Romanian developer Razvan Dimescu released Numa v0.14, a single Rust binary that combines an ODoH (Oblivious DNS over HTTPS) client and relay. This release is the second public deployment of the IETF-standardized protocol (RFC 9230), enabling users to anonymize DNS queries without requiring an account, telemetry, or platform lock-in like Apple’s iCloud Private Relay.
ODoH splits the DNS query path into two disjoint legs: an ingress relay sees the user’s IP address but not the query, while an egress target (e.g., Cloudflare) sees the query but not the IP. This design mirrors Apple’s iCloud Private Relay but removes its $0.99/month subscription requirement and platform restrictions (iOS/macOS only). Numa’s implementation uses HPKE (RFC 9180) for encryption, the same primitive as TLS Encrypted ClientHello, ensuring no custom crypto is introduced.
The binary ships with a default configuration pairing Numa’s relay (`odoh-relay.numa.rs`) with Cloudflare’s target (`odoh.cloudflare-dns.com`), ensuring the two operators are independent and share no eTLD+1 domain. This prevents a single entity from correlating IP and query. The relay runs in Docker Compose on a Hetzner VPS, with Caddy handling TLS termination. A probe script (`tests/probe-odoh-ecosystem.sh`) verifies the entire public ecosystem’s integrity in one command.
Numa’s relay includes two critical security safeguards. First, an SSRF-hardened hostname validator restricts outbound connections to RFC 1035-compliant ASCII hostnames, rejecting IP literals (e.g., `169.254.169.254`) that could otherwise be used to reach cloud metadata endpoints. Second, an eTLD+1 same-operator check rejects configurations where relay and target share a root domain, preserving the protocol’s privacy guarantees. Both checks are enabled by default but can be overridden for intentional same-operator setups.
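As an added illustration of the two checks described above (not Numa’s own code), the following Rust validates an upstream hostname as RFC 1035 ASCII labels, rejects anything std can parse as an IP literal, and applies a default-on same-operator check; the registrable-domain helper is a deliberate simplification that takes the last two labels, where a real eTLD+1 check would consult the Public Suffix List.

```rust
// Added example, not part of Numa. Registrable domain is simplified to the
// last two labels (assumption); production code must use the Public Suffix List.

/// Accept only RFC 1035-style ASCII hostnames with at least two labels;
/// reject IPv4 dotted quads, bare or bracketed IPv6, and malformed labels.
pub fn valid_upstream_host(host: &str) -> bool {
    // IPv6 literals always contain ':'; IPv4 literals parse as std IpAddr.
    if host.contains(':') || host.parse::<std::net::IpAddr>().is_ok() {
        return false;
    }
    // Overall length limit; a bare single label is not an acceptable target.
    if host.is_empty() || host.len() > 253 || !host.contains('.') {
        return false;
    }
    let labels: Vec<&str> = host.split('.').collect();
    let ok_label = |l: &str| {
        !l.is_empty()
            && l.len() <= 63
            && l.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-')
            && !l.starts_with('-')
            && !l.ends_with('-')
    };
    // RFC 1123: the top-level label must not be all-numeric, which also
    // catches dotted forms like "127.1" that std did not parse as an address.
    let tld = labels[labels.len() - 1];
    labels.iter().all(|l| ok_label(l)) && !tld.bytes().all(|b| b.is_ascii_digit())
}

/// Simplified registrable domain: last two labels, lower-cased.
pub fn registrable_domain(host: &str) -> Option<String> {
    let labels: Vec<&str> = host.split('.').filter(|l| !l.is_empty()).collect();
    if labels.len() < 2 {
        return None;
    }
    Some(labels[labels.len() - 2..].join(".").to_ascii_lowercase())
}

/// Relay and target must belong to different operators unless the
/// deployer explicitly opts into a same-operator setup.
pub fn operators_independent(relay: &str, target: &str, allow_same: bool) -> bool {
    if allow_same {
        return true;
    }
    match (registrable_domain(relay), registrable_domain(target)) {
        (Some(r), Some(t)) => r != t,
        _ => false,
    }
}
```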
The project adheres to a ‘no DNS libraries’ principle, relying instead on Cloudflare’s audited `odoh-rs` crate for HPKE operations. Dimescu emphasized that hand-rolling crypto introduces audit risks, noting, “Every hour of ‘I want full control’ buys ten of audit anxiety.” The client mode integrates into Numa’s existing forwarding pipeline alongside UDP, DoH, and DoT transports, while the relay exposes only `POST /relay` and `GET /health` endpoints.
ODoH’s privacy model moves trust rather than eliminating it. While the target (e.g., Cloudflare) cannot see the user’s IP, it still receives the decrypted query and could log it. The protection is operational: queries are unattributed, preventing correlation with user identities. This limitation contrasts with recursive resolvers like Unbound, where every authoritative nameserver (e.g., `.com`, `google.com`) sees the user’s IP, exposing browsing patterns to multiple parties.
Existing privacy-focused DNS services, such as NextDNS, Cloudflare for Families, and Quad9, require user accounts, telemetry, or both, creating friction for self-hosted deployments. Apple’s iCloud Private Relay offers similar IP-query separation but is limited to Apple devices and curated egress partners. Numa’s solution targets the self-hosted audience, providing an MIT-licensed binary with a default configuration that works out of the box, requiring no additional setup.
The relay’s deployment on a Hetzner VPS underscores its lightweight requirements. Docker Compose orchestrates the service, with Caddy managing TLS termination. The probe script automates ecosystem validation, ensuring public relays and targets remain independent. Dimescu’s post highlights that while ODoH improves privacy, it does not address all DNS-related threats, such as recursive mode leaks or the target’s ability to log queries, framing the project as a step toward broader anonymity tools.