Show HN: Running the second public ODoH relay

Pretty cool to see someone actually running public ODoH infra instead of just talking about privacy in theory. I'm just wondering what the biggest operational pain has been so far running a public relay.

anyone know how the diagram was made? pretty cool.

To me this feels like turtles all the way down. Ultimately who owns and controls the layer-4 proxies and DoH servers matters and can easily get into turtle arguments. Who controls the certs controls the mathematical obfuscation (encryption) also matters. Pieces of the puzzle can be shared and recombined at any time.Me personally, I will stick with running my own DoH servers and thus I need not run any turtles (layer 4 proxies) in the middle of my already encrypted connections. Anyone running Unbound DNS can enable DoH if Unbound was built including '--with-libnghttp2' which the Alpine Linux version has. At the moment my browser is talking to Unbound over DoH on my local network so I get the advantages of ECN but I can easily switch it to any server where I have installed Unbound. Ultimately DNS at some point will be unencrypted UDP port 53 so I would rather it be me that determines where that happens so I can optimize my own cache and pre-cache cron jobs to mask my DNS behavior, but that's just me. Others can do whatever they want, as they should. The people that operate my ISP are bigger deviants than I and they know that I know that they know that I know this.Oh and as a funny side note, I can warm up cache on entirely unrelated nodes and then transfer the cache export to any node and keep it valid on that node as long as I wish making the vast majority of my DNS requests respond in less than 700 nanoseconds not that I am in any hurry. unbound-control dump_cache | bzip -9c > /dev/shm/dump_node_1045.txt.bz2

I can then bring those cache dumps in from any node to my home network making DNS resolution entirely invisible. Automation is only limited to ones imagination. Or AI's imagination. I personally find it beneficial to listen to Pure Imagination from Willy Wonka & The Chocolate Factory (1971) RIP Gene Wilder

What is the end-game for the private TLD? Is this going to turn into some cryptocurrency thing?

[dead]

[flagged]

[dead]

What would it take to get truly anonymous dns? I guess it’s not really possible no?

What’s the selling point of ODoH given the low uptake of ECH which means the name of the server you’re talking to is given away anyway?

The relay is a systemd unit on a VPS, Caddy for TLS, SSRF-hardened (regex-strict hostnames, no IP literals). eTLD+1 same-operator check rejects relay+target run by the same org by default. HPKE is odoh-rs from Cloudflare```
cargo install numa# set mode = "odoh" in numa.toml
```Repo: https://github.com/razvandimescu/numa