TOR DNS over AirVPN

[retiredpilot 6]

Staff or others,

 

I never considered this so I thought I would ask here among my security minded friends.  I connect via Air and have all the rules in place so the only DNS showing is leaseweb's (Air's) using Windows.  Never an exception while on my host OS and never a leak of any kind.  Now I mount a virtualbox VM running a linux 12.04 OS.  This VM is running TBB (TOR) and it works great.  I decided to check for dns leaks and almost a dozen names show up (VM only not in the host OS).  They match the TOR "circuit" I am currently using at that time.  So now I am trying to consider if this is a vulnerability I need to deal with.  I know the TOR circuit is encrypted between all the nodes but these dns names all showing up sort of concern me.  I am looking for recommendations, and questioning if fellow TOR over Air users are seeing the same thing?  Since the TOR circuit changes every 10 minutes or so I don't see how to write numbers based rules.  What to do, if anything is needed?

[amnesty 18]

I can get this when running Tor over VPN or running Tor.

 

This is from the Tor FAQ regarding DNS leaks running Tor:

 

https://trac.torproject.org/projects/tor/wiki/doc/TorFAQ#IkeepseeingthesewarningsaboutSOCKSandDNSandinformationleaks.ShouldIworry

[retiredpilot 6]

I have done a bunch of reading today.  This is a confusing subject.

 

I created my VM using linux because linux is inherently better at handling DNS than windows.  Then I add the latest TBB.  I only use TOR for reading and while most of the sites I visit are https, not all are.  My ISP dns never shows up whether running inside or outside of the VM (firewall rules on the host).  Note; even Air's dns provider doesn't show up using dnsleaktest while I am in the VM and the machine is still tunnel connected.  That makes sense to me if TBB is working correctly.  My machine is VPN wrapped to cloak TOR use from my ISP.  You would think that the TOR project has throughly considered the dns issue.  It would make absolutely no sense to encrypt the packages between the nodes and yet allow the various node dns servers to "know" what sites you visit even if they can't read the content.

 

Point blank question.  Am I misunderstanding TOR's protections?  Does TOR as generically configured encrypt up to the exit node and block/protect the dns stuff to the exit point, OR is the dns weak and in fact it does allow "bad/evil" nodes in the circuit to know where a user goes (I realize content is encrypted)?  I know about bad exit nodes and http.  That is NOT what I am questioning.  I am questioning the nodes earlier in the circuit.