Hacker News

Show HN: Running the second public ODoH relay

37 points by rdme today at 10:44 AM | 15 comments

Every privacy-focused DNS service requires an account: NextDNS, Cloudflare for Families, Apple's iCloud Private Relay (paid, iOS-only). The protocol that doesn’t require one - ODoH - had basically one well-known public relay operator (Frank Denis on Fastly Compute, default in dnscrypt-proxy). I built a second one and the client to talk to it.


Comments

cedws today at 11:35 AM

What’s the selling point of ODoH given the low uptake of ECH which means the name of the server you’re talking to is given away anyway?

gigatexal today at 11:56 AM

What would it take to get truly anonymous dns? I guess it’s not really possible no?

plexescortoday at 12:22 PM

[flagged]

petcat today at 12:09 PM

[dead]

rdme today at 10:50 AM

The relay is a systemd unit on a VPS, Caddy for TLS, SSRF-hardened (regex-strict hostnames, no IP literals). eTLD+1 same-operator check rejects relay+target run by the same org by default. HPKE is odoh-rs from Cloudflare.

```sh
cargo install numa

# set mode = "odoh" in numa.toml
```

Repo: https://github.com/razvandimescu/numa
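The two relay-side checks rdme's comment describes (strict hostnames with no IP literals, and rejecting a relay/target pair under the same eTLD+1) are worth seeing as code, because both are fail-closed decisions a relay has to make before it forwards anything. The Rust below is an added illustration written for this thread, not numa's own code, and it uses only the standard library. The public-suffix table is a constructed five-entry subset (a real relay would load the full Public Suffix List), and every hostname in it is hypothetical.

```rust
use std::net::IpAddr;

/// Constructed subset of the Public Suffix List, used only so the example runs
/// offline. A real relay would load the full list (assumption, not numa's code).
const PUBLIC_SUFFIXES: &[&str] = &["com", "net", "org", "co.uk", "github.io"];

/// Strict hostname validation for a relay's upstream target: the kind of SSRF
/// hardening the comment above describes. Accepts only lowercase LDH labels
/// (letters, digits, hyphen) separated by dots, and rejects anything that could
/// steer the relay at an internal address: IPv4/IPv6 literals (bracketed or
/// not), single-label names such as "localhost", and shorthand numeric forms
/// like "127.1" whose last label is all digits.
pub fn is_valid_hostname(host: &str) -> bool {
    let lowered = host.to_ascii_lowercase();
    let h = lowered.trim_end_matches('.');
    if h.is_empty() || h.len() > 253 {
        return false;
    }
    // Reject IP literals outright; IpAddr parsing covers both address families.
    let unbracketed = h.trim_start_matches('[').trim_end_matches(']');
    if unbracketed.parse::<IpAddr>().is_ok() || h.contains(':') {
        return false;
    }
    let labels: Vec<&str> = h.split('.').collect();
    if labels.len() < 2 {
        return false; // single-label names (localhost, intranet hosts) are not accepted
    }
    // A TLD is never all-numeric; this also catches "127.1"-style shorthands.
    if labels.last().unwrap().bytes().all(|b| b.is_ascii_digit()) {
        return false;
    }
    labels.iter().all(|l| {
        !l.is_empty()
            && l.len() <= 63
            && !l.starts_with('-')
            && !l.ends_with('-')
            && l.bytes().all(|b| b.is_ascii_lowercase() || b.is_ascii_digit() || b == b'-')
    })
}

/// Returns the registrable domain (eTLD+1) of a hostname, or None when the
/// name is itself a public suffix or its suffix is not in the table.
pub fn etld_plus_one(host: &str) -> Option<String> {
    let lowered = host.to_ascii_lowercase();
    let labels: Vec<&str> = lowered.trim_end_matches('.').split('.').collect();
    // Walk from the longest candidate suffix to the shortest so that
    // multi-label suffixes such as "co.uk" win over "uk".
    for i in 0..labels.len() {
        let suffix = labels[i..].join(".");
        if PUBLIC_SUFFIXES.contains(&suffix.as_str()) {
            return if i == 0 { None } else { Some(labels[i - 1..].join(".")) };
        }
    }
    None
}

/// Policy decision for one relay/target pair. Fails closed: an invalid name or
/// an unknown suffix is rejected, and a pair under the same eTLD+1 is rejected
/// because one operator would then see both the client IP and the query.
pub fn check_pair(relay: &str, target: &str) -> Result<(), &'static str> {
    if !is_valid_hostname(relay) {
        return Err("relay hostname rejected");
    }
    if !is_valid_hostname(target) {
        return Err("target hostname rejected");
    }
    match (etld_plus_one(relay), etld_plus_one(target)) {
        (Some(a), Some(b)) if a == b => Err("relay and target share an eTLD+1"),
        (Some(_), Some(_)) => Ok(()),
        _ => Err("unknown public suffix; refusing to assume distinct operators"),
    }
}

fn main() {
    // Hypothetical hostnames, constructed for the example.
    let pairs = [
        ("odoh-relay.example.net", "odoh.example.net"),
        ("odoh-relay.example.net", "odoh.other.org"),
        ("odoh-relay.example.net", "10.0.0.1"),
    ];
    for &(relay, target) in pairs.iter() {
        println!("{} -> {}: {:?}", relay, target, check_pair(relay, target));
    }
}
```

The design choice that matters is the `_ =>` arm in `check_pair`: when the suffix table cannot classify a name, the pair is refused rather than waved through, so a gap in the list never silently turns into a same-operator deployment.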