onion.nytimes.com CNAME nytimes3xbfgragh.onion
Edit to clarify - more a technical pondering than a solution to anything
I guess in theory a browser _could_ support something like that, but it'd be pretty unusual. I also think the idea of relying on DNS to resolve a hidden service would defeat a lot of the privacy and security guarantees associated with those services, so I don't think any browser serious about security would implement something like that.
Websites redirect all the time, there's 3 HTTP status codes for it.
If you visit https://onion.nytimes.com/ and it sends you a 301 redirect to https://nytimes3xbfgragh.onion/ then yes, I'm pretty sure that'd work fine. However, if you perform a DNS lookup on `onion.nytimes.com` and receive in response a CNAME record pointing to `nytimes3xbfgragh.onion`, I seriously doubt the browser is going to respond to that by establishing a new Tor circuit to the named hidden service. Rather, it's most likely just going to do what every other DNS client does when it receives a CNAME record; it'll try to look up `nytimes3xbfgragh.onion` in the DNS. (And fail, because `.onion` is not a valid TLD in the regular DNS system.)
