Think about using DNS over HTTPS for Tor Browser 9
Right now we do not have DNS over HTTPS (DoH) enabled in Tor Browser, but we should think about whether we should do that. https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/ has some good illustrations of this feature.
Some pros
- it cuts out some potential for messing with DNS queries
- it should help mitigate the DNS proxy leak threat inherent to using a SOCKS proxy
- it might help with the attacks mentioned in "The Effect of DNS on Tor's Anonymity" (https://nymity.ch/tor-dns/tor-dns.pdf) ...
Some cons
- it adds a central party seeing all Tor Browser users' DNS requests (even though a lot of DNS queries (about 40%) go to Google already according to the above-mentioned paper, that's not 100%)
- it might add latency
- First Party Isolation of the requests and the cache might need to get added ...