@df
[For background, see here]
Can you alter the DeepDNS policies on the exit nodes such that if you query a darknet FQDN from an out-of-tunnel address (including other exits), the result is NXDOMAIN? In other words, if I'm connected to the German node and my query for an Onion address is sent to the Netherlands DeepDNS instance, the result is NXDOMAIN rather than 10.x.x.x.
This would enable us pfSense users to spin up multiple clients and not only load balance between them, but also specify the DeepDNS servers for those exit nodes in System->General Setup->DNS Server Settings. With this in place, queries for darknet TLDs will result in NXDOMAIN until the query hits the right server.
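The policy requested above, modelled as an added example (not part of the original post and not DeepDNS's own code). Exit names, subnets, addresses, the darknet TLD set and the onion name are constructed, and the client is assumed to walk its DNS server list past NXDOMAIN answers.

```python
import ipaddress

# Constructed sample data; exit names, subnets and mappings are assumptions.
DARKNET_TLDS = {"onion", "i2p"}
EXITS = {
    "de": {"public": "192.0.2.10", "tunnel": ipaddress.ip_network("10.66.0.0/16"),
           "darknet": {"examplesite.onion": "10.250.1.5"}},
    "nl": {"public": "198.51.100.20", "tunnel": ipaddress.ip_network("10.77.0.0/16"),
           "darknet": {"examplesite.onion": "10.251.9.9"}},
}

def deepdns_answer(exit_name, src_ip, qname):
    """Proposed policy: darknet names get an address only for in-tunnel sources."""
    exit_cfg = EXITS[exit_name]
    name = qname.rstrip(".").lower()
    if name.rsplit(".", 1)[-1] not in DARKNET_TLDS:
        return ("RECURSE", None)          # ordinary names are unaffected
    if ipaddress.ip_address(src_ip) not in exit_cfg["tunnel"]:
        return ("NXDOMAIN", None)         # other exits and clearnet sources
    addr = exit_cfg["darknet"].get(name)
    return ("NOERROR", addr) if addr else ("NXDOMAIN", None)

def source_seen(server_exit, via_exit, tunnel_ips):
    """Source address the server sees for a query routed through via_exit."""
    if via_exit == server_exit:
        return tunnel_ips[via_exit]       # arrives inside that exit's tunnel
    return EXITS[via_exit]["public"]      # NATed out of a different exit

def resolve(qname, servers, via_exit, tunnel_ips):
    """Try each configured server in order, moving on after NXDOMAIN."""
    for server_exit in servers:
        src = source_seen(server_exit, via_exit, tunnel_ips)
        rcode, addr = deepdns_answer(server_exit, src, qname)
        if rcode != "NXDOMAIN":
            return server_exit, rcode, addr
    return None, "NXDOMAIN", None

if __name__ == "__main__":
    ips = {"de": "10.66.3.7", "nl": "10.77.8.2"}  # constructed client tunnel IPs
    # Query leaves via the German tunnel; the Netherlands server is listed first.
    print(resolve("examplesite.onion", ["nl", "de"], "de", ips))
```

A resolver that treats the first NXDOMAIN as final would stop at the first server in the list, so the fall-through in `resolve` is an assumption to verify against the resolver actually in use.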