Show HN: Running the second public ODoH relay
29 points by rdme 1 hour ago | 3 comments | numa.rs
Every privacy-focused DNS service requires an account: NextDNS, Cloudflare for Families, Apple's iCloud Private Relay (paid, iOS-only). The protocol that doesn’t require one - ODoH - had basically one well-known public relay operator (Frank Denis on Fastly Compute, default in dnscrypt-proxy). I built a second one and the client to talk to it.
cedws
35 minutes ago
What’s the selling point of ODoH given the low uptake of ECH which means the name of the server you’re talking to is given away anyway?
fc417fc802
33 minutes ago
I'd think that if you've got several leaks then patching one up is still forward progress even if it doesn't deliver a full fix immediately.
rdme
27 minutes ago
They solve different things. ODoH hides your question, not who you're talking to.
fc417fc802
9 minutes ago
Sure ODoH hides your query but you then turn around and leak the question you just asked as part of the TLS handshake.
gigatexal
15 minutes ago
What would it take to get truly anonymous dns? I guess it’s not really possible no?
fc417fc802
11 minutes ago
Why not? Cloudflare makes 1.1.1.1 available over tor although the latency is through the roof and you still need to consider the possibility of fingerprinting the client network stack.
rdme
1 hour ago
The relay is a systemd unit on a VPS, Caddy for TLS, SSRF-hardened (regex-strict hostnames, no IP literals). eTLD+1 same-operator check rejects relay+target run by the same org by default. HPKE is odoh-rs from Cloudflare

```
cargo install numa

# set mode = "odoh" in numa.toml
```

Repo: https://github.com/razvandimescu/numa

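The target-validation policy rdme describes above (no IP literals, regex-strict hostnames, reject a target whose eTLD+1 matches the relay's) is the part of an ODoH relay that keeps it from being turned into an SSRF proxy or a single-operator deanonymizer. The following is an added example written for this thread, not numa's code: it implements the three checks with the standard library only. The `PUBLIC_SUFFIXES` table is a constructed stand-in for the real Public Suffix List, and `validate_target`, `Rejection` and the other names are assumptions, not numa's API.

```rust
use std::net::IpAddr;

/// Constructed stand-in for the Public Suffix List. A real relay would load
/// the full PSL; this table is only enough to make the example run offline.
const PUBLIC_SUFFIXES: &[&str] = &["com", "net", "org", "dev", "co.uk"];

/// Reasons a proxied target is refused. Each maps to a distinct HTTP error in practice.
#[derive(Debug, PartialEq, Eq)]
pub enum Rejection {
    IpLiteral,      // "10.0.0.1", "[::1]": blocks hits on internal ranges outright
    BadHostname,    // underscores, single-label names, empty or oversized labels
    UnknownSuffix,  // cannot determine eTLD+1, so fail closed
    SameOperator,   // relay and target share an eTLD+1, i.e. one org sees both hops
}

/// True if the host is an IPv4 or (optionally bracketed) IPv6 literal.
pub fn is_ip_literal(host: &str) -> bool {
    let bare = host.trim_start_matches('[').trim_end_matches(']');
    bare.parse::<IpAddr>().is_ok()
}

/// Strict LDH hostname: 2+ labels, each 1..=63 bytes of [A-Za-z0-9-] with no
/// leading/trailing hyphen, total <= 253 bytes, and an alphabetic last label
/// (which also excludes dotted-decimal forms that slipped past the IP check).
pub fn is_strict_hostname(host: &str) -> bool {
    if host.is_empty() || host.len() > 253 {
        return false;
    }
    let labels: Vec<&str> = host.split('.').collect();
    if labels.len() < 2 {
        return false;
    }
    for label in &labels {
        if label.is_empty() || label.len() > 63 {
            return false;
        }
        if label.starts_with('-') || label.ends_with('-') {
            return false;
        }
        if !label.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-') {
            return false;
        }
    }
    labels.last().unwrap().bytes().all(|b| b.is_ascii_alphabetic())
}

/// Registrable domain (eTLD+1) using the longest matching public suffix.
/// Returns None when no suffix in the table matches, so callers can fail closed.
pub fn etld_plus_one(host: &str) -> Option<String> {
    let lower = host.to_ascii_lowercase();
    let labels: Vec<&str> = lower.split('.').collect();
    let mut best = 0; // number of labels in the longest matching suffix
    for n in 1..labels.len() {
        let suffix = labels[labels.len() - n..].join(".");
        if PUBLIC_SUFFIXES.contains(&suffix.as_str()) {
            best = n;
        }
    }
    if best == 0 {
        return None;
    }
    Some(labels[labels.len() - best - 1..].join("."))
}

/// The relay's gate: run before any outbound connection to the target is opened.
pub fn validate_target(relay_host: &str, target_host: &str) -> Result<(), Rejection> {
    if is_ip_literal(target_host) {
        return Err(Rejection::IpLiteral);
    }
    if !is_strict_hostname(target_host) {
        return Err(Rejection::BadHostname);
    }
    let relay_org = etld_plus_one(relay_host).ok_or(Rejection::UnknownSuffix)?;
    let target_org = etld_plus_one(target_host).ok_or(Rejection::UnknownSuffix)?;
    if relay_org == target_org {
        return Err(Rejection::SameOperator);
    }
    Ok(())
}

fn main() {
    // Constructed sample inputs: one accepted target and one of each rejection.
    let relay = "relay.example.net";
    let targets = ["odoh.target.org", "10.0.0.1", "[::1]", "localhost",
                   "bad_host.org", "other.example.net", "target.unknowntld"];
    for t in targets {
        println!("{:>20} -> {:?}", t, validate_target(relay, t));
    }
}
```

In a real relay the `target_host` value comes from the `targethost` query parameter of the RFC 9230 proxy request, and the check belongs before DNS resolution of that name, not after. Failing closed on an unknown suffix is deliberate: a relay that cannot tell whether it shares an operator with the target should not forward.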