Tech

Numa deploys second public ODoH relay to bolster anonymous DNS infrastructure

The new relay at odoh-relay.numa.rs pairs with Cloudflare to split user identity from query data, addressing gaps in the current anonymous DNS landscape.

Author
Owen Mercer
Markets and Finance Editor
Published
Draft
Source: Hacker News · original
Open-source project releases v0.14 with MIT-licensed binary, offering account-free privacy alternative to major tech providers

Numa has deployed its second public Oblivious DNS over HTTPS (ODoH) relay, expanding the available infrastructure for users seeking to decouple their identity from their DNS queries. The release, included in the Numa v0.14 update, provides an MIT-licensed binary that functions as both an ODoH client and a relay server. This deployment allows users to route DNS traffic through two independent operators without the need for user accounts or telemetry, offering a distinct alternative to services such as Apple Private Relay, NextDNS, and Cloudflare Families.

The initiative addresses a specific gap in the privacy market where existing anonymous DNS solutions typically require account registration or platform-specific lock-in. While protocols like DoH and DoT encrypt the transport layer, they do not inherently anonymise the relationship between the user and the operator. ODoH, standardised under IETF RFC 9230, is designed to split user identity from query data across two separate entities. The new Numa relay, hosted at odoh-relay.numa.rs, is configured to pair with odoh.cloudflare-dns.com, ensuring that the ingress and egress points are operated by distinct organisations.

Security measures were a primary focus during the development of the relay component. The implementation includes an SSRF-hardened hostname validator that rejects IP literals, internationalised domain names, and non-standard ports to prevent malicious clients from exploiting the relay for server-side request forgery. Additionally, the system enforces an eTLD+1 same-operator check by default, rejecting configurations where the relay and upstream target share the same registrable domain (the effective top-level domain plus one label). This check is critical to maintaining the protocol’s privacy guarantees, as a single operator controlling both legs of the connection could link IP addresses to specific queries.
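The following sketch shows how a relay could apply the checks described above to a client-supplied target host. It is an example added here, not Numa's code: the function names, the `Reject` enum, the tolerance of an explicit `:443`, the three-entry suffix table and the sample hostname `odoh.numa.rs` are all assumptions or constructed values.

```rust
use std::net::IpAddr;

// Constructed stand-in for the Public Suffix List; a real check loads the full list.
const MULTI_LABEL_SUFFIXES: &[&str] = &["co.uk", "com.au", "github.io"];

#[derive(Debug, PartialEq)]
pub enum Reject { IpLiteral, Port, Idn, BadName, SameOperator }

/// Syntax-only check of a client-supplied target host; returns the normalised name.
pub fn validate_host(raw: &str) -> Result<String, Reject> {
    let lower = raw.to_ascii_lowercase();
    if lower.starts_with('[') { return Err(Reject::IpLiteral); } // bracketed IPv6
    // Assumption: an explicit default port (443) is tolerated, any other is refused.
    let host = lower.strip_suffix(":443").unwrap_or(lower.as_str()).trim_end_matches('.');
    if host.parse::<IpAddr>().is_ok() { return Err(Reject::IpLiteral); }
    if host.contains(':') { return Err(Reject::Port); }
    let labels: Vec<&str> = host.split('.').collect();
    if !host.is_ascii() || labels.iter().any(|l| l.starts_with("xn--")) {
        return Err(Reject::Idn); // raw Unicode or punycode A-label
    }
    // A last label starting with a digit ("2130706433", "0x7f.1") is IPv4 to many URL parsers.
    if labels[labels.len() - 1].starts_with(|c: char| c.is_ascii_digit()) { return Err(Reject::IpLiteral); }
    let label_ok = |l: &str| (1..=63).contains(&l.len()) && !l.starts_with('-') && !l.ends_with('-')
        && l.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-');
    if labels.len() < 2 || host.len() > 253 || !labels.iter().all(|l| label_ok(*l)) {
        return Err(Reject::BadName); // single-label names such as "localhost" land here
    }
    Ok(host.to_string())
}

/// Registrable domain (eTLD+1) of a lowercase hostname.
pub fn etld_plus_one(host: &str) -> String {
    let labels: Vec<&str> = host.split('.').collect();
    let two = labels[labels.len().saturating_sub(2)..].join(".");
    let keep = if MULTI_LABEL_SUFFIXES.iter().any(|s| *s == two.as_str()) { 3 } else { 2 };
    labels[labels.len().saturating_sub(keep)..].join(".")
}

/// Relay-side decision: target syntax first, then the same-operator rule.
pub fn check_target(relay_host: &str, target: &str) -> Result<String, Reject> {
    let host = validate_host(target)?;
    if etld_plus_one(&host) == etld_plus_one(&relay_host.to_ascii_lowercase()) { return Err(Reject::SameOperator); }
    Ok(host)
}

fn main() {
    for t in ["odoh.cloudflare-dns.com", "127.0.0.1", "[::1]:443", "dns.example:8443", "odoh.numa.rs"] {
        println!("{t:>24} -> {:?}", check_target("odoh-relay.numa.rs", t));
    }
}
```

These checks cover only the syntax of the name; what address the name resolves to is a separate question that a hostname validator does not answer.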

The deployment runs on a Hetzner VPS with TLS termination handled by Caddy. The Numa v0.14 binary utilises HPKE (RFC 9180) for encryption, leveraging the odoh-rs library for seal and open operations. The project provides a Docker Compose recipe for straightforward deployment and a probe script to test the broader public ODoH ecosystem. This release follows the work of Frank Denis, who operates the first well-known public ODoH relay at odoh-relay.edgecompute.app on Fastly Compute, which remains the default in the widely used dnscrypt-proxy client.

Numa describes the project as infrastructure maintenance rather than a commercial product, aiming to support self-hosted audiences who previously lacked anonymous DNS options without account requirements. The software supports recursive resolution, DNSSEC, ad blocking, and includes a REST API and live dashboard. By providing a single binary that can be flipped between client and relay modes, Numa lowers the barrier for other operators to stand up their own relays, thereby increasing the diversity of the anonymous DNS ecosystem.
