Recent updates to Tor's DNS handling features

Checked on November 15, 2025

Executive summary

Tor’s handling of DNS is discussed across status pages, blog posts, forums and Q&A: Tor historically sends hostnames through the Tor circuit so exit relays perform DNS resolution [1], the Tor Project runs public DNS/exit-list services and has recently replaced its DNS-based exit-list with a simplified service that returns 127.0.0.2 for exit IP checks [2], and the project’s status pages show intermittent DNS service incidents and monitoring [3] [4] [5]. Coverage in community forums and security Q&A highlights tradeoffs between DNS-over-HTTPS/DNSCrypt and relying on Tor’s exit-resolution model [6] [7].

1. How Tor currently routes DNS: exit relays resolve names, not your ISP

Tor transports the hostname inside the Tor protocol to an exit relay; the exit node performs the DNS lookup and opens the TCP connection to the target, meaning your local DNS resolver or ISP typically does not see the hostname when you use Tor [1]. Security Stack Exchange answers and Tor technical Q&A describe this mechanism as the normal behavior: the client sends a RELAY_BEGIN with hostname and port to the exit, which then resolves the name [1].

2. Practical tradeoffs: anonymity vs. control over resolver choice

Because resolution happens at the exit relay, you gain privacy from local DNS observers but lose direct control over which recursive resolver is used; an exit relay will use whatever DNS it’s configured to use, which could vary or be subject to legal orders [1]. Community discussions about alternatives — DoH, ECH, DNSCrypt, or routing DNS through Tor — emphasize these tradeoffs: if you route all traffic through Tor (e.g., using the local SOCKS5 proxy) DNS resolution is done by the exit and local DNS tools aren’t needed, but this still leaves traffic-analysis risks inherent to low-latency anonymity networks [6].
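The distinction sections 1 and 2 draw (the hostname travels inside the circuit and the exit resolves it, versus the client resolving it first and leaking the query to its local resolver) is visible in the very first bytes a client sends to Tor's local SOCKS5 proxy. The following is an added illustration written for this page, not Tor Project code: it encodes a SOCKS5 CONNECT request per RFC 1928 and classifies who ends up resolving the name from the address type. The function and constant names are this example's own.

```python
"""SOCKS5 CONNECT request builder illustrating exit-side name resolution.

Added example, not code from the Tor Project. A client that hands the
hostname to Tor's local SOCKS5 proxy (address type 0x03, domain name)
lets the exit relay resolve it; a client that resolves the name itself
and then connects by IP (address type 0x01 or 0x04) has already sent the
query to the local resolver, which is the classic DNS leak.
"""
import ipaddress
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
ATYP_IPV6 = 0x04


def socks5_connect_request(target: str, port: int) -> bytes:
    """Encode a SOCKS5 CONNECT request (RFC 1928, section 4).

    Hostnames are passed through verbatim as ATYP 0x03 so the proxy
    (here, Tor) resolves them at the exit; literal IPs use 0x01 or 0x04.
    """
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Not an IP literal: send the name itself, never resolve it locally.
        name = target.encode("idna")
        if not 1 <= len(name) <= 255:
            raise ValueError("hostname must be 1..255 bytes")
        dst = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        dst = bytes([ATYP_IPV4 if addr.version == 4 else ATYP_IPV6]) + addr.packed
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + dst + struct.pack("!H", port)


def resolution_site(request: bytes) -> str:
    """Classify where the destination name gets resolved for a CONNECT request."""
    if len(request) < 5 or request[0] != SOCKS_VERSION or request[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = request[3]
    if atyp == ATYP_DOMAIN:
        return "exit_relay"   # the name travels inside the circuit
    if atyp in (ATYP_IPV4, ATYP_IPV6):
        # Either a literal IP, or a name the client already resolved itself
        # (and thereby exposed to its local resolver / ISP).
        return "client_side"
    raise ValueError("unknown address type %#x" % atyp)


if __name__ == "__main__":
    for host, port in (("example.com", 443), ("93.184.216.34", 80)):
        req = socks5_connect_request(host, port)
        print(host, req.hex(), resolution_site(req))
```

Applications that "torify" by resolving first and then connecting to the IP produce the second form, which is why leak checks look at the address type on the SOCKS channel rather than at whether traffic eventually reaches the proxy.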

3. Tor Project services that use DNS: exit lists and public DNSEL history

Tor has provided DNS-based exit-list services (DNSEL) to help sites check whether an incoming IP is a Tor exit for a given port; historically this was experimental and sometimes error-prone [8]. The Tor Project’s blog says the DNS-based exit-list system was replaced with a new simplified service that behaves more like a typical DNS list and returns a canonical A record (127.0.0.2) if an IP is a Tor exit for the queried port, making integration easier for operators [2].

4. Recent operational notes and outages in Tor’s DNS infrastructure

The Tor Project’s status pages and issue history document DNS infrastructure incidents and monitoring: a noted disruption in December 2022 prompted mitigations and restoration [5], and the status dashboard lists DNS as an infrastructure component being monitored for availability with recorded downtime metrics and recent resolved incidents [3] [4]. These operational posts show the project treats DNS-related services as first-class parts of their infrastructure to keep network tooling and exit services reliable [3] [4] [5].

5. Community tools and third-party apps mixing Tor and encrypted DNS

Third-party apps and guides sometimes bundle Tor with DNSCrypt or other resolvers; for example, a Play Store app changelog lists updates to DNSCrypt alongside a Tor binary update [9]. Security Q&A threads debate whether anonymized DNSCrypt over Tor is preferable to DoH+ECH setups; contributors note that if you route all traffic through Tor, you don’t need DNSCrypt since the exit resolves names — but they also warn about client-side vs. exit-side threat models and remaining traffic-analysis risks [6].

6. What reporting does not cover / open questions

Available sources do not mention whether Tor’s core client code has implemented any recent changes to perform DNS resolution locally or to support DoH/ECH over circuits by default — Tor’s standard model remains exit-side resolution per the documentation and Q&A [1]. Also, while the exit-list DNS service change is described, the status pages and blog posts do not provide detailed technical specs, deployment timeline, or performance data beyond the assertion that the new service “behaves closer to a typical DNS-based list” and returns 127.0.0.2 for positive checks [2] [3].

7. How to interpret competing perspectives and next steps for readers

Operational posts (status pages and incident reports) focus on availability and mitigation [3] [4] [5], while technical Q&A highlights privacy mechanics and threat models [1] [6]. If you need control over which resolver is used, the current Tor model forces a tradeoff: route resolution through Tor exits (privacy from local observers but exit-dependent resolvers) or perform encrypted DNS locally (DoH/DNSCrypt) and accept that the local resolver sees queries — community debate in Q&A threads explores both positions without a single consensus [6] [7]. For operators checking for Tor exits, use the Tor Project’s updated DNS exit-list service as documented on the project blog [2].
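For the operator use case raised in sections 3 and 7 (checking whether a connecting IP is a Tor exit via the DNS-based list), the following added example shows how such a lookup is typically structured and, more importantly, how to interpret the answer safely. It is not Tor Project code. The page states only that the new service returns the A record 127.0.0.2 for a positive match; the query-name layout (reversed IPv4 octets under a list zone) and the zone name are assumptions, with an obvious placeholder zone. The resolver is injected and backed by a constructed answer table so the example runs offline.

```python
"""DNSEL-style exit check: build the query name and interpret the answer.

Added example, not code from the Tor Project. Assumptions: the query is
the reversed IPv4 octets under a list zone (placeholder zone below), and
the documented positive answer is the A record 127.0.0.2. A resolver
callable is injected so the example runs against a constructed table.
"""
import ipaddress
from typing import Callable, Iterable, Optional

# Positive answer described on the Tor Project blog for the new service.
TOR_EXIT_ANSWER = "127.0.0.2"

# Placeholder zone (assumption); substitute the zone the project documents.
EXAMPLE_ZONE = "dnsel.example.invalid"

Resolver = Callable[[str], Optional[Iterable[str]]]


def dnsel_query_name(ip: str, zone: str = EXAMPLE_ZONE) -> str:
    """Reverse the IPv4 octets (as for in-addr.arpa) and append the list zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example covers IPv4 exits only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def classify_answers(answers: Optional[Iterable[str]]) -> str:
    """Map a DNS answer set to a decision.

    Only the documented 127.0.0.2 counts as positive. Any other A record
    is flagged, not trusted: resolvers that rewrite NXDOMAIN into a
    redirect address would otherwise make every visitor look like a Tor
    exit, and a block rule keyed on "any answer" would fail open.
    """
    rrset = set(answers or [])
    if not rrset:
        return "not_listed"            # NXDOMAIN or empty answer section
    if rrset == {TOR_EXIT_ANSWER}:
        return "tor_exit"
    return "unexpected_answer"         # check the resolver before acting


def check_exit(ip: str, resolve: Resolver, zone: str = EXAMPLE_ZONE) -> str:
    """Full check: compose the query name, resolve it, classify the result."""
    return classify_answers(resolve(dnsel_query_name(ip, zone)))


# Constructed answer table standing in for the real list (not real data).
FAKE_LIST = {
    "7.100.51.198." + EXAMPLE_ZONE: ["127.0.0.2"],   # listed as an exit
    "9.113.0.203." + EXAMPLE_ZONE: ["198.18.0.1"],   # hijacking resolver
}


def fake_resolver(name: str) -> Optional[list]:
    """Stand-in for a real A-record lookup; None models NXDOMAIN."""
    return FAKE_LIST.get(name)


if __name__ == "__main__":
    for ip in ("198.51.100.7", "192.0.2.1", "203.0.113.9"):
        print(ip, dnsel_query_name(ip), check_exit(ip, fake_resolver))
```

In production the injected resolver would perform a real A lookup against a trustworthy recursive resolver; keeping the decision logic separate from the lookup is what makes the "unexpected_answer" case testable before it is wired to anything that blocks traffic.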
