-in. So I checked launching TB with all extensions disabled, no plug-in, no search engine. But the browser stubbornly behaves the same way and does the 12 DNS requests first thing after launch nonetheless.
This is really puzzling and I can’t find an explanation for this strange behaviour.

1 Like

Before creating a topic on the Tor Project Forum, try using Mullvad Browser and see if it reproduces the same behavior, as both Mullvad VPN and the Tor Project collaborated on it:

1 Like

For what it’s worth, I don’t see that behaviour - but I am running a somewhat out of date version of TorBrowser (it is grinding through downloading the update now).

I see 2 HTTP requests (content-signature-2.cdn.mozilla.net and aus1.torproject.org), neither of which is particularly concerning and I see none of the DNS requests that you mention (either listed by the browser or in my DNS server logs).

After connecting to TOR I see a couple more HTTP requests (firefox.settings.services.mozilla.com and firefox-settings-attachments.cdn.mozilla.net), again nothing offensive.

2 Likes

OK, update completed but I am still well short of the version that you have. (I will need to look into that anyway.)

DNS now shows under DoH URL https://mozilla.cloudflare-dns.com/dns-query so it looks like the update caused Firefox to grow DoH functionality - and using Cloudflare for this may or may not be acceptable to the user.

In any case, still only seeing relatively benign hostnames referenced i.e. nothing googly.

After connecting I see some requests to securedrop.org which may or may not be bad.

2 Likes

SecureDrop is software used for submitting documents, usually in the form of leaks, to news organizations:

Depending on how you installed Tor Browser, it may have a home page about your new installation, along with Tor-related resources for you to consider using.

1 Like

OK, so I moved my Tor Browser to one side and just downloaded it again from scratch. I now have 13.5.1 based on Firefox 115.13.0 i.e. same as you (and presumably I have a 100% vanilla Tor Browser configuration e.g. I have changed no settings).

On startup, aus1.torproject.org and versioncheck-bg.addons.mozilla.org

After Connect, securedrop.org, bridges.torproject.org, r3.o.lencr.org

1 Like

Seems very tame to me:

1 Like

Yes, get them to go back to torn tape relay!

1 Like

I am totally inexperienced on the subject (although I would like to educate myself about it) so I prefer to use gnome web browser which, although crashing all the time, is the only browser, to my knowledge, oriented to privacy and security!

2 Likes

Here is a resource to start learning about DNS:

What is DNS? | How DNS works | Cloudflare

See also:

https://forums.puri.sm/t/time-to-ditch-mozilla/21102/90?u=franklyflawless

3 Likes

Thank you for trying this. I did so too in order to confirm your observations and it is true that a clean installation of 13.5.1 (with no other modification to settings) makes the problem disappear.

Those are legitimate: one is for checking if there is a version update for Tor, and the other checks the addons for potential updates.
So the conclusion could only be this one: I must have something in my profile that causes it. This was pretty hard to diagnose: moving things one by one from the old profile to the new install and checking each time if the DNS requests had come back. But in the end, I found the culprit: an older German anonymizing search engine I had installed, called Metager (for German MetaEngine) was doing those weird DNS requests at launch - but without actually accessing the sites it requested the IPs for.
So I should not have incriminated the TorProject for this! But these modern browsers have become so complicated now, it is hard to troubleshoot when something doesn’t work or seems weird/suspect…

7 Likes

Great, mark your post as a solution. If you want an alternative suggestion for a metasearch engine, you can use my unlisted SearXNG instance:

https://forums.puri.sm/t/vps-usage-suggestions/21788/82?u=franklyflawless

1 Like