A look at the traffic originating from my Tor Exit relays
Have you ever wondered which clearnet web domains (as in not onions) are the most popular among users of The Onion Router project (Tor)? Is there any evidence to support the popular mainstream opinion that Tor is predominantly used by people with malicious and criminal intent? To add some spice to this question in 2026, I’ve aggregated non-identifiable data based on DNS queries made by my five Tor exit relays.
Disclaimer
This article does not pretend to be based on any scientific research, and the sample data is too small to provide any real value. I am also guilty of overstating the value of DNS logs when it comes to understanding traffic from Tor users. Only non-identifiable data has been used, and there are no attempts to perform any correlation with specific users or exit nodes.
Available data
- Exit relays: 5
- Log period: 1 week
- Aggregated log files: 5
- Total lines parsed: 60159688
An Unbound DNS server showing DNS queries from a Tor Exit Relay.
Classifying, extracting, and accumulating
All my Tor Exit relays use the Unbound DNS server. I have a mix of FreeBSD and Linux-based relays. I’ve made a Python script to parse the aggregated Ubound logs to identify and classify the data down to registrable domains and suffixes in a few steps.
Here is the gist of it.
Step one: Classify
- WEB: Normal lookups
- RDNS/PTR: Reverse DNS / PTR
- IP-ISH: forward lookups where the hostname encodes an IP address
Step two: Normalize, extract, and discard
Extracting the registrable domains (eTLD+1) sounded like an easy task, but later, I realized that my increasingly growing list of regular expressions was not up to the task. My thanks to John Kurkowski for providing tldextract: A Python library to parse URLs.
The result
After discarding enumerated queries and malformed/unwanted patterns from the logs, we’re left with the following:
| Class | Count | Share |
|---|---|---|
| WEB | 22192644 | 98.818% |
| IP-ISH | 249316 | 1.110% |
| RDNS/PTR | 16224 | 0.072% |
| Total | 22458184 | 100.000% |
The top lists.
Finally, it’s time to break it all down. Let’s find out what the majority of Tor users are doing on the Internet.
Hackers (1995). Just because this article needed a cool image :)
Top 25 - Most popular domains
The moment of truth, unfiltered.
| # | Registrable domain | Count | Category |
|---|---|---|---|
| 1 | digitaloceanspaces.com | 881207 | Cloud storage / object storage |
| 2 | amazonaws.com | 568758 | Cloud infrastructure |
| 3 | googlevideo.com | 467369 | Video CDN / streaming |
| 4 | fbcdn.net | 271484 | CDN / static content |
| 5 | google.com | 130091 | Search / web services |
| 6 | googleapis.com | 103697 | API platform |
| 7 | adsco.re | 95874 | Advertising / redirects |
| 8 | REDACTED | 91342 | Adult content / video CDN |
| 9 | blogspot.com | 90937 | Blogging / publishing |
| 10 | REDACTED | 84911 | Adult content / video CDN |
| 11 | REDACTED | 82825 | Adult content / media sharing |
| 12 | cloudfront.net | 82121 | CDN |
| 13 | tiktokcdn.com | 60569 | CDN / media delivery |
| 14 | googlesyndication.com | 57701 | Advertising / ad-serving |
| 15 | tiktokv.com | 55131 | Video delivery / backend |
| 16 | apple.com | 51101 | Technology / official site |
| 17 | REDACTED | 49051 | Adult content / video CDN |
| 18 | gvt1.com | 48721 | CDN / cache / updates |
| 19 | REDACTED | 42730 | Adult content / video CDN |
| 20 | amazon-adsystem.com | 41343 | Advertising / tracking |
| 21 | doubleclick.net | 39803 | Advertising / tracking |
| 22 | REDACTED | 39792 | Adult content / video CDN |
| 23 | cdninstagram.com | 38169 | CDN / media delivery |
| 24 | outlook.com | 36901 | Email / webmail |
| 25 | microsoft.com | 36735 | Technology / official site |
To the surprise of no one, the Internet is currently being overrun by big tech and the advertising industry. The most surprising result in this list, as far as I’m concerned, is that Blogspot is still alive. And DigitalOcean is (apparently) a big player in the realm of object storage.
If we just focus on regular domains that users visit directly, we get a slightly different list.
Top 25 - Most popular regular domains
| # | Registrable domain | Count | Category |
|---|---|---|---|
| 1 | google.com | 130091 | Search / web services |
| 2 | blogspot.com | 90937 | Blogging / publishing |
| 3 | apple.com | 51101 | Technology / official site |
| 4 | outlook.com | 36901 | Email / webmail |
| 5 | microsoft.com | 36735 | Technology / official site |
| 6 | amazon.com | 36169 | E-commerce |
| 7 | facebook.com | 31662 | Social media |
| 8 | ipleak.net | 31348 | Security / testing |
| 9 | sblo.jp | 31324 | Blogging / publishing |
| 10 | reddit.com | 26889 | Forum / social news |
| 11 | naver.com | 26299 | Portal / search |
| 12 | trezor.io | 25623 | Crypto hardware wallet |
| 13 | ask.com | 21820 | Search / web portal |
| 14 | mozilla.net | 21782 | Software / services |
| 15 | squarespace.com | 20862 | Website builder |
| 16 | yahoo.com | 19915 | Portal / email / news |
| 17 | torproject.org | 19785 | Privacy / nonprofit |
| 18 | tumblr.com | 18621 | Blogging / social |
| 19 | wordpress.com | 18515 | Blogging / publishing |
| 20 | yandex.ru | 17417 | Portal / search |
| 21 | roblox.com | 17006 | Gaming |
| 22 | instagram.com | 16659 | Social media |
| 23 | twitter.com | 16408 | Social media |
| 24 | youtube.com | 15513 | Video / streaming |
| 25 | live.com | 15161 | Email / web portal |
Speaking of Blogspot, I’ve looked at the list of subdomains, and as far as I can see, it’s all just regular blogs by everyday people. The most popular one belongs to a techno artist promoting his music.
Other interesting findings
DNS queries seem like a more reliable indication of the popularity of your favorite Linux distro than Distrowatch’s infamous ranking.
Top 10 - Most popular GNU/Linux distributions
| # | Distro | Registrable domain | DNS rank |
|---|---|---|---|
| 1 | Ubuntu | ubuntu.com | 349 |
| 2 | Debian | debian.org | 606 |
| 3 | Tails | tails.net | 1104 |
| 4 | Qubes OS | qubes-os.org | 1680 |
| 5 | Arch Linux | archlinux.org | 3032 |
| 6 | Fedora | fedoraproject.org | 3239 |
| 7 | Oracle Linux | oracle.com | 5859 |
| 8 | Gentoo | gentoo.org | 7445 |
| 9 | Manjaro | manjaro.org | 7599 |
| 10 | Red Hat (RHEL) | redhat.com | 8176 |
Quite the difference from Distrowatch’s top 10. In fact, a few of the top 10 distributions from Distrowatch’s list had zero DNS requests.
FQDN / subdomains
I won’t be publishing this information in detail, as some companies seem to believe that DNS zone files are hidden or somehow secret information. Alas, there is no need to guard the server on the other end of the pointer. Deploy and forget, I guess, the benefits of automation.
However, I’ll make one exception to this rule. Apple has a few peculiar ones, including pancake.apple[.]com and swallow.apple[.]com.
Additionally, the poor and starving children forced to assemble your next iPhone in a faraway country are sending Morse signals from captive.apple[.]com. Mean-spirited geo-political jokes aside, this record was probably coming from Tim Cook himself, being held captive and forced to watch the Melanie premiere from inside the White House.
Logs on Tor Exit relays?
You should always have a “no logging” policy on Tor relays!
This seems entirely reasonable if you’ve never hosted servers. Tor relays (like anything else available on the Internet) are constantly under attack, and without any logs, you’re just fumbling through the dark.
