Razvan Dimescu launched the second public ODoH (Oblivious DNS over HTTPS) relay on May 14, 2026, addressing a critical infrastructure gap in privacy-focused DNS services. The announcement on Hacker News received 84 points and 25 comments, highlighting community interest in account-free DNS privacy solutions.
ODoH Splits DNS Query Path Between Independent Operators
Oblivious DNS over HTTPS (RFC 9230) solves a fundamental privacy problem in DNS: traditional setups require either trusting a single resolver with both IP address and query content, or using services that require account creation. ODoH splits this trust between two independent operators.
The relay operator sees the client's IP address but receives only encrypted queries that cannot be decrypted. The target resolver sees decrypted DNS questions but receives them through the relay, never learning the client's IP address. Encryption uses HPKE (RFC 9180), with Cloudflare's audited odoh-rs crate handling cryptographic operations.
Dimescu notes that "DoH and DoT encrypt the transport; they don't change who learns what," emphasizing that encryption alone doesn't solve the metadata problem.
Technical Implementation Built Into Numa DNS Resolver
The relay runs as part of Numa, an open-source DNS resolver released under MIT license. The implementation includes:
- Separate binary mode: numa relay [PORT]
- Only two exposed endpoints: POST /relay and GET /health
- SSRF-hardened hostname validation compliant with RFC 1035
- eTLD+1 same-operator check preventing single entities from controlling both relay and target
- Default configuration pairing odoh-relay.numa.rs with odoh.cloudflare-dns.com
- Deployment as systemd unit on Hetzner infrastructure with Caddy providing TLS termination
The default configuration ensures two independent organizations without shared domain ownership, preventing single-point-of-trust scenarios.
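To make the two checks above concrete, here is an added example (written for this article, not Numa's own code) of RFC 1035 hostname validation with SSRF-style rejections, followed by a simplified eTLD+1 "same operator" comparison of the relay and target hostnames. The public-suffix table is a tiny constructed stand-in for the real Public Suffix List, and the function names are assumptions; the hostnames in main() are the announcement's default pairing plus constructed counterexamples.

```rust
// Added example, not Numa's code. Demonstrates the two defensive checks the
// relay description lists: hostname validation and an eTLD+1 independence check.

/// Constructed stand-in for the Public Suffix List (publicsuffix.org). A real
/// deployment loads the full list; these entries only cover the examples here.
const PUBLIC_SUFFIXES: &[&str] = &["com", "rs", "net", "co.uk"];

/// RFC 1035 hostname syntax: total length 1..=253, dot-separated labels of
/// 1..=63 characters, letters/digits/hyphen only, no leading or trailing
/// hyphen in a label. Also rejects shapes an SSRF check should never forward
/// to: IPv4 literals, bracketed IPv6 literals, "localhost" and single labels.
pub fn validate_hostname(host: &str) -> Result<String, &'static str> {
    let host = host.strip_suffix('.').unwrap_or(host).to_ascii_lowercase();
    if host.is_empty() || host.len() > 253 {
        return Err("hostname length must be 1..=253");
    }
    if host.starts_with('[') {
        return Err("IPv6 literal not allowed");
    }
    let labels: Vec<&str> = host.split('.').collect();
    for label in &labels {
        if label.is_empty() || label.len() > 63 {
            return Err("label length must be 1..=63");
        }
        if !label.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-') {
            return Err("label contains invalid character");
        }
        if label.starts_with('-') || label.ends_with('-') {
            return Err("label must not start or end with '-'");
        }
    }
    // Every label numeric means a dotted-quad such as 169.254.169.254.
    if labels.iter().all(|l| l.bytes().all(|b| b.is_ascii_digit())) {
        return Err("IPv4 literal not allowed");
    }
    if labels.len() < 2 || host == "localhost" {
        return Err("single-label or localhost name not allowed");
    }
    Ok(host)
}

/// Registrable domain (eTLD+1): the longest matching public suffix plus one
/// more label. Returns None when the host is itself a public suffix.
pub fn etld_plus_one(host: &str) -> Option<String> {
    let labels: Vec<&str> = host.split('.').collect();
    // start = 0 is the whole host, so the longest suffix is tried first.
    for start in 0..labels.len() {
        let suffix = labels[start..].join(".");
        if PUBLIC_SUFFIXES.contains(&suffix.as_str()) {
            if start == 0 {
                return None;
            }
            return Some(labels[start - 1..].join("."));
        }
    }
    None
}

/// Ok(()) when relay and target are valid hostnames under different
/// registrable domains, i.e. plausibly run by independent operators.
pub fn check_independent(relay: &str, target: &str) -> Result<(), String> {
    let relay = validate_hostname(relay).map_err(|e| format!("relay: {e}"))?;
    let target = validate_hostname(target).map_err(|e| format!("target: {e}"))?;
    let r = etld_plus_one(&relay).ok_or("relay: no registrable domain")?;
    let t = etld_plus_one(&target).ok_or("target: no registrable domain")?;
    if r == t {
        return Err(format!("relay and target share registrable domain {r}"));
    }
    Ok(())
}

fn main() {
    // Default pairing from the announcement: two registrable domains, accepted.
    println!("{:?}", check_independent("odoh-relay.numa.rs", "odoh.cloudflare-dns.com"));
    // Constructed same-operator pairing: rejected.
    println!("{:?}", check_independent("relay.example.com", "target.example.com"));
    // Constructed SSRF-style target (link-local metadata address): rejected.
    println!("{:?}", check_independent("odoh-relay.numa.rs", "169.254.169.254"));
}
```

The independence check is only as good as the suffix table: with a stale or truncated list, two hosts under a shared public suffix (for example a hosting provider's domain) would be treated as one operator, or two subdomains of one registrant as two. Loading the current Public Suffix List is therefore part of the check, not an optional refinement.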
Known Limitations and Ecosystem Context
The implementation carries several documented limitations. Targets can still log queries; the protection against the target is operational (it never receives the client IP) rather than cryptographic. While the relay's traffic volume is small, traffic analysis that correlates queries entering and leaving the relay remains possible. HPKE configuration distribution depends on the centralized WebPKI. Recursive DNS resolution beyond the target remains plaintext. Each query incurs a 50-100ms latency penalty.
RFC 9230 remains experimental and is not endorsed by the IETF. Before this launch, Frank Denis's relay on Fastly Compute was the primary public option, set as default in dnscrypt-proxy. Target deployments are limited—Cloudflare's odoh.cloudflare-dns.com serves as the practical option for general use, with PCCW, SURF, and Equinix running launch proxies.
The project addresses documented ecosystem thinness, providing a second independent relay operator for users seeking DNS privacy without account requirements.
Key Takeaways
- ODoH (RFC 9230) splits DNS query paths between relay operators who see IP addresses and target resolvers who see queries, preventing either from having complete user information
- Razvan Dimescu's relay at odoh-relay.numa.rs is only the second well-known public ODoH relay, joining Frank Denis's Fastly Compute deployment
- The implementation uses Cloudflare's audited odoh-rs crate for HPKE encryption and includes SSRF hardening with eTLD+1 same-operator checks
- Each query adds 50-100ms latency, and traffic analysis remains possible with low relay volumes
- The Numa DNS resolver is open source under MIT license and available at github.com/razvandimescu/numa