Running the second public ODoH relay

by rdme·May 14, 2026·125 points·41 comments

AI Analysis

●● Solid · Niche Gem · Ship It

Second public ODoH relay in the wild, solving the single-operator trust bottleneck.

Strengths
  • Splits the DNS path so ingress sees the client IP but not the query, and egress sees the query but not the client IP.
  • Single Rust binary handles both client forwarding and relay modes without accounts.
  • Uses audited odoh-rs and rustls crates instead of hand-rolling crypto primitives.
Weaknesses
  • Relies on trust that the relay operator and target resolver do not collude.
  • Niche protocol adoption means few public relays exist compared to standard DoH.
Target Audience

Privacy-conscious self-hosters and network administrators

Similar To

Cloudflare ODoH · dnscrypt-proxy · Apple iCloud Private Relay

Post Description

Every privacy-focused DNS service requires an account: NextDNS, Cloudflare for Families, Apple's iCloud Private Relay (paid, iOS-only). The protocol that doesn’t require one - ODoH - had basically one well-known public relay operator (Frank Denis on Fastly Compute, default in dnscrypt-proxy). I built a second one and the client to talk to it.
