Numa v0.14 Launches Self-Hosted ODoH Relay

Numa’s latest release, version 0.14, introduces a self-hosted Oblivious DNS over HTTPS (ODoH) relay, bundled with its client in a single Rust binary. That makes Numa, alongside Frank Denis’s Fastly-hosted relay, one of only two publicly known ODoH relay operators. What matters is the split of knowledge the architecture enforces: the relay sees the client’s IP address but only encrypted DNS queries, while the Cloudflare target decrypts the DNS questions without ever learning the client’s identity. This matches RFC 9230’s privacy goals and provides anonymous DNS resolution without requiring user accounts.

On the engineering side, Numa v0.14 includes safeguards against two common relay weaknesses. A strict hostname validator blocks server-side request forgery (SSRF) attempts aimed at cloud metadata endpoints, a frequent abuse of relay services. An eTLD+1 same-operator check enforces, at configuration time, the independence between relay and target operators that the model depends on, reducing the risk of collusion or data correlation. These measures strengthen the relay’s security posture, but the architecture still concedes that the DNS target can log queries and that traffic analysis remains possible, so deployment calls for care and ongoing scrutiny.

How Numa Implements Privacy and Security

Numa v0.14 ships its self-hosted Oblivious DNS over HTTPS (ODoH) relay as a single Rust binary that also contains the client. The packaging simplifies deployment while keeping the separation of roles that RFC 9230 requires. The relay is an intermediary that receives DNS queries the client has already encrypted: it sees the client’s IP address but only the ciphertext of the request, never the plaintext. The Cloudflare target, conversely, decrypts and resolves the queries but never sees the client’s IP, which is what preserves the client’s anonymity.

Two engineering safeguards support this split. First, the relay’s hostname validator is hardened against server-side request forgery (SSRF), so an attacker cannot use the relay to reach internal cloud metadata services or other sensitive endpoints, a common way open proxies are abused. Second, the relay enforces an eTLD+1 same-operator check at configuration time, which ensures the relay and the target are run by distinct entities; without that independence the two could collude and defeat the anonymity guarantee.

The developers acknowledge the residual risks. The target resolver still receives every decrypted query and could log or analyze it. Traffic analysis remains a theoretical concern, since a network observer might correlate timing or volume patterns. Self-hosting reduces reliance on third-party infrastructure but places responsibility for security updates and monitoring squarely on the operator. Overall, Numa’s implementation balances practical deployment with adherence to ODoH’s privacy model, but it does not eliminate every avenue for data exposure inherent in DNS resolution.
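As an added illustration (my own code, not Numa’s, and not a claim about how Numa’s validator is written), the Rust program below shows the two configuration-time checks described above: a hostname validator that refuses IP literals in any spelling as well as local and cloud-internal names, and an eTLD+1 comparison that rejects a relay and target under the same registrable domain. It goes one step beyond the text by also filtering the address a validated name resolves to, since the metadata service lives at a link-local address. The suffix list and the blocked-name list are small constructed stand-ins for the Public Suffix List and a real deny list; all hostnames are example values except odoh.cloudflare-dns.com, Cloudflare’s public ODoH target.

```rust
use std::net::{IpAddr, Ipv4Addr};

/// Name suffixes for local or cloud-internal services (constructed, illustrative deny list).
const BLOCKED_HOST_SUFFIXES: &[&str] = &["localhost", "localdomain", "local", "internal"];
/// Stand-in for the Public Suffix List; a real deployment loads the full list.
const PUBLIC_SUFFIXES: &[&str] = &["com", "net", "org", "dev", "io", "uk", "co.uk", "github.io"];

#[derive(Debug, PartialEq)]
pub enum HostError { Empty, TooLong, IpLiteral, BadLabel(String), NumericTld, BlockedName, SingleLabel }

/// Syntactic SSRF guard: accept only a well-formed, multi-label DNS name that is neither an
/// IP literal in any spelling nor a local/internal service name. Returns the normalised name.
pub fn validate_hostname(raw: &str) -> Result<String, HostError> {
    let host = raw.trim().trim_end_matches('.').to_ascii_lowercase();
    if host.is_empty() { return Err(HostError::Empty); }
    if host.len() > 253 { return Err(HostError::TooLong); }
    // Endpoints must be names, so the address actually connected to can be checked and pinned.
    if host.trim_start_matches('[').trim_end_matches(']').parse::<IpAddr>().is_ok() {
        return Err(HostError::IpLiteral);
    }
    let labels: Vec<&str> = host.split('.').collect();
    for label in &labels {
        let well_formed = !label.is_empty() && label.len() <= 63
            && label.chars().all(|c| c.is_ascii_alphanumeric() || c == '-')
            && !label.starts_with('-') && !label.ends_with('-');
        if !well_formed { return Err(HostError::BadLabel(label.to_string())); }
    }
    // The top-level label must be alphabetic (or punycode). This also rejects alternate IPv4
    // spellings such as "127.1", "2130706433" or "0x7f000001", which the parser above does
    // not recognise but some HTTP client libraries happily connect to.
    let tld = labels[labels.len() - 1];
    if !(tld.chars().all(|c| c.is_ascii_alphabetic()) || tld.starts_with("xn--")) {
        return Err(HostError::NumericTld);
    }
    if BLOCKED_HOST_SUFFIXES.iter().any(|s| host == *s || host.ends_with(&format!(".{s}"))) {
        return Err(HostError::BlockedName);
    }
    if labels.len() < 2 { return Err(HostError::SingleLabel); }
    Ok(host)
}

fn forbidden_v4(ip: Ipv4Addr) -> bool {
    let o = ip.octets();
    ip.is_private() || ip.is_loopback() || ip.is_link_local() || ip.is_broadcast()
        || ip.is_multicast() || ip.is_unspecified() || ip.is_documentation()
        || o[0] == 0                              // 0.0.0.0/8 "this network"
        || (o[0] == 100 && (o[1] & 0xc0) == 64)  // 100.64.0.0/10 shared address space
}

/// Semantic guard applied to the address a validated name resolves to: refuse loopback,
/// private, link-local (169.254.0.0/16 holds the cloud metadata service) and other
/// non-public space. The relay must then connect to exactly the address that passed.
pub fn is_forbidden_ip(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => forbidden_v4(v4),
        IpAddr::V6(v6) => {
            let (s, o) = (v6.segments(), v6.octets());
            if s[..6] == [0, 0, 0, 0, 0, 0xffff] {
                // IPv4-mapped ::ffff:a.b.c.d is judged as the embedded IPv4 address.
                return forbidden_v4(Ipv4Addr::new(o[12], o[13], o[14], o[15]));
            }
            v6.is_loopback() || v6.is_unspecified() || v6.is_multicast()
                || (s[0] & 0xfe00) == 0xfc00   // fc00::/7 unique local
                || (s[0] & 0xffc0) == 0xfe80   // fe80::/10 link local
        }
    }
}

/// eTLD+1 of a host under the stand-in suffix list; None when the host is itself a public
/// suffix or ends in an unknown suffix (fail closed rather than guess).
pub fn registrable_domain(host: &str) -> Option<String> {
    let labels: Vec<&str> = host.split('.').collect();
    let mut best = 0; // longest matching suffix wins, so "github.io" beats "io"
    for suffix in PUBLIC_SUFFIXES {
        let n = suffix.split('.').count();
        if n <= labels.len() && n > best && labels[labels.len() - n..].join(".") == *suffix {
            best = n;
        }
    }
    if best == 0 || best == labels.len() { return None; }
    Some(labels[labels.len() - best - 1..].join("."))
}

/// Relay and target must sit under different registrable domains (different operators).
pub fn check_independent(relay: &str, target: &str) -> Result<(), String> {
    let r = registrable_domain(relay).ok_or(format!("relay {relay}: unknown public suffix"))?;
    let t = registrable_domain(target).ok_or(format!("target {target}: unknown public suffix"))?;
    if r == t { Err(format!("relay and target share the operator domain {r}")) } else { Ok(()) }
}

/// Full configuration-time check for a relay/target pair; returns the normalised names.
pub fn validate_pair(relay: &str, target: &str) -> Result<(String, String), String> {
    let r = validate_hostname(relay).map_err(|e| format!("relay {relay}: {e:?}"))?;
    let t = validate_hostname(target).map_err(|e| format!("target {target}: {e:?}"))?;
    check_independent(&r, &t)?;
    Ok((r, t))
}

fn main() {
    let pairs = [("relay.example.net", "odoh.cloudflare-dns.com"),
                 ("relay.example.net", "target.example.net"),
                 ("169.254.169.254", "odoh.cloudflare-dns.com")];
    for (relay, target) in pairs { println!("{relay} -> {target}: {:?}", validate_pair(relay, target)); }
    println!("169.254.169.254 forbidden: {}", is_forbidden_ip("169.254.169.254".parse().unwrap()));
}
```

The name check and the address check only work together if the relay connects to the exact address that passed `is_forbidden_ip` rather than resolving the name a second time at connect time; otherwise a name that passed validation can later resolve to a metadata or loopback address (DNS rebinding). The eTLD+1 comparison is a heuristic: it catches `relay.example.net` paired with `target.example.net`, and correctly treats `alice.github.io` and `bob.github.io` as different operators, but it cannot see shared hosting or a shared operator behind two unrelated domains.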

Remaining Risks and Trust Considerations

Numa’s self-hosted ODoH relay is a notable advance, but several risks remain. Most critically, the relay-target separation that RFC 9230 mandates depends on strict operational independence, which Numa enforces with an eTLD+1 check. That domain-based heuristic is pragmatic but not foolproof: misconfigurations or shared infrastructure that domain boundaries do not reveal could still enable correlation attacks, undermining the privacy guarantee.

The relay’s view of client IPs, even though it sees only encrypted queries, is also a vector for traffic analysis. An adversary with a suitable network vantage point might still infer user behavior patterns or timing correlations, especially if relay deployment scales unevenly or lacks geographic diversity.

The target resolver’s ability to log decrypted queries remains an inherent trust bottleneck. Even with an uncompromised relay, a malicious or subpoenaed target can collect sensitive DNS records and potentially reveal browsing habits. Numa’s design does not mitigate this endpoint risk, which reflects a broader limitation of ODoH architectures: the privacy gain is partial and depends heavily on a trustworthy target operator. The SSRF protections in the hostname validator shrink the attack surface but cannot rule out zero-day vulnerabilities or misuse of the relay’s privileges that would expose internal metadata services.

Finally, operational complexity brings its own pitfalls. Running a self-hosted relay demands careful configuration and ongoing security maintenance; errors in TLS certificate management, relay-target pairing or software updates could expose users to downgrade attacks or traffic leakage. Numa’s Rust implementation offers memory safety and a compact codebase, but it is still early-stage software with little real-world deployment data, which leaves open questions about resilience under load, resistance to denial-of-service attempts and the practical overhead of keeping relay and target infrastructures truly independent.

In sum, Numa v0.14’s ODoH relay is a thoughtful engineering effort that cannot fully escape the trade-offs and trust assumptions built into the ODoH model. Its privacy gains are meaningful but conditional: they depend on rigorous operational discipline, vigilant threat modeling and acceptance of residual risks that persist even in well-architected deployments.
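To make the trust split and the traffic-analysis point concrete, here is an added simulation (constructed for this article, not Numa’s code) of one ODoH exchange. It records what the relay and the target can each log, and then shows the size side channel: without padding, the ciphertext the relay forwards has a length that tracks the length of the query name, while padding the plaintext body to a fixed block size, as the padding field in RFC 9230’s message format allows, removes that signal. A keyed XOR stands in for the HPKE encryption ODoH really uses, and the addresses, key and answer are constructed values.

```rust
/// What the relay can record about one exchange: who connected and the opaque blobs it
/// forwarded. Constructed model for this illustration, not Numa's own types.
#[derive(Debug, Clone, PartialEq)]
pub struct RelayView { pub client_ip: String, pub ciphertext: Vec<u8>, pub answer_len: usize }

/// What the target can record: the relay's address and the decrypted question.
#[derive(Debug, Clone, PartialEq)]
pub struct TargetView { pub peer_ip: String, pub qname: String }

/// Stand-in for ODoH's HPKE encryption (constructed, NOT secure): XOR with a key-derived
/// keystream. It only has to make bytes opaque to the relay in this model; like real AEAD
/// output, its length follows the plaintext length, which is the leak padding blunts.
fn seal(key: &[u8; 32], data: &[u8]) -> Vec<u8> {
    data.iter().enumerate()
        .map(|(i, b)| b ^ key[i % 32] ^ (i as u8).wrapping_mul(0x9d))
        .collect()
}
fn open(key: &[u8; 32], data: &[u8]) -> Vec<u8> { seal(key, data) } // XOR is its own inverse

/// Length-prefixed body with zero padding up to a multiple of `pad_to` (0 = no padding),
/// playing the role of the padding field in RFC 9230's plaintext message.
fn encode_padded(text: &str, pad_to: usize) -> Vec<u8> {
    let mut body = (text.len() as u16).to_be_bytes().to_vec();
    body.extend_from_slice(text.as_bytes());
    if pad_to > 0 {
        let want = (body.len() + pad_to - 1) / pad_to * pad_to;
        body.resize(want, 0);
    }
    body
}
fn decode_padded(body: &[u8]) -> String {
    let n = u16::from_be_bytes([body[0], body[1]]) as usize;
    String::from_utf8_lossy(&body[2..2 + n]).into_owned()
}

/// Client -> relay -> target and back. Returns the relay's view, the target's view and the
/// answer the client recovers.
pub fn odoh_exchange(client_ip: &str, relay_ip: &str, qname: &str, key: &[u8; 32], pad_to: usize)
    -> (RelayView, TargetView, String)
{
    // Client: encrypt under the target's key material, which the relay never holds.
    let query_ct = seal(key, &encode_padded(qname, pad_to));
    // Target: learns only the relay's address plus the plaintext question.
    let q = decode_padded(&open(key, &query_ct));
    let target = TargetView { peer_ip: relay_ip.to_string(), qname: q.clone() };
    let answer_ct = seal(key, &encode_padded(&format!("{q} A 192.0.2.10"), pad_to)); // constructed answer
    // Relay: learns the client's address and the blob sizes, nothing about the name.
    let relay = RelayView { client_ip: client_ip.to_string(), ciphertext: query_ct, answer_len: answer_ct.len() };
    let answer = decode_padded(&open(key, &answer_ct));
    (relay, target, answer)
}

/// Can the relay (or an observer on its links) tell two queries apart by size alone?
pub fn sizes_distinguish(a: &str, b: &str, pad_to: usize) -> bool {
    let key = [7u8; 32]; // constructed key
    let (ra, _, _) = odoh_exchange("198.51.100.7", "203.0.113.5", a, &key, pad_to);
    let (rb, _, _) = odoh_exchange("198.51.100.7", "203.0.113.5", b, &key, pad_to);
    ra.ciphertext.len() != rb.ciphertext.len()
}

fn main() {
    let key = [7u8; 32];
    let (relay, target, answer) = odoh_exchange("198.51.100.7", "203.0.113.5", "example.com", &key, 0);
    println!("relay saw : {relay:?}");
    println!("target saw: {target:?}");
    println!("client got: {answer}");
    for pad in [0, 128] {
        let leak = sizes_distinguish("a.example", "a-much-longer-hostname.example.org", pad);
        println!("pad_to={pad}: sizes distinguish short vs long name: {leak}");
    }
}
```

Padding hides only the size of one message; the timing and volume correlations the section discusses need a different answer (more clients per relay, traffic that is not bursty, geographically spread relays), and nothing here changes what the target logs, since it must see the plaintext question to answer it.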

What This Means for Private DNS Deployment

For organizations and individuals seeking stronger DNS privacy, Numa v0.14’s self-hosted ODoH relay is a compelling option that balances control with confidentiality. Running the relay in-house reduces dependence on third-party infrastructure and the external data exposure and centralized trust that come with it, and the Rust binary makes deployment straightforward without deep system integration.

It is not a silver bullet. The relay only obscures the link between client IPs and DNS queries; the target resolver still sees decrypted queries and can log or analyze them, so operators must choose trustworthy target resolvers or add further layers of privacy protection. And despite the SSRF protections and operator independence checks, traffic analysis and metadata correlation remain potential attack vectors.

In practice, deploying Numa’s ODoH relay requires a clear understanding of the guarantees it offers and the residual risks it leaves intact. It suits environments where control over query routing is paramount and where the threat model accepts that some data points remain exposed downstream. For casual users, relying solely on a self-hosted ODoH relay may give a false sense of complete privacy. Numa’s release nudges private DNS deployment toward more decentralized models, but it also underscores the ongoing challenge: true privacy requires vigilance not just in technology choice but in configuration, operational discipline and the trust assumptions beyond the relay itself.