diff --git a/other/bootstrap_daemon/docker/tox-bootstrapd.sha256 b/other/bootstrap_daemon/docker/tox-bootstrapd.sha256
index e1c6b342..396bc2c2 100644
--- a/other/bootstrap_daemon/docker/tox-bootstrapd.sha256
+++ b/other/bootstrap_daemon/docker/tox-bootstrapd.sha256
@@ -1 +1 @@
-a12aa241a079e5f014a6689e48905a5a32c2fd455676cad431773908bda9245c /usr/local/bin/tox-bootstrapd
+f20ba5a6917e5faee9a2a6439b448d3ced7cd177ba666ff1804882f494ea7b90 /usr/local/bin/tox-bootstrapd
diff --git a/toxcore/DHT.c b/toxcore/DHT.c
index 60d0a695..8aa16110 100644
--- a/toxcore/DHT.c
+++ b/toxcore/DHT.c
@@ -2589,6 +2589,9 @@ static uint16_t list_nodes(const Random *rng, const Client_data *list, size_t le
 }
 /** @brief Put up to max_num nodes in nodes from the random friends.
+ *
+ * Important: this function relies on the first two DHT friends *not* being real
+ * friends to avoid leaking information about real friends into the onion paths.
 *
 * @return the number of nodes.
 */
@@ -2598,12 +2601,14 @@ uint16_t randfriends_nodes(const DHT *dht, Node_format *nodes, uint16_t max_num)
 return 0;
 }
- assert(dht->num_friends >= DHT_FAKE_FRIEND_NUMBER);
- const uint32_t r = random_range_u32(dht->rng, dht->num_friends - DHT_FAKE_FRIEND_NUMBER);
 uint16_t count = 0;
+ const uint32_t r = random_u32(dht->rng);
- for (uint32_t i = 0; i < DHT_FAKE_FRIEND_NUMBER && i < dht->num_friends; ++i) {
- count += list_nodes(dht->rng, dht->friends_list[r + i].client_list,
+ assert(DHT_FAKE_FRIEND_NUMBER <= dht->num_friends);
+
+ // Only gather nodes from the initial 2 fake friends.
+ for (uint32_t i = 0; i < DHT_FAKE_FRIEND_NUMBER; ++i) {
+ count += list_nodes(dht->rng, dht->friends_list[(i + r) % DHT_FAKE_FRIEND_NUMBER].client_list,
 MAX_FRIEND_CLIENTS, dht->cur_time,
 nodes + count, max_num - count);
diff --git a/toxcore/DHT.h b/toxcore/DHT.h
index 0109ed1b..34ecf9dd 100644
--- a/toxcore/DHT.h
+++ b/toxcore/DHT.h
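Review bot: The added doc paragraph on randfriends_nodes says "the first two DHT friends", hard-coding a count that the code expresses as `DHT_FAKE_FRIEND_NUMBER`. The same wording is repeated in the DHT.h hunk, and the inline comment `// Only gather nodes from the initial 2 fake friends.` in the next hunk does the same. Because this is the invariant that keeps real friends out of the onion paths, I would name the constant and the slots it covers, e.g. `Important: friends_list[0 .. DHT_FAKE_FRIEND_NUMBER - 1] must be the fake friends, never real ones.` Where the fake friends are inserted is not visible in this diff, so the comment should also point to the code that guarantees that ordering.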
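Review bot: The only guard on the `friends_list` index in the new loop is `assert(DHT_FAKE_FRIEND_NUMBER <= dht->num_friends);`, and the commit drops the old loop's runtime condition `i < dht->num_friends`. Assuming this is the standard assert, it is compiled out under NDEBUG, so a list holding fewer than DHT_FAKE_FRIEND_NUMBER entries would presumably be read past its end in a release build. I would keep a runtime check next to the assert, `if (dht->num_friends < DHT_FAKE_FRIEND_NUMBER) { return 0; }`, or restore `&& i < dht->num_friends` in the loop condition. The function body starts and ends outside this hunk, so an earlier check may exist that is not shown here.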
@@ -410,6 +410,9 @@ int get_close_nodes(const DHT *dht, const uint8_t *public_key, Node_format *node
 /** @brief Put up to max_num nodes in nodes from the random friends.
+ *
+ * Important: this function relies on the first two DHT friends *not* being real
+ * friends to avoid leaking information about real friends into the onion paths.
 *
 * @return the number of nodes.
 */