
Does using Tor Browser reveal DNS queries to my ISP?

Checked on November 7, 2025

Executive Summary

Using Tor Browser normally prevents your local ISP from seeing the DNS names you visit because DNS lookups are performed by Tor exit relays, not your machine; your ISP can see only that you are connected to the Tor network. Three caveats can reduce anonymity in specific threat models: historical vulnerabilities, exit-relay behavior, and research showing that third-party resolvers see exit-node DNS traffic [1] [2] [3].

1. Why people expect DNS privacy with Tor — the classic technical explanation that matters

Tor’s design routes application requests through the Tor circuit so that DNS name resolution for web requests is performed by the exit relay, not the client machine. The client sends the hostname inside Tor cells to the exit, which resolves it and opens the TCP connection, so the ISP does not directly receive ordinary DNS queries from your device [1] [4]. This architecture means that on a correctly configured Tor Browser, ordinary UDP DNS packets do not leave your computer for your ISP. The Tor specification and multiple technical explainers describe this model, and it is the baseline reason users rely on Tor to prevent their ISP from learning visited domains [4].
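Added example (not from the original page or the Tor Project): Tor Browser hands each request to its local Tor client over SOCKS5, and the address type in that request shows whether the hostname was passed through for resolution at the exit or had already been resolved on the client. The helper names and the sample address `192.0.2.10` are constructed for illustration.

```python
import ipaddress
import struct

# SOCKS5 address-type codes from RFC 1928.
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

def build_connect(host: str, port: int) -> bytes:
    """Build a SOCKS5 CONNECT request, passing a hostname through unresolved."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: send the name itself so the proxy side resolves it.
        name = host.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("hostname length out of range")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = bytes([atyp]) + ip.packed
    return b"\x05\x01\x00" + addr + struct.pack("!H", port)

def classify(request: bytes):
    """Return (verdict, target) for a SOCKS5 CONNECT request."""
    if len(request) < 7 or request[0] != 5 or request[1] != 1:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = request[3]
    if atyp == ATYP_DOMAIN:
        n = request[4]
        return "remote-resolve", request[5:5 + n].decode("ascii")
    if atyp == ATYP_IPV4:
        return "pre-resolved", str(ipaddress.ip_address(request[4:8]))
    if atyp == ATYP_IPV6:
        return "pre-resolved", str(ipaddress.ip_address(request[4:20]))
    raise ValueError("unknown address type")

if __name__ == "__main__":
    for target in ("example.com", "192.0.2.10"):
        print(target, classify(build_connect(target, 443)))
```

A URL that contains a literal IP address also produces a pre-resolved request, so that verdict is a prompt to check how the application obtained the address rather than proof of a leak.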

2. Real-world exceptions and observable limitations — where DNS can leak or be observed

Empirical studies and bug reports show practical limits to the ideal model. Exit relays often use third-party resolvers (for example, Google Public DNS), which means those resolvers can see a substantial fraction of exit-node DNS requests and correlate patterns with exit traffic; researchers found about one-third visibility to a large resolver in a past study, creating a deanonymization vector when combined with traffic analysis [2]. Separately, specific vulnerabilities or misconfigurations in Tor Browser or its platform integrations have been tracked as issues that could cause DNS resolution outside the intended path, potentially exposing hostnames to the ISP or local network [3]. These are exceptions, not the intended operation, but they matter for adversaries capable of large-scale observation.

3. What your ISP actually sees today — facts about observable signals

When you run Tor Browser, your ISP can reliably see connections to Tor network relays (IPs and timing) but not the resolved domain names for the sites you visit in normal operation. DNS-over-HTTPS/TLS on the client would normally hide DNS from an ISP, but Tor’s model makes that unnecessary for browser-initiated web lookups because resolution is done by the exit node. However, if a user performs DNS outside Tor (for example, using other applications not proxied into Tor or through a misconfigured system resolver), the ISP can see those queries. Community testing and documentation affirm that DNS-leak tests run over properly routed Tor Browser traffic do not show the ISP’s DNS server address [5] [6].
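Added example (not part of the original article): a check over outbound packets that separates what an ISP can read, plaintext DNS queries on UDP port 53, from the opaque relay traffic it cannot. The packet tuples, addresses, relay port 9001 and the name `updates.example.net` are constructed sample input; in practice the tuples would come from a capture taken on your own uplink.

```python
import struct
from typing import Optional

def dns_query_name(payload: bytes) -> Optional[str]:
    """Return the queried name if payload is a plaintext DNS query, else None."""
    if len(payload) < 12:
        return None
    _qid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if flags & 0x8000 or qdcount != 1:  # QR bit set means response, not query
        return None
    labels, pos = [], 12
    while pos < len(payload):
        length = payload[pos]
        if length == 0:  # root label ends the name; QTYPE and QCLASS must follow
            return ".".join(labels) if labels and pos + 5 <= len(payload) else None
        if length > 63 or pos + 1 + length > len(payload):
            return None  # compression pointer or truncated label: not a clean query
        try:
            labels.append(payload[pos + 1:pos + 1 + length].decode("ascii"))
        except UnicodeDecodeError:
            return None
        pos += 1 + length
    return None

def leaked_names(packets):
    """Names an on-path observer can read from (proto, dst_ip, dst_port, payload)."""
    leaks = []
    for proto, dst_ip, dst_port, payload in packets:
        if proto == "udp" and dst_port == 53:
            name = dns_query_name(payload)
            if name:
                leaks.append((dst_ip, name))
    return leaks

def make_query(name: str, qid: int = 0x1234) -> bytes:
    """Build a minimal A-record query, used only to construct sample input."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

# Constructed uplink traffic: two opaque TLS records to a relay, one stray lookup.
SAMPLE = [
    ("tcp", "198.51.100.7", 9001, b"\x16\x03\x01\x02\x00"),
    ("udp", "192.0.2.53", 53, make_query("updates.example.net")),
    ("tcp", "198.51.100.7", 9001, b"\x17\x03\x03\x00\x20"),
]

if __name__ == "__main__":
    print(leaked_names(SAMPLE))
```

An empty result while only Tor Browser is generating traffic matches the model described above; any entry points to a lookup made outside Tor by some process on the host.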

4. Threat models: when DNS exposure matters and who benefits

Different adversaries gain different leverage. A local ISP-level observer cannot see exit-node DNS unless the client leaks DNS locally or uses an insecure path, so for many threat models the ISP is not the primary deanonymizer [1]. Nation-state actors, large public resolvers, or operators of exit nodes can observe exit DNS and, combined with traffic-correlation or fingerprinting attacks, can improve deanonymization chances [2]. Researchers emphasize that adversaries already monitoring large fractions of the internet gain little extra by exploiting DNS patterns, but targeted attacks combining exit DNS observation and traffic analysis pose elevated risk to users with high-threat profiles [2].

5. Practical takeaways: configuration, mitigations, and what to watch for

Use the official Tor Browser and avoid routing application traffic outside Tor; the browser’s built-in routing prevents local DNS leaks in standard configurations. Watch Tor Project advisories and GitLab issue reports for DNS-resolution vulnerabilities and patches; historical issues show that vulnerabilities can temporarily alter the privacy guarantees and require updates [3]. For maximal assurance in hostile environments, combine good operational hygiene (keep Tor Browser updated, avoid non-Tor apps accessing the network), monitor for disclosed exit-node behavior studies, and be aware that exit-node and third-party resolver observation remain the primary external caveats to DNS privacy when using Tor [6] [7].
