Show HN: Running the second public ODoH relay

rrdme about 3 hours ago 17 commentsRead Article on numa.rs

DE version is available. Content is displayed in original English for accuracy.

Every privacy-focused DNS service requires an account: NextDNS, Cloudflare for Families, Apple's iCloud Private Relay (paid, iOS-only). The protocol that doesn’t require one - ODoH - had basically one well-known public relay operator (Frank Denis on Fastly Compute, default in dnscrypt-proxy). I built a second one and the client to talk to it.

⚡ Community Insights

Discussion Sentiment

67% Positive

Analyzed from 580 words in the discussion.

Discussion (17 Comments)Read Original on HackerNews

cedws•about 2 hours ago

What’s the selling point of ODoH given the low uptake of ECH which means the name of the server you’re talking to is given away anyway?

jeroenhd•about 1 hour ago

It means you can use a decently fast DNS server like Cloudflare without the major privacy problems of using Cloudflare. Or DNS4EU, or any non-ISP DNS server really.

Your ISP snooping on you with SNI logging is something people using normal ISPs don't need to worry about, but feeding all your data into a profit-driven company is.

LoganDark•about 1 hour ago

> something people using normal ISPs don't need to worry about

It doesn't matter which ISP you're using if the cables are tapped, which they pretty much are.

UqWBcuFx6NV4r•8 minutes ago

Please don’t be intentionally tone-deaf. “a nation-state can track my shit therefore it’s not with doing” is a silly, silly, silly approach to security, and does not speak to the concerns of the vast majority of even privacy-focused people.

elp•about 2 hours ago

My, admittedly cynical, view of it is that the main selling point is that you share your data with the person running the ODoH server.

The truth is that very very few people run their own recursive nameserver. The entirely reasonable assumption for any authoritative nameserver, like .com, is that the query is being asked on behalf of someone else and knowing that a user of your nameserver asked for the ip of sexysheep.com doesn't give them a lot of useful info.

I'm think many ISPs actually sell a lot of data from their recursive nameservers, but I'm willing to bet that almost no-one bothers to sniff port 53 udp traffic going elsewhere.

My vote for the best privacy option is always going to be just run pi-hole with your own recursive nameservers.

rdme•about 1 hour ago

The relay sees IP + ciphertext, the target sees question + relay's IP. No single party gets both

petcat•about 1 hour ago

What if the relay and target are being operated by the same provider? The relay controls where the question is sent right? They can collude?

petcat•about 1 hour ago

> your own recursive nameserver

But then the internet can know that you are the one using your own resolvers and so they can trivially identify your traffic.

Really you need to use some public resolver with a critical mass of other users in order to have any hope for anonymity. But then of course you have to trust that resolver too.

fc417fc802•about 2 hours ago

I'd think that if you've got several leaks then patching one up is still forward progress even if it doesn't deliver a full fix immediately.

rdme•about 2 hours ago

They solve different things. ODoH hides your question, not who you're talking to.

fc417fc802•about 2 hours ago

Sure ODoH hides your query but you then turn around and leak the question you just asked as part of the TLS handshake.

rdme•about 1 hour ago

I agree with you, however that's a separate problem that needs to be solved

gigatexal•about 2 hours ago

What would it take to get truly anonymous dns? I guess it’s not really possible no?

jeroenhd•about 1 hour ago

You wrap the DNS request in a different layer of encryption than the relay server, so the relay server only knows you tried to resolve something, and the DNS server only knows someone tried to resolve a particular domain. That's how ODoH works.

To make it harder for parties to collude, you need additional encrypted hops, the way Tor does. ODoH doesn't do that, unless you're routing ODoH through Tor of course.

You would also need some kind of proof that the DNS records returned by the resolving DNS server haven't been tampered with, or a tracking DNS server could direct you to one of their IP addresses and proxy the request transparently. Unfortunately, the best solution we have for that is DNSSEC which is a very 90s take on DNS validation. It works fine if you don't abuse DNS in weird ways, but it's due for a redesign.

fc417fc802•about 2 hours ago

Why not? Cloudflare makes 1.1.1.1 available over tor although the latency is through the roof and you still need to consider the possibility of fingerprinting the client network stack.

rdme•about 3 hours ago

The relay is a systemd unit on a VPS, Caddy for TLS, SSRF-hardened (regex-strict hostnames, no IP literals). eTLD+1 same-operator check rejects relay+target run by the same org by default. HPKE is odoh-rs from Cloudflare

``` cargo install numa

# set mode = "odoh" in numa.toml ```

Repo: https://github.com/razvandimescu/numa