A second public relay for Oblivious DNS over HTTPS (ODoH) has gone live, giving privacy-focused internet users another server to route DNS queries without logging into an account. While services like NextDNS and Apple’s iCloud Private Relay require sign-ups to mask DNS requests, ODoH’s architecture lets users route queries through two distinct servers—one handling the query and another oblivious to the actual request—without needing to create an account.
The project emerged from a gap in ODoH’s public infrastructure. Until now, most users relied on a single well-known relay operated by Frank Denis on Fastly’s Compute platform, which is also the default option in the widely used dnscrypt-proxy client. A new relay now joins this ecosystem, designed to distribute traffic and reduce dependency on a single point of failure.
How ODoH’s privacy model works
ODoH splits DNS requests into two parts: the query itself and the oblivious portion that hides the request’s origin or destination. When a user’s device sends a DNS query through an ODoH client, the request is encrypted and routed first to a target relay—which decrypts the query—and then forwarded to a privacy relay—which adds a layer of encryption before sending it to the authoritative DNS server. This dual-hop process prevents both relays from seeing the full request, preserving user anonymity.
The new relay follows this same model but introduces additional capacity to the network. Unlike traditional DNS services that require user accounts to track activity or enforce policies, ODoH relays operate without logging identifiable user data, aligning with the protocol’s commitment to minimal data retention.
Technical details of the new relay
The relay runs on open-source software and is configured to handle high volumes of traffic while maintaining low latency. Its operator has set up monitoring to track performance metrics such as request throughput and error rates, ensuring stability during peak usage. The client software, designed to interface with this relay, supports configuration via command-line arguments or configuration files, allowing users to customize their DNS resolution paths.
# Example client configuration to use the new ODoH relay
odoo-client --target-relay \
--privacy-relay \
--proxy Users can integrate the relay into existing setups by updating their DNS resolver configurations. The setup process involves pointing the device or application’s DNS settings to an ODoH-compatible client, which then manages the two-hop routing automatically.
Why decentralization matters for ODoH
The addition of a second public relay addresses a longstanding concern in the ODoH ecosystem: reliance on a single infrastructure provider. While Fastly’s relay remains operational and reliable, diversifying the relay network reduces the risk of service disruption and improves resilience against potential outages or policy changes. This shift also encourages broader adoption by offering users more choices in selecting relays based on geographic location or performance preferences.
Privacy advocates have welcomed the development, noting that ODoH’s design inherently limits the exposure of user data compared to traditional DNS services. By eliminating the need for account creation, ODoH relays avoid collecting personally identifiable information, a common practice among DNS providers that store user histories for analytics or compliance.
As ODoH gains traction, more relays are expected to come online, further decentralizing the infrastructure and reinforcing the protocol’s commitment to privacy. Developers interested in contributing to the project or setting up their own relays can access the open-source code repositories and documentation to participate in the ecosystem’s growth.
The future of ODoH will likely hinge on community adoption and the expansion of relay networks. With two public relays now operational, the protocol is better positioned to compete with account-based privacy DNS services while maintaining its core principle: enabling private DNS resolution without sacrificing usability.
AI summary
Geleneksel DNS hizmetlerinden farklı olarak hesap gerektirmeyen ODoH protokolü için ikinci halka açık aktarım sunucusu hayata geçirildi. Bu yenilik gizlilik korumalarını nasıl güçlendirecek?
