33 points by rdme 2 hours ago | 4 comments
  • cedws 42 minutes ago
    What’s the selling point of ODoH given the low uptake of ECH which means the name of the server you’re talking to is given away anyway?
    • elp 5 minutes ago
      My, admittedly cynical, view of it is that the main selling point is that you share your data with the person running the ODoH server.

      The truth is that very very few people run their own recursive nameserver. The entirely reasonable assumption for any authoritative nameserver, like .com, is that the query is being asked on behalf of someone else and knowing that a user of your nameserver asked for the ip of sexysheep.com doesn't give them a lot of useful info.

      I think many ISPs actually sell a lot of data from their recursive nameservers, but I'm willing to bet that almost no-one bothers to sniff port 53 udp traffic going elsewhere.

      My vote for the best privacy option is always going to be just run pi-hole with your own recursive nameservers.

      • petcat a few seconds ago
        > your own recursive nameserver

        But then the internet can know that you are the one using your own nameservers and so they can trivially identify your traffic.

        Really you need to use some public resolver with a critical mass of other users in order to have any hope for anonymity. But then of course you have to trust that resolver too.

    • fc417fc802 39 minutes ago
      I'd think that if you've got several leaks then patching one up is still forward progress even if it doesn't deliver a full fix immediately.
    • rdme 33 minutes ago
      They solve different things. ODoH hides your question, not who you're talking to.
      • fc417fc802 15 minutes ago
        Sure ODoH hides your query but you then turn around and leak the question you just asked as part of the TLS handshake.
  • gigatexal 21 minutes ago
    What would it take to get truly anonymous dns? I guess it’s not really possible no?
    • fc417fc802 18 minutes ago
      Why not? Cloudflare makes 1.1.1.1 available over tor although the latency is through the roof and you still need to consider the possibility of fingerprinting the client network stack.
  • rdme an hour ago
    The relay is a systemd unit on a VPS, Caddy for TLS, SSRF-hardened (regex-strict hostnames, no IP literals). eTLD+1 same-operator check rejects relay+target run by the same org by default. HPKE is odoh-rs from Cloudflare

    ```
    cargo install numa

    # set mode = "odoh" in numa.toml
    ```

    Repo: https://github.com/razvandimescu/numa
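An added illustration, not code from numa or from Cloudflare's odoh-rs, of the two defensive checks the post lists: strict hostname validation that refuses IP literals, and the eTLD+1 same-operator rejection. The function names are hypothetical, and the public-suffix table is a constructed stub standing in for the real Public Suffix List.

```rust
use std::net::IpAddr;

// Constructed stub of the Public Suffix List (assumption; a real check needs the full list).
const PUBLIC_SUFFIXES: &[&str] = &["com", "net", "org", "co.uk"];

/// Strict hostname check: lower-case RFC 1123 labels, at least two labels, no IP literal.
pub fn validate_target_host(raw: &str) -> Result<String, String> {
    let host = raw.trim().trim_end_matches('.').to_ascii_lowercase();
    // Reject bare or bracketed IPv4/IPv6 literals before any name-based reasoning.
    let bare = host.trim_start_matches('[').trim_end_matches(']');
    if bare.parse::<IpAddr>().is_ok() {
        return Err(format!("IP literal not allowed: {raw}"));
    }
    if host.is_empty() || host.len() > 253 || !host.contains('.') {
        return Err(format!("hostname shape rejected: {raw}"));
    }
    for label in host.split('.') {
        let ok = !label.is_empty()
            && label.len() <= 63
            && label.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-')
            && !label.starts_with('-')
            && !label.ends_with('-');
        if !ok {
            return Err(format!("bad label {label:?} in {raw}"));
        }
    }
    Ok(host)
}

/// eTLD+1 = longest matching public suffix plus one label; None if the host is itself a suffix.
pub fn etld_plus_one(host: &str) -> Option<String> {
    let labels: Vec<&str> = host.split('.').collect();
    for i in 0..labels.len() {
        if PUBLIC_SUFFIXES.contains(&labels[i..].join(".").as_str()) {
            return if i == 0 { None } else { Some(labels[i - 1..].join(".")) };
        }
    }
    None
}

/// Same-operator check: ODoH only hides the client from the target if relay and
/// target are different parties, so a shared eTLD+1 is rejected by default.
pub fn accept_pair(relay: &str, target: &str) -> Result<(), String> {
    let (r, t) = (validate_target_host(relay)?, validate_target_host(target)?);
    match (etld_plus_one(&r), etld_plus_one(&t)) {
        (Some(a), Some(b)) if a == b => Err(format!("relay and target share operator {a}")),
        (Some(_), Some(_)) => Ok(()),
        _ => Err("could not determine eTLD+1 for relay or target".into()),
    }
}
```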