diff --git a/wgengine/netlog/logger.go b/wgengine/netlog/logger.go
index 94f321f97..4233125a9 100644
--- a/wgengine/netlog/logger.go
+++ b/wgengine/netlog/logger.go
@@ -178,8 +178,8 @@ func recordStatistics(logger *logtail.Logger, nodeID tailcfg.StableNodeID, start
 		case srcWithinSubnet || dstWithinSubnet:
 			m.SubnetTraffic = append(m.SubnetTraffic, netlogtype.ConnectionCounts{Connection: conn, Counts: cnts})
 		default:
-			const anonymize = false
-			if anonymize {
+			const anonymize = true
+			if anonymize && !enableExitDstFlowLogs {
 				// Only preserve the address if it is a Tailscale IP address.
 				srcOrig, dstOrig := conn.Src, conn.Dst
 				conn = netlogtype.Connection{} // scrub everything by default