Show HN: Running the second public ODoH relay
4 hours ago
- #DNS Privacy
- #ODoH Protocol
- #Self-Hosted Infrastructure
- Anonymous DNS via ODoH splits the path so that the ingress proxy sees your IP but not the request, and the egress proxy sees the request but not your IP, enhancing privacy.
- ODoH is implemented in Numa v0.14 with a client, relay, and public deployment in one Rust binary, using HPKE for encryption and not requiring accounts or telemetry.
- The relay includes protections like an SSRF-hardened hostname validator and an eTLD+1 same-operator check to prevent IP and question correlation by a single operator.
- Limitations include the target seeing queries, potential leaks in recursive mode, traffic analysis risks with small relays, centralized pubkey distribution, and DNSSEC being separate.
- The public ODoH ecosystem is expanded with Numa's relay at odoh-relay.numa.rs, joining existing relays, and encouraging more operators to improve anonymity through diversity.