--- title: "mix-dns reference & security" description: "Configure the DNS resolver used by mix-dns, and what the resolver sees through the IPR exit." schemaType: "TechArticle" section: "Developers" lastUpdated: "2026-06-09" --- import { Callout } from 'nextra/components' # Reference & security ## Configuration The DNS resolver is configured at tunnel setup, not per-call. Pass the resolver in `setupMixTunnel`: ```ts await setupMixTunnel({ // Set the resolver explicitly. Defaults are 8.8.8.8:53 primary and // 1.1.1.1:53 fallback. Both fields take a `host:port` socket address; // fallbackDns is used if the primary fails to respond. primaryDns: '8.8.8.8:53', fallbackDns: '1.1.1.1:53', }); ``` The full options surface is documented under [`SetupMixTunnelOpts`](/developers/mix-tunnel/api/interfaces/SetupMixTunnelOpts). ## Security model `mix-dns` follows the shared [mixnet exit security model](/developers/concepts/exit-security). The transport-specific exposure: at the IPR exit the query leaves as a plain UDP DNS request to the resolver, so the resolver sees the queried hostname and the IPR's IP, never yours. There is no TLS to terminate; the query and response are plaintext on the IPR-to-resolver leg. At the resolver the query is plaintext UDP. The resolver can read the hostname you are looking up, while the mixnet keeps it from learning who you are. Choosing `8.8.8.8` vs `1.1.1.1` only changes which third party sees the queries; both see them coming from the IPR. To remove the resolver from your trust set, pick one you already trust, or layer DNS-over-HTTPS via `mixFetch` to a DoH endpoint instead of `mixDNS`.