by tgragnato 2640 days ago
XMPP is not e2ee: the second server gets your JID (but not your IP, supposing your client doesn't leak it), so you need to trust the servers (1, 2 and the resolver).

Also, you don't get virtual circuits, but the performance should be superior. Tor only supports A, AAAA and PTR; DoX supports every record type.


You can connect to XMPP servers over tor, even host them on .onion addresses.

Also, XMPP has e2e extensions, at least one of which supports encrypting/verifying arbitrary XML [1], so if the resolver supported it, you would only have to trust the resolver. (Also, don't forget about DNSSEC, which can be used to verify DNS responses too.)

[1]: https://xmpp.org/extensions/xep-0373.html

Agreed, the best case is when you have e2ee (which unfortunately is not in core) and DNSSEC.

I must admit to being biased against using DNSSEC alone, because a malicious XMPP server can still inspect and/or modify queries and responses. By self-hosting you mitigate this, but without e2ee the server is still trusted (in the threat model).