Add onion service to HTTPS records

HTTPS records offer a superior way to advertise HTTP Alternative Services. While they are still an Internet Draft, Cloudflare already offers support for hosted domains.

Cloudflare also offers onion services, which Tor-compatible clients like Tor Browser and Brave may use to access websites without touching an exit node. This is extremely helpful, but it could be improved upon.

If both HTTPS records and Opportunistic Onions are enabled for a hosted domain, Cloudflare should set the onion service as the highest-priority target for the domain.

www.cloudflare.com.	21	IN	HTTPS	1 cflareer7qekzp3zeyqvcfktxfrmncse4ilc7trbf6bp6yzdabxuload.onion alpn="h2"
www.cloudflare.com.	21	IN	HTTPS	2 . alpn="h3,h3-29,h2" ipv4hint=104.16.123.96,104.16.124.96 ipv6hint=2606:4700::6810:7b60,2606:4700::6810:7c60

Clients capable of accessing an onion service will use it, while other clients (most notably Safari, which I’ve tested this with extensively) will correctly disregard it in favor of the next target.

This also has the advantage of working with Tor-compatible clients that only support HTTP/1.1, if any actually exist.


Once HTTPS records are finalized and all browsers start using it by default, this will have the potential to considerably reduce the latency of initial connections to Cloudflare-hosted domains over Tor. It will also mean that the onion service no longer needs to be sent with an Alt-Svc header in every HTTP message.


I have opened an issue with The Tor Project about encouraging this approach as well.


By the way, including ipv4hint and ipv6hint is only useful for resolvers that aren’t compliant with the new standard, and explicitly NOT RECOMMENDED for . targets like the ones Cloudflare generates.

When TargetName is the origin hostname or the owner name (which can be written as “.”), server operators SHOULD NOT include these hints, because they are unlikely to convey any performance benefit.

IP hints should only be used on an as-needed basis, and only as a temporary measure to reduce resolution latency by a few milliseconds: once more resolvers become compliant and follow SVCB/HTTPS targets the way they follow CNAME aliases, hints will serve no purpose whatsoever.