Looking at this from an information exposure viewpoint, TOR is actually the only type of technology that I think can provide actual anonymity (by making it computationally expensive to track an end user with diligent opsec; which is actually an extremely high bar).
If one node is speaking to another node (packets are routed) then it is known that the user may be speaking to any publicly listed, previously expected to exist there (pub/priv), or plausibly secret services at that location.
If the attacker is able to impersonate the identity (crypto) of the target node or otherwise transparently observe the node's contents then the same can also be said for any data routed through the node.
Given the above I do not see a compelling reason to reserve information about a desired target of contact from that node.
Thus it seems logical to have any name resolution / identity certification system allow delegates for 'middle men' (other crypto IDs) that are authorized to provide termination routing.
With that included in the name resolution / certificate, connecting to a specified node and then asking for the 'named service' over that secured connection should not expose any information that could not already be observed via other systemic weaknesses. If desirable a tunneled session to the end service seems the most likely to be secure, but some method of switching to a still encrypted direct channel to that other service (without any further encryption between the source and middle node) might be useful in the case of load balancing systems.
