TL;DR

Numa has deployed the second public ODoH relay, expanding privacy options for users seeking anonymous DNS queries. The relay operates independently, using cryptographic protocols to protect user identity and query content.

Numa has deployed the second publicly accessible ODoH relay, marking a significant step in expanding privacy-preserving DNS infrastructure. This relay operates independently, using cryptographic protocols to anonymize DNS queries, and is now available for public use. The development matters because it increases options for users seeking to prevent query correlation and improve DNS privacy.

The relay, named odoh-relay.numa.rs, runs in a Docker environment on a Hetzner VPS with Caddy handling TLS termination. It is configured as an independent operator, paired with the well-known Cloudflare ODoH endpoint odoh.cloudflare-dns.com, ensuring the two do not share an eTLD+1; that operator separation is what the privacy guarantees of ODoH (Oblivious DNS over HTTPS) rest on.

Queries pass through the relay encrypted with HPKE (RFC 9180), the same primitive that TLS Encrypted ClientHello builds on, so the relay sees the client’s IP address but only ciphertext, never the query content. The target DNS resolver, such as Cloudflare, decrypts and answers the question but sees only the relay, not the client’s IP address.

Building the relay involved developing a Rust binary that includes an ODoH client, relay, and deployment configuration. Specific challenges included implementing SSRF-hardened hostname validation and enforcing operator separation via eTLD+1 checks to prevent malicious collusion. The relay is accessible via POST /relay and health checks via GET /health, with default configuration pairing it with Cloudflare’s DNS resolver.
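The two checks named above, as an added illustration in Rust that is not code from the Numa project: a longest-suffix eTLD+1 comparison for operator separation, and a syntactic SSRF guard for the configured target hostname. The abbreviated suffix list and the function names are assumptions; a real deployment would load the full Public Suffix List and also re-check the addresses the target name resolves to.

```rust
use std::net::IpAddr;

// Constructed, abbreviated public-suffix list; a real deployment would load the full PSL.
const PUBLIC_SUFFIXES: &[&str] = &["com", "net", "rs", "app", "edgecompute.app", "co.uk"];

/// Registrable domain (eTLD+1) of a hostname, using the longest matching public suffix.
pub fn etld_plus_one(host: &str) -> Option<String> {
    let host = host.trim_end_matches('.').to_ascii_lowercase();
    let labels: Vec<&str> = host.split('.').collect();
    // Longest suffix matching the tail that still leaves at least one label in front of it.
    let n = (1..labels.len())
        .rev()
        .find(|&n| PUBLIC_SUFFIXES.contains(&labels[labels.len() - n..].join(".").as_str()))?;
    Some(labels[labels.len() - n - 1..].join("."))
}

/// Syntactic SSRF guard for a configured target: refuse IP literals and internal-looking
/// names and require a well-formed fully qualified hostname (resolved-address checks not included).
pub fn validate_target_host(host: &str) -> Result<(), &'static str> {
    let h = host.trim_end_matches('.').to_ascii_lowercase();
    if h.is_empty() || h.len() > 253 {
        return Err("bad length");
    }
    // Literals such as "127.0.0.1" or "[::1]" would sidestep any name-based policy.
    if h.trim_matches(|c: char| c == '[' || c == ']').parse::<IpAddr>().is_ok() {
        return Err("ip literal not allowed");
    }
    if h == "localhost" || [".localhost", ".local", ".internal"].iter().any(|s| h.ends_with(*s)) {
        return Err("internal name not allowed");
    }
    if !h.contains('.') {
        return Err("not a fully qualified name");
    }
    for label in h.split('.') {
        // LDH rule: letters, digits and hyphens only, no leading or trailing hyphen.
        let ldh = label.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-');
        if label.is_empty() || label.len() > 63 || !ldh || label.starts_with('-') || label.ends_with('-') {
            return Err("invalid label");
        }
    }
    Ok(())
}

/// Operator separation: relay and target must not share an eTLD+1.
pub fn operators_separate(relay: &str, target: &str) -> bool {
    match (etld_plus_one(relay), etld_plus_one(target)) {
        (Some(r), Some(t)) => r != t,
        _ => false,
    }
}
```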

Why It Matters

This development enhances privacy options for users who self-host DNS or rely on privacy-focused relays. By deploying a second independent relay, Numa demonstrates the feasibility of decentralized, cryptographically protected DNS queries, reducing the risk of query correlation and traffic analysis. However, it does not eliminate trust in the target resolver, which can still log queries; ODoH primarily shifts trust rather than abolishing it.

The expansion of public relays contributes to a broader ecosystem where users can choose multiple independent relays, increasing the overall resilience and privacy of DNS queries. It also underscores ongoing efforts to improve DNS privacy without requiring accounts, telemetry, or platform lock-in, contrasting with other privacy tools like Apple’s iCloud Private Relay.

Background

Prior to this deployment, the most prominent public ODoH relay was operated by Frank Denis at odoh-relay.edgecompute.app. Numa’s previous efforts included a client and relay in a single binary, with the first public relay at odoh.cloudflare-dns.com. The ecosystem has been gradually evolving, with increased focus on cryptographic protections and operational security.

Ongoing developments in DNS privacy emphasize cryptographic protocols like HPKE and the importance of operator separation to prevent collusion. The deployment of multiple public relays aims to strengthen privacy guarantees by diversifying operator control and reducing the potential for traffic analysis.

“Deploying this second public relay demonstrates that independent, cryptographically protected DNS privacy infrastructure is feasible and scalable.”

— Numa project maintainer

“Implementing robust hostname validation and operator separation was essential to prevent SSRF attacks and collusion, ensuring the relay’s privacy guarantees hold.”

— Security engineer involved in relay development

What Remains Unclear

It remains unclear how widely adopted the new relay will become or how it will perform under high query volumes. The overall security depends on the trustworthiness of the target resolver and the cryptographic primitives used. The potential for traffic analysis at small relays persists, especially if user volume remains low. Additionally, the distribution of target keys via WebPKI is still a work in progress, which could impact trust assumptions.

What’s Next

Next steps include monitoring the relay’s operational stability and adoption rates. Developers plan to enhance key distribution mechanisms and possibly introduce more relays operated by diverse organizations to strengthen the ecosystem’s resilience. Further research into traffic analysis mitigation and integration with DNSSEC is also anticipated.

Key Questions

What is an ODoH relay, and why is it important?

An ODoH relay forwards DNS queries that the client has encrypted, so that neither the relay nor the target knows both your IP address and the query content, thereby enhancing privacy. It is important because it reduces the risk of query correlation and traffic analysis.

How does the new relay differ from existing ones?

The new relay is operated independently, with a focus on operator separation and cryptographic protections. It is the second public relay in the ecosystem, expanding options for users seeking privacy.

Does ODoH eliminate all DNS privacy risks?

No. While it encrypts queries between client and target, the target can still log queries, and traffic analysis remains possible at relays with low volume. It shifts trust but does not eliminate all risks.

Can I start using the new relay now?

Yes, the relay is publicly accessible and can be configured in DNS clients that support ODoH. Users should verify compatibility and follow deployment instructions.