Show HN: Running the second public ODoH relay

TL;DR

Numa has launched the second public ODoH relay, giving clients a second, independently operated hop through which to send encrypted DNS queries. This widens what has been a very small ecosystem of oblivious DNS relays, but the protocol's limitations remain.

Numa has launched the second public Oblivious DNS over HTTPS (ODoH) relay, a meaningful step toward decentralized, anonymous DNS querying. The relay exists to improve user privacy by preventing any single operator from seeing both the content of a query and the client IP address, which a traditional DNS resolver or a DNS-over-HTTPS resolver always does.

The new relay, hosted at odoh-relay.numa.rs, is publicly reachable and runs as a Docker container on a Hetzner VPS, with Caddy terminating TLS. It works with the Numa ODoH client, which slots into existing DNS forwarding pipelines. The relay strictly validates the target hostname a client asks it to forward to, so it cannot be abused as an SSRF proxy, and it forwards only to targets run by organizations other than Numa, since ODoH's privacy guarantee depends on the relay and the target not being operated by the same party. Clients encrypt each query to the target's HPKE public key; the relay sees only ciphertext plus the client's IP address, and the target decrypts the question without learning which client sent it.
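As an added illustration of the hostname validation mentioned above (example code written for this page, not Numa's relay implementation): a relay-side check of the targethost and targetpath parameters with which, per RFC 9230, the client tells the relay where to forward. The allowlist, the operator names and the hostname odoh-target.numa.rs are assumptions made up for this illustration.

```python
"""Constructed example (not Numa's relay code): how an ODoH relay can validate the
target a client names before forwarding, so it does not become an open SSRF proxy.
RFC 9230 has the client put the target in the relay URI's query string as
?targethost=<host>&targetpath=<path>. Allowlist entries and operator names are assumed."""
import re
from urllib.parse import parse_qs, urlsplit

ODOH_MEDIA_TYPE = "application/oblivious-dns-message"  # media type defined by RFC 9230
RELAY_OPERATOR = "Numa"  # assumed: the relay must not forward to its own operator's targets

# Hypothetical allowlist of targets and who runs them (values are assumptions).
TARGET_ALLOWLIST = {
    "odoh.cloudflare-dns.com": "Cloudflare",
    "odoh.example.net": "Example Target Org",
    "odoh-target.numa.rs": "Numa",  # made-up name: same operator as the relay, must be refused
}

# A plain DNS hostname only: no scheme, userinfo, port, IP literal or bracketed IPv6.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def forward_decision(request_uri: str, content_type: str) -> tuple:
    """Return ("forward", https_url) or ("reject", reason) for one relay request."""
    if content_type.split(";", 1)[0].strip().lower() != ODOH_MEDIA_TYPE:
        return ("reject", "unsupported media type")

    params = parse_qs(urlsplit(request_uri).query, keep_blank_values=True)
    hosts, paths = params.get("targethost", []), params.get("targetpath", [])
    if len(hosts) != 1 or len(paths) != 1:
        return ("reject", "exactly one targethost and one targetpath are required")

    host = hosts[0].strip().rstrip(".").lower()
    path = paths[0]
    # Syntax first: "127.0.0.1", "[::1]", "host:8080" or "user@host" are all ways
    # to steer a naive forwarder at something other than a public ODoH target.
    if not _HOSTNAME_RE.match(host):
        return ("reject", "targethost is not a plain DNS hostname")
    # One absolute path, no query, fragment, backslash or scheme-relative "//" trick,
    # and no dot-dot segments that could escape the target's ODoH endpoint.
    if not path.startswith("/") or path.startswith("//") or any(c in path for c in "?#\\"):
        return ("reject", "targetpath must be a single absolute path")
    if ".." in path.split("/"):
        return ("reject", "targetpath must not contain dot-dot segments")

    # Policy: only known targets, and never one run by the relay's own operator,
    # because one party seeing both client IP and query defeats the point of ODoH.
    operator = TARGET_ALLOWLIST.get(host)
    if operator is None:
        return ("reject", "target is not on the relay's allowlist")
    if operator == RELAY_OPERATOR:
        return ("reject", "target is run by the relay operator")

    return ("forward", f"https://{host}{path}")
```

The exact-match allowlist does most of the work; the syntactic checks in front of it exist so that a later, looser policy (for example a suffix match) does not quietly reopen the SSRF hole.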

Built on the odoh-rs library for its cryptographic operations, the relay requires no user accounts and collects no telemetry. It is packaged the same way as the client binary, which keeps deployment and maintenance simple. It is configured to forward to established target operators such as Cloudflare, and a dedicated probe script exercises the relay end to end to check the health of the targets it reaches.

Why It Matters

The deployment of a second public ODoH relay enhances the resilience and privacy of DNS queries, reducing reliance on single operators and increasing options for users seeking anonymous DNS resolution. It demonstrates progress toward decentralized, cryptographically protected DNS infrastructure, which could mitigate surveillance and traffic analysis risks associated with traditional DNS and DNS-over-HTTPS services.

However, ODoH does not remove the need to trust the target operator, who still sees each question in plaintext (just not who asked it). Traffic analysis remains a risk, especially on a small relay with low query volume, where correlating the timing of inbound client connections with outbound target requests is easier; a busier relay gives each user a larger anonymity set. Clients also fetch a target's public key configuration over HTTPS, so key distribution rests on the WebPKI, a trust assumption the protocol itself does not address.


Background

ODoH (RFC 9230) is an IETF protocol that improves DNS privacy by encrypting each query end to end between the client and the target resolver with HPKE (RFC 9180) and routing it through a relay, which sees only ciphertext and the client's IP address. Before this deployment, the ecosystem had only one well-known public relay, operated by Frank Denis at odoh-relay.edgecompute.app. Numa's deployment adds a second, aiming to diversify the infrastructure and give users and self-hosters more options. The project leverages open-source tooling such as odoh-rs for the cryptographic operations.
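To make concrete what "the relay sees only ciphertext" means, here is an added example (not code from Numa or from odoh-rs) that serializes and parses the two RFC 9230 wire structures, ObliviousDoHConfigs and ObliviousDoHMessage, and derives the key identifier a message carries. The public key and ciphertext bytes are made up; a real client would produce the ciphertext with HPKE, which this example does not implement.

```python
"""Constructed example (not Numa or odoh-rs code): the RFC 9230 wire formats as a relay
and a target each see them. Sample key and ciphertext bytes are made up; no HPKE is run."""
import hashlib
import hmac
import struct
from typing import NamedTuple

ODOH_VERSION = 0x0001            # ObliviousDoHConfig.version defined by RFC 9230
KEM_X25519_HKDF_SHA256 = 0x0020  # HPKE (RFC 9180) identifiers commonly used by targets
KDF_HKDF_SHA256 = 0x0001
AEAD_AES_128_GCM = 0x0001
MSG_QUERY, MSG_RESPONSE = 0x01, 0x02


class ConfigContents(NamedTuple):
    kem_id: int
    kdf_id: int
    aead_id: int
    public_key: bytes


class Message(NamedTuple):
    message_type: int
    key_id: bytes
    encrypted_message: bytes


def opaque16(data: bytes) -> bytes:
    """TLS-style opaque<0..2^16-1>: two-byte big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def read_opaque16(buf: bytes, off: int) -> tuple:
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("truncated opaque<0..2^16-1>")
    return buf[off:off + n], off + n


def serialize_contents(c: ConfigContents) -> bytes:
    """ObliviousDoHConfigContents: kem_id, kdf_id, aead_id, opaque public_key<1..2^16-1>."""
    return struct.pack(">HHH", c.kem_id, c.kdf_id, c.aead_id) + opaque16(c.public_key)


def serialize_configs(contents_list: list) -> bytes:
    """ObliviousDoHConfigs: opaque16 list of {version, length, contents} records."""
    body = b"".join(struct.pack(">HH", ODOH_VERSION, len(s)) + s
                    for s in map(serialize_contents, contents_list))
    return opaque16(body)


def parse_configs(blob: bytes) -> list:
    """Return the version-1 configs, skipping records whose version is unknown."""
    body, end = read_opaque16(blob, 0)
    if end != len(blob):
        raise ValueError("trailing bytes after ObliviousDoHConfigs")
    out, off = [], 0
    while off < len(body):
        version, length = struct.unpack_from(">HH", body, off)
        off += 4
        contents = body[off:off + length]
        if len(contents) != length:
            raise ValueError("truncated ObliviousDoHConfig")
        off += length
        if version != ODOH_VERSION:
            continue
        kem, kdf, aead = struct.unpack_from(">HHH", contents, 0)
        pk, pk_end = read_opaque16(contents, 6)
        if pk_end != length or not pk:
            raise ValueError("malformed ObliviousDoHConfigContents")
        out.append(ConfigContents(kem, kdf, aead, pk))
    return out


def key_id(c: ConfigContents) -> bytes:
    """RFC 9230 KeyID = Expand(Extract("", contents), "odoh key id", Nh); HKDF-SHA256, Nh = 32."""
    prk = hmac.new(b"", serialize_contents(c), hashlib.sha256).digest()      # HKDF-Extract, empty salt
    return hmac.new(prk, b"odoh key id" + b"\x01", hashlib.sha256).digest()  # HKDF-Expand, first block


def frame_message(message_type: int, kid: bytes, ciphertext: bytes) -> bytes:
    """ObliviousDoHMessage: uint8 type, opaque key_id<0..>, opaque encrypted_message<1..>."""
    return bytes([message_type]) + opaque16(kid) + opaque16(ciphertext)


def parse_message(buf: bytes) -> Message:
    if not buf or buf[0] not in (MSG_QUERY, MSG_RESPONSE):
        raise ValueError("unknown message_type")
    kid, off = read_opaque16(buf, 1)
    ct, off = read_opaque16(buf, off)
    if off != len(buf) or not ct:
        raise ValueError("malformed ObliviousDoHMessage")
    return Message(buf[0], kid, ct)


def relay_view(buf: bytes) -> dict:
    """All a relay can learn from a query body: type, key id, ciphertext size. Never the name asked."""
    m = parse_message(buf)
    return {"type": m.message_type, "key_id": m.key_id.hex(), "ciphertext_len": len(m.encrypted_message)}


def target_select_config(buf: bytes, configs: list):
    """Target side: the config whose KeyID matches the message, or None if it cannot decrypt."""
    m = parse_message(buf)
    return next((c for c in configs if key_id(c) == m.key_id), None)
```

The key identifier is derived from the whole config (algorithm identifiers and public key), so a target that has rotated keys can still recognise which key a query was encrypted to; the relay learns only that opaque identifier and the ciphertext length, which is why ODoH pads plaintexts before encryption.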

Earlier DNS privacy protocols such as DNSCrypt and DNS-over-HTTPS encrypt the transport, but the resolver still sees both the query and the client IP address. Apple's iCloud Private Relay takes a comparable two-hop approach but is limited to Apple users and platforms. Numa's initiative is part of a broader movement toward decentralized, cryptographically protected DNS queries, addressing a gap in self-hosted and privacy-focused DNS setups.

“The second public ODoH relay significantly increases the availability of anonymous DNS queries, providing more options for privacy-conscious users.”

— Numa developer

“Using HPKE for encryption in ODoH ensures strong cryptographic guarantees, but operational trust still depends on the target operators not logging queries.”

— Cryptography expert


What Remains Unclear

It remains unclear how widely the new relay will be adopted and whether traffic volume will be sufficient to mitigate timing and correlation attacks. The centralization of key distribution via WebPKI also poses ongoing trust considerations. Additionally, the overall ecosystem’s resilience against traffic analysis and targeted attacks is still being evaluated.


What’s Next

Next steps include increasing the number of relays to improve anonymity sets, developing decentralized key distribution methods, and monitoring real-world usage patterns. Further cryptographic enhancements and community engagement will be essential to strengthen the ecosystem. Numa plans to continue testing, gather user feedback, and potentially add support for additional operators and configurations.


Key Questions

What is ODoH and how does it improve DNS privacy?

ODoH (Oblivious DNS over HTTPS, RFC 9230) encrypts each DNS query to the target resolver's public key and sends it through a relay. The relay sees the client IP address but only ciphertext; the target sees the plaintext question but only the relay's address. No single party sees both the client IP and the query.

Who operates the new relay and how is it secured?

The relay is operated by Numa, hosted on a Hetzner VPS with TLS handled by Caddy. It strictly validates the target hostname it is asked to forward to, and it forwards only to targets run by other organizations, since the privacy guarantee collapses if relay and target are controlled by the same party.

Can this relay be used by anyone?

Yes, the relay is publicly accessible and can be used by any client configured to speak ODoH, including Numa’s client and compatible implementations.

What are the limitations of ODoH currently?

ODoH does not eliminate trust in the target operator, and traffic analysis remains a risk, especially for low-volume relays. Key distribution relies on centralized WebPKI, and cryptographic protections do not prevent the target from logging queries.
