My suggestion: If DNS is being blocked from a Tor exit, the site itself that is being resolved is also likely to be blocked, so it should be a rarer case than you'd otherwise expect. So just run a local recursive resolver ON the exit node, but with a small patch so that if the recursive resolver fails to resolve a name, you have a fallback to a separate recursive resolver, the one that is run by the ISP where you are running your Tor node, so it will still resolve if the site only blocks DNS but not the final connections. And the privacy implication is very low: after all, the ISP can see the final traffic anyway and DNS doesn't exist in a vacuum but is used to contact sites.
On Oct 24, 2025, at 6:35 AM, Ralph Seichter via tor-relays <tor-relays@lists.torproject.org> wrote:
* foreststack@dmc.chat via tor-relays:
This would only work if all nameservers support IPv6, no? I would still need to use IPv4 for the nameservers that don't, which means continuing to pay for the extra IPv4.
Have you considered using dnscrypt-proxy [1] with a couple of their IPv6-capable servers configured as forwarders? No need for your own server to have an Internet-routable IPv4 address in that scenario.
[1] https://github.com/DNSCrypt/dnscrypt-proxy
-Ralph
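
The fallback order suggested in the top reply (local recursive resolver first, the ISP's resolver only when that fails), sketched as an added example that is not part of the thread or of any resolver's code. The resolver addresses are placeholders, and treating a timeout or SERVFAIL as "fails to resolve" while accepting NXDOMAIN as a real answer is an assumption of this sketch.

```python
import secrets
import socket
import struct

SERVFAIL = 2  # RCODE: the resolver itself could not complete the lookup
NXDOMAIN = 3  # RCODE: a real answer (name does not exist); never retried

LOCAL_RESOLVER = "127.0.0.1"  # assumed: recursive resolver on the exit node
ISP_RESOLVER = "192.0.2.53"   # placeholder (documentation range) for the ISP's resolver


def build_query(name, qtype=1):
    """Minimal DNS query: random ID, RD flag set, one question, class IN."""
    header = struct.pack("!HHHHHH", secrets.randbits(16), 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def udp_exchange(server, packet, timeout=3.0):
    """Send one UDP query to server:53 and return the raw reply."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        return sock.recvfrom(4096)[0]


def rcode(reply):
    return struct.unpack("!H", reply[2:4])[0] & 0x000F


def is_usable(query, reply):
    """Reply must echo our transaction ID, be a response (QR=1), and not be SERVFAIL."""
    if len(reply) < 12 or reply[:2] != query[:2] or not reply[2] & 0x80:
        return False
    return rcode(reply) != SERVFAIL


def resolve_with_fallback(name, exchange=udp_exchange):
    """Return (resolver_used, reply); the ISP resolver only sees names the local one failed on."""
    query = build_query(name)
    try:
        reply = exchange(LOCAL_RESOLVER, query)
        if is_usable(query, reply):
            return LOCAL_RESOLVER, reply
    except OSError:  # timeout, refused, unreachable
        pass
    return ISP_RESOLVER, exchange(ISP_RESOLVER, query)
```

Logging which resolver answered each lookup shows how often the fallback path is actually taken on a given exit.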