I am surprised to find that there is no form of DNSSEC associated with TOR. I am running dnscrypt, but find that I fail the DNSSEC test at http://dnssec.vs.uni-due.de/ when using the TBB. I have unbound chained to dnscrypt which is on a rotary to 5 trusted DNS resolvers.
How can you not understand what this means WRT DNS cache poisoning? Why are we susceptible to DNS cache poisoning? I suppose that the TOR system needs to resolve .onion addresses, but there should be some way of using dnssec locally if the TOR system cannot provide authenticated DNS.
No one in the #tor irc channel seems to know how TOR DNS is done, and unfortunately there's not a word about it at https://trac.torproject.org/projects/tor/wiki/doc/DnsResolver . But I suspect it must be TCP DNS as TOR can't do UDP. And I suspect DNS must be done by relay servers, in order to resolve intermediate .onion addresses. Beyond that, it's a mystery how it's done.
How to secure TOR DNS?