Does Tor Browser send DNS queries over the Tor network or to my ISP?

Executive summary — clear bottom line in two short sentences. Tor Browser sends DNS names inside the encrypted Tor circuit to the chosen exit relay; the exit relay performs DNS resolution and the ISP does not directly receive DNS queries from the client. This means DNS lookups travel over Tor to exit nodes by default, but exit nodes and their chosen resolvers can see or influence the resolved names, which creates a separate risk vector ^{[1] [2] [3]}.

1. How Tor actually handles DNS: the exit node resolves your names, not your ISP. Tor’s design forwards hostnames (not IP-resolved packets) across the encrypted circuit and issues a RELAY_BEGIN to the exit, which then performs the DNS resolution and opens the connection on your behalf. This core behavior has been documented since early Tor documentation and community answers and is reiterated in analyses dated as far back as 2013 ^{[1] [2]}. The client does not emit UDP DNS packets to the local network by default, so your ISP normally does not see DNS lookups generated by Tor Browser itself. Recent community and Tor Project discussions confirm this model and note that resolved IPs and domain names are observable at the exit point ^{[1] [4]}.

2. Why exit nodes are the weak link: they see the domain and choose resolvers. Because the exit relay performs resolution, the exit node operator — and any resolver the exit node uses — can observe the domain name being resolved ^{[5] [2]}. Community bug reports and forum posts highlight cases where exit nodes or their configured resolvers used third‑party services like Cloudflare, producing visible indicators on DNS test pages and sometimes misleading users about who resolved the name ^[6]. That behavior means anonymity is preserved from your ISP but not necessarily from the exit relay or its upstream DNS provider, so the protection scope is limited to network-level eavesdropping before the exit.

3. Changes, mitigations, and configuration nuance: Tor Browser updates matter. Tor Browser has evolved; some older behavior and misconfigurations led to observable interactions with third‑party DoH endpoints at the exit, and developers have addressed several of these issues in later Tor Browser releases (reports cite fixes around versions 13.0.12 and 13.0.14) ^[6]. Users cannot directly force which resolver an exit node uses, and using local DNS-over-HTTPS or other custom resolvers on top of Tor can introduce fingerprinting or leak risks; Tor guidance and community warnings emphasize avoiding external DNS services on the client when using Tor ^{[7] [6]}.

4. Threat model: what your ISP sees, what exit nodes see, and what remains secret. Under normal Tor operation, your ISP sees only encrypted Tor traffic to your guard node and cannot observe destination hostnames or DNS queries, because the client does not emit DNS queries to the ISP ^{[1] [3]}. The exit node, however, sees the final destination (domain and resolved IP) when it performs resolution and opens outbound connections. Hidden services bypass public DNS entirely and use Tor’s rendezvous system, which is separate from exit‑based resolution ^[2]. Understanding this distinction clarifies protections and exposures for different use cases.

5. Practical guidance and open questions for users who care about DNS privacy. Relying on Tor Browser as configured protects against ISP DNS observation but does not hide domains from exit relays or their resolvers; users needing end‑to‑end confidentiality should use HTTPS, onion services, or application‑level encryption in addition to Tor ^{[2] [7]}. Community threads and bug reports recommend keeping Tor Browser up to date to pick up DNS‑related fixes, avoiding client‑side DNS overrides that can cause leaks, and recognizing that choosing Tor does not equate to choosing a specific public DNS operator — exit nodes determine downstream resolvers ^{[6] [8] [7]}.