HeadlinesBriefing.com

Second Public ODoH Relay Deployed for Anonymous DNS

Hacker News

The developer behind Numa has launched the second public ODoH relay, a self-hosted, account-free path to anonymous DNS resolution over Oblivious DNS over HTTPS (ODoH, RFC 9230). With plain DNS or DoH, the recursive resolver sees both the client's IP address and every query it makes (and EDNS Client Subnet can pass part of that address on to authoritative servers), while existing privacy options often require an account or tie the user to a platform, as Apple's iCloud Private Relay does. ODoH splits the path between two parties: the relay (the RFC's proxy) sees the client's IP but only an encrypted query, and the target resolver sees the plaintext query but only the relay's IP.

Numa v0.14 bundles the ODoH client and relay into a single Rust binary. The client encrypts each query to the target's published public key with HPKE (RFC 9180), so the relay forwards opaque ciphertext and the target's answer travels back encrypted the same way. The privacy argument only holds if the relay and the target are run by different organizations that do not pool their logs, which Numa enforces by default by refusing configurations where relay and target share an eTLD+1. That check is a heuristic: two registrable domains can still belong to one operator, so it catches obvious misconfigurations rather than proving independence.

Deploying the relay also meant hardening it against SSRF: an ODoH relay is by construction an HTTP forwarder that takes the target host from the client's request, so without a strict hostname validator a client could use it to reach internal addresses, cloud metadata endpoints or arbitrary third-party servers. The default configuration pairs the Numa relay with odoh.cloudflare-dns.com, giving a path across two distinct operators. ODoH splits trust rather than removing it: the target still sees and can log every decrypted query, the relay still sees who is querying and when, and if the two collude (or one operator quietly runs both) the client is back to ordinary DoH.
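As an added example, not Numa's code (the page does not show its validator), here are the two checks described above in Rust: a request-time validator for the client-supplied target host that rejects IP literals, malformed names and anything off an explicit allowlist; a post-resolution check that refuses non-public addresses, so a name that resolves or later rebinds to a loopback, RFC 1918 or link-local metadata address is never contacted; and the config-time same-operator check on eTLD+1. The allowlist, the function names and the tiny public-suffix table are assumptions made for this example; a real relay should load the full Public Suffix List.

```rust
// Added example (not Numa's code): request-time target validation, post-resolution
// address screening and the config-time same-operator check for an ODoH relay.
// Assumed: an explicit target allowlist; a constructed table stands in for the PSL.
use std::net::{IpAddr, Ipv4Addr};

/// Constructed stand-in for the Public Suffix List; load the real list in production.
const PUBLIC_SUFFIXES: &[&str] = &["com", "net", "org", "co.uk", "github.io"];

#[derive(Debug, PartialEq)]
pub enum Reject {
    Malformed,
    IpLiteral,
    NotAllowlisted,
    UnknownSuffix,
    SameOperator,
    NonPublicAddress(IpAddr),
}

/// Syntactic check: lowercase, strip trailing dot, reject IP literals (bare or bracketed)
/// and anything that is not a sequence of valid DNS labels.
pub fn normalize_hostname(raw: &str) -> Result<String, Reject> {
    let host = raw.trim().trim_end_matches('.').to_ascii_lowercase();
    if host.is_empty() || host.len() > 253 {
        return Err(Reject::Malformed);
    }
    if host.trim_start_matches('[').trim_end_matches(']').parse::<IpAddr>().is_ok() {
        return Err(Reject::IpLiteral);
    }
    let label_ok = |l: &str| {
        !l.is_empty()
            && l.len() <= 63
            && l.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-')
            && !l.starts_with('-')
            && !l.ends_with('-')
    };
    if !host.split('.').all(label_ok) {
        return Err(Reject::Malformed); // also rejects ':' (ports), '@', '/', '?', non-ASCII
    }
    Ok(host)
}

/// Registrable domain (eTLD+1) under the suffix table; the longest matching suffix wins.
pub fn etld_plus_one(host: &str) -> Option<String> {
    let labels: Vec<&str> = host.split('.').collect();
    let mut best = 0;
    for suffix in PUBLIC_SUFFIXES {
        let n = suffix.split('.').count();
        if n < labels.len() && n > best && labels[labels.len() - n..].join(".") == *suffix {
            best = n;
        }
    }
    (best > 0).then(|| labels[labels.len() - best - 1..].join("."))
}

/// Config-time check: relay and target must not share an eTLD+1.
pub fn check_operator_separation(relay: &str, target: &str) -> Result<(), Reject> {
    let r = etld_plus_one(&normalize_hostname(relay)?).ok_or(Reject::UnknownSuffix)?;
    let t = etld_plus_one(&normalize_hostname(target)?).ok_or(Reject::UnknownSuffix)?;
    if r == t { Err(Reject::SameOperator) } else { Ok(()) }
}

/// Request-time check on the client-supplied targethost: exact allowlist match, so
/// decimal/hex IP spellings, ports and userinfo tricks never reach the HTTP client.
pub fn validate_target(allowlist: &[&str], raw_target: &str) -> Result<String, Reject> {
    let host = normalize_hostname(raw_target)?;
    if allowlist.iter().any(|t| *t == host) { Ok(host) } else { Err(Reject::NotAllowlisted) }
}

/// Post-resolution check: every address the name resolved to must be globally routable,
/// so a target that resolves (or rebinds) to loopback, RFC 1918, link-local metadata
/// space or an IPv4-mapped IPv6 equivalent is refused.
pub fn check_resolved(addrs: &[IpAddr]) -> Result<(), Reject> {
    fn public_v4(v4: Ipv4Addr) -> bool {
        let o = v4.octets();
        !(v4.is_private() || v4.is_loopback() || v4.is_link_local() || v4.is_unspecified()
            || v4.is_broadcast() || v4.is_documentation() || v4.is_multicast()
            || (o[0] == 100 && (o[1] & 0xc0) == 0x40)) // 100.64.0.0/10 shared address space
    }
    for &ip in addrs {
        let public = match ip {
            IpAddr::V4(v4) => public_v4(v4),
            IpAddr::V6(v6) => {
                let s = v6.segments();
                !(v6.is_loopback() || v6.is_unspecified() || v6.is_multicast()
                    || (s[0] & 0xfe00) == 0xfc00  // fc00::/7 unique local
                    || (s[0] & 0xffc0) == 0xfe80) // fe80::/10 link local
                    && v6.to_ipv4_mapped().map_or(true, public_v4)
            }
        };
        if !public {
            return Err(Reject::NonPublicAddress(ip));
        }
    }
    Ok(())
}

fn main() {
    let allow = ["odoh.cloudflare-dns.com"];
    println!("{:?}", check_operator_separation("relay.example.com", allow[0]));
    println!("{:?}", validate_target(&allow, "169.254.169.254"));
}
```

The allowlist is the primary control; the syntactic and post-resolution checks are defence in depth against spellings the allowlist would never match (a decimal IP such as 2130706433 is a syntactically valid label) and against DNS rebinding of an allowed name. Run `check_resolved` on the actual addresses the HTTP client is about to connect to, not on a separate lookup, or the rebinding window reopens.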