Show HN: Running the second public ODoH relay

TL;DR

Numa has launched the second publicly operated ODoH relay, giving users another way to resolve DNS without the resolver learning who is asking. The relay is operational and the ecosystem is growing, but known limitations remain: ODoH does not defeat traffic analysis, and clients still depend on the target to distribute its public key.

Numa has launched the second publicly accessible ODoH relay, expanding the options for users who want DNS resolution that separates their IP address from their queries without signing up for an account-based service.

The relay, hosted at odoh-relay.numa.rs, runs in a Docker container on a Hetzner VPS, with Caddy terminating TLS. It forwards queries to Cloudflare's public ODoH target at odoh.cloudflare-dns.com; relay and target are run by unrelated operators, which is the condition the ODoH privacy guarantee rests on, since a single party running both could join a client's IP address to its queries. The relay enforces strict hostname validation (RFC 1035 hostname syntax) and operator separation checked at the eTLD+1 (registrable domain) level, so that it will not forward to a target under its own operator's domain. The deployment is a custom Rust binary that bundles an ODoH client, the relay, and a health-check endpoint, which keeps self-hosting simple for privacy-conscious users. ODoH encrypts each DNS query end to end between client and target and hides the client's IP address from the target, but it does not remove every privacy risk: the relay still sees client IP addresses and message timing, and the target's public key is still distributed centrally by the target. The ecosystem now has two public relays, and both are being monitored for performance and security posture.
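The two checks described above, hostname validation and operator separation, are the policy a relay applies to the requested target before it forwards anything. The following is an added example written for this page, not Numa's code: it uses a toy public-suffix table (an assumption; a real relay would load the full Public Suffix List) and adds a target allowlist, which the post does not mention but which keeps the relay from becoming an open forwarder. The relay and target hostnames are the ones named in the post; everything else is constructed.

```rust
// Added example (not Numa's code): the target-policy check an ODoH relay can run
// before forwarding a query. The public-suffix table is a constructed stand-in.
use std::collections::HashSet;

/// Toy stand-in for the Public Suffix List (assumption, not the real list).
const PUBLIC_SUFFIXES: &[&str] = &["com", "net", "org", "rs", "app", "co.uk", "edgecompute.app"];

/// RFC 1035 hostname syntax: labels of 1..=63 letters, digits and hyphens with
/// no leading or trailing hyphen, at most 253 characters overall, and at least
/// two labels so a bare TLD is never accepted as a target.
pub fn is_valid_hostname(host: &str) -> bool {
    let host = host.strip_suffix('.').unwrap_or(host);
    if host.is_empty() || host.len() > 253 {
        return false;
    }
    let labels: Vec<&str> = host.split('.').collect();
    labels.len() >= 2
        && labels.iter().all(|l| {
            !l.is_empty()
                && l.len() <= 63
                && l.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-')
                && !l.starts_with('-')
                && !l.ends_with('-')
        })
}

/// Registrable domain (eTLD+1): the longest matching public suffix plus one
/// label. Returns None when the host is itself a public suffix.
pub fn etld_plus_one(host: &str) -> Option<String> {
    let host = host.strip_suffix('.').unwrap_or(host).to_ascii_lowercase();
    let labels: Vec<&str> = host.split('.').collect();
    // Walking from the whole name down to the last label finds the longest suffix first.
    let i = (0..labels.len())
        .find(|&i| PUBLIC_SUFFIXES.contains(&labels[i..].join(".").as_str()))?;
    if i == 0 {
        return None;
    }
    Some(labels[i - 1..].join("."))
}

/// Policy applied to the requested target before the relay forwards anything:
/// syntax check, operator separation (relay and target must not share an
/// eTLD+1, otherwise one operator would see both client IP and query), and an
/// allowlist (assumption: the post does not say whether Numa's relay has one).
pub fn check_target(
    relay_host: &str,
    allowed_targets: &HashSet<&str>,
    target_host: &str,
) -> Result<(), &'static str> {
    if !is_valid_hostname(target_host) {
        return Err("malformed target hostname");
    }
    let target = target_host.to_ascii_lowercase();
    let relay_domain = etld_plus_one(relay_host).ok_or("relay host has no registrable domain")?;
    let target_domain = etld_plus_one(&target).ok_or("target host has no registrable domain")?;
    if relay_domain == target_domain {
        return Err("relay and target share a registrable domain");
    }
    if !allowed_targets.contains(target.as_str()) {
        return Err("target not in allowlist");
    }
    Ok(())
}

fn main() {
    let allowed: HashSet<&str> = HashSet::from(["odoh.cloudflare-dns.com"]);
    for t in ["odoh.cloudflare-dns.com", "target.numa.rs", "-bad.example.com", "evil.example.org"] {
        println!("{}: {:?}", t, check_target("odoh-relay.numa.rs", &allowed, t));
    }
}
```

The order matters: the syntax check runs first so that the eTLD+1 computation never sees hostile input, and the operator-separation check runs before the allowlist so that a misconfigured allowlist cannot quietly admit a target under the relay's own domain.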

Why It Matters

This development matters because it gives self-hosting users a privacy-preserving DNS option that requires neither an account nor platform lock-in. It advances the adoption of ODoH, a protocol designed so that no single server can link a client's IP address to the names it looks up, and so supports stronger privacy guarantees in DNS resolution. A second relay also signals growing ecosystem support and the potential for broader adoption, which could influence privacy practices across the internet.


Background

Before this, the privacy-focused DNS ecosystem offered only a handful of public relays, such as odoh-relay.edgecompute.app. ODoH (RFC 9230) is an IETF protocol that encrypts DNS queries between client and target and routes them through a relay (the RFC's proxy), so that the relay sees the client's IP address but not the query, and the target sees the query but not the client's IP address. Numa had already written a client and a relay; this is the first time it has deployed a relay publicly, giving the ecosystem a second independently operated option for resilience. The relay's design emphasizes operator independence and strict validation to prevent collusion, in line with the protocol's privacy model. The ecosystem's growth reflects increasing interest in decentralized, cryptographically protected DNS privacy.
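The split described above is visible in the wire formats RFC 9230 defines: a client fetches the target's ObliviousDoHConfigs (its HPKE key material), and the relay only ever handles the ObliviousDoHMessage envelope, which carries a message type, a key identifier and an opaque HPKE-sealed payload. The following is an added example written for this page, not code from Numa's binary: encoders and parsers for both structures in plain Rust, with constructed sample bytes that contain no real key or ciphertext. The HPKE identifiers used in the sample (DHKEM(X25519, HKDF-SHA256), HKDF-SHA256, AES-128-GCM) are the RFC 9180 codepoints; the unknown-version entry is there to show that a parser must skip, not reject, versions it does not understand.

```rust
// Added example (not Numa's code): RFC 9230 wire formats for ObliviousDoHConfigs
// and ObliviousDoHMessage. Sample bytes are constructed; no real key or ciphertext.

/// ObliviousDoHConfigContents for version 0x0001: HPKE kem/kdf/aead IDs and
/// the target's public key, opaque<1..2^16-1>.
#[derive(Debug, PartialEq)]
pub struct OdohConfig {
    pub kem_id: u16,
    pub kdf_id: u16,
    pub aead_id: u16,
    pub public_key: Vec<u8>,
}

/// ObliviousDoHMessage: message_type (1 = query, 2 = response), key_id and the
/// HPKE-sealed payload, each opaque<0..2^16-1>. This envelope is all a relay
/// sees; it never holds the key that opens encrypted_message.
#[derive(Debug, PartialEq)]
pub struct OdohMessage {
    pub message_type: u8,
    pub key_id: Vec<u8>,
    pub encrypted_message: Vec<u8>,
}

fn read_u16(buf: &[u8], pos: &mut usize) -> Option<u16> {
    let b = buf.get(*pos..*pos + 2)?;
    *pos += 2;
    Some(u16::from_be_bytes([b[0], b[1]]))
}

fn read_vec16(buf: &[u8], pos: &mut usize) -> Option<Vec<u8>> {
    let len = read_u16(buf, pos)? as usize;
    let b = buf.get(*pos..*pos + len)?;
    *pos += len;
    Some(b.to_vec())
}

fn put_vec16(out: &mut Vec<u8>, v: &[u8]) {
    out.extend_from_slice(&(v.len() as u16).to_be_bytes());
    out.extend_from_slice(v);
}

/// ObliviousDoHConfigs: uint16 total length, then ObliviousDoHConfig entries of
/// {version, length, contents}. Only version 0x0001 is defined; other versions
/// are skipped by their length field. Any truncation rejects the whole list.
pub fn parse_configs(buf: &[u8]) -> Option<Vec<OdohConfig>> {
    let mut pos = 0;
    let total = read_u16(buf, &mut pos)? as usize;
    let end = pos.checked_add(total)?;
    if end > buf.len() {
        return None;
    }
    let mut configs = Vec::new();
    while pos < end {
        let version = read_u16(buf, &mut pos)?;
        let length = read_u16(buf, &mut pos)? as usize;
        let body_end = pos.checked_add(length)?;
        if body_end > end {
            return None;
        }
        if version == 0x0001 {
            let mut p = pos;
            let kem_id = read_u16(buf, &mut p)?;
            let kdf_id = read_u16(buf, &mut p)?;
            let aead_id = read_u16(buf, &mut p)?;
            let public_key = read_vec16(buf, &mut p)?;
            // The contents must fill `length` exactly and carry a non-empty key.
            if public_key.is_empty() || p != body_end {
                return None;
            }
            configs.push(OdohConfig { kem_id, kdf_id, aead_id, public_key });
        }
        pos = body_end;
    }
    Some(configs)
}

pub fn encode_configs(configs: &[OdohConfig]) -> Vec<u8> {
    let mut body = Vec::new();
    for c in configs {
        let mut contents = Vec::new();
        contents.extend_from_slice(&c.kem_id.to_be_bytes());
        contents.extend_from_slice(&c.kdf_id.to_be_bytes());
        contents.extend_from_slice(&c.aead_id.to_be_bytes());
        put_vec16(&mut contents, &c.public_key);
        body.extend_from_slice(&0x0001u16.to_be_bytes());
        put_vec16(&mut body, &contents);
    }
    let mut out = Vec::new();
    put_vec16(&mut out, &body);
    out
}

pub fn parse_message(buf: &[u8]) -> Option<OdohMessage> {
    let message_type = *buf.first()?;
    if message_type != 1 && message_type != 2 {
        return None;
    }
    let mut pos = 1;
    let key_id = read_vec16(buf, &mut pos)?;
    let encrypted_message = read_vec16(buf, &mut pos)?;
    if pos != buf.len() {
        return None; // trailing bytes are not part of the structure
    }
    Some(OdohMessage { message_type, key_id, encrypted_message })
}

pub fn encode_message(m: &OdohMessage) -> Vec<u8> {
    let mut out = vec![m.message_type];
    put_vec16(&mut out, &m.key_id);
    put_vec16(&mut out, &m.encrypted_message);
    out
}

/// Constructed ObliviousDoHConfigs: one version-1 entry with a dummy 32-byte
/// key, followed by an unknown version 0x0002 entry (length 3) that must be skipped.
pub fn sample_configs() -> Vec<u8> {
    let cfg = OdohConfig { kem_id: 0x0020, kdf_id: 0x0001, aead_id: 0x0001, public_key: vec![0x11; 32] };
    let mut bytes = encode_configs(&[cfg]);
    bytes.extend_from_slice(&[0x00, 0x02, 0x00, 0x03, 0xDE, 0xAD, 0xBE]);
    let total = (bytes.len() - 2) as u16; // patch the outer list length
    bytes[..2].copy_from_slice(&total.to_be_bytes());
    bytes
}

fn main() {
    let configs = parse_configs(&sample_configs()).expect("valid configs");
    println!("usable configs: {}, kem_id=0x{:04x}", configs.len(), configs[0].kem_id);
    // What the relay forwards: type, key_id and opaque ciphertext (constructed here).
    let query = OdohMessage { message_type: 1, key_id: vec![0xAA; 32], encrypted_message: vec![0xCC; 48] };
    let wire = encode_message(&query);
    println!("envelope: {} bytes, {} of them ciphertext", wire.len(), query.encrypted_message.len());
    assert_eq!(parse_message(&wire).as_ref(), Some(&query));
}
```

Note that parse_configs refuses a truncated list outright rather than returning the entries it managed to read; a client that silently accepted a partial list could be steered onto a single attacker-chosen key by an on-path party that cut the response short.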

“The second public relay is a step toward more resilient, privacy-preserving DNS infrastructure that users can host themselves.”

— Numa developer

“Deploying multiple relays operated by independent entities helps mitigate traffic analysis risks and enhances overall privacy guarantees.”

— DNS privacy researcher


What Remains Unclear

It is still unclear how the new relay will perform under real-world traffic or how widely it will be adopted. The cryptographic protections do not prevent every traffic-analysis or correlation attack: the relay still sees client IP addresses and the size and timing of messages, and a relay and target that collude can rejoin IP address and query. The centralized distribution of target keys remains a potential weak point, and operational security depends on operator practices. The ecosystem is still evolving, and the long-term sustainability of these relays is uncertain.


What’s Next

Next steps include monitoring the relay’s performance, expanding the ecosystem with more independent relays, and potentially developing mechanisms for decentralized key distribution. Community feedback and usage data will inform improvements. Further, integration with popular DNS clients and tools will likely increase adoption. Ongoing efforts aim to enhance cryptographic protections and operational security to strengthen privacy guarantees.


Key Questions

What is an ODoH relay and why is it important?

An ODoH relay is a server that forwards encrypted DNS queries from clients to a target resolver. The relay sees the client's IP address but only ciphertext, and the target sees the query but only the relay's IP address, so neither party holds both the identity and the content. It enhances privacy by decoupling who is asking from what is being asked.

How does the new relay differ from existing options?

The new relay, operated by Numa, is the second public deployment and is designed with strict hostname validation and operator independence to prevent collusion. It is compatible with existing clients and forwards to Cloudflare's well-known public ODoH target, providing redundancy at the relay layer and an additional privacy option.

Can I run this relay myself?

Yes, the relay is distributed as a single Rust binary that can be self-hosted in environments like Docker. Instructions and configuration details are available for those interested in deploying their own relay.

Does using this relay guarantee complete privacy?

No. It encrypts DNS queries so the relay cannot read them and hides the client's IP address from the target resolver, but it does not prevent traffic analysis or timing attacks, and it offers nothing if relay and target collude. Privacy depends on operational security, relay volume, and ecosystem diversity.
