May 14, 2026
Private DNS, public meltdown
Show HN: Running the second public ODoH relay
A tiny privacy project drops, and the comments instantly spiral into trust issues and turtle jokes
TLDR: A developer launched a public relay for Oblivious DNS over HTTPS (ODoH), a privacy protocol that keeps any one party from seeing both who is asking and which site they are asking about, pitching it as a privacy option without Apple lock-in or paid accounts. The comments immediately split between intrigued and deeply suspicious, with people asking whether this solves anything at all or just adds another layer of trust.
A developer just launched what they say is only the second public relay for Oblivious DNS over HTTPS (ODoH), a privacy-friendly way to send DNS lookups without one company seeing both who you are and which site you’re asking for. The relay sees your IP address but only an encrypted query; the target resolver decrypts the query but sees only the relay’s address. In plain English: it tries to stop your DNS resolver from knowing everything about you in one place. The creator says it avoids the usual traps of Apple-only features, paid subscriptions, and account-based services, and built in guardrails so the relay can’t be abused as an open proxy into networks it shouldn’t reach.
But the real fireworks were in the comments, where the crowd immediately turned this from a neat launch into a full-on trust crisis. One camp basically asked, “Cool, but who are we trusting now?” That vibe peaked with Bender’s wonderfully gloomy “turtles all the way down” take: if someone controls the middlemen, the promises can always be rearranged. Another commenter bluntly questioned the whole point, saying if the name of the server still leaks elsewhere, is this just privacy theater with extra steps?
Then came the existential dread. One user asked what it would take to get truly anonymous DNS, only to answer themselves with a shrugging “probably impossible.” And because no internet discussion is complete without a wild left turn, someone saw “private TLD” and immediately asked if this was somehow about crypto. So yes: a niche privacy tool arrived, and the comments responded with skepticism, philosophy, and just enough paranoia to keep things spicy.
Key Points
- The article presents ODoH (Oblivious DNS over HTTPS) as a DNS privacy protocol that separates the client IP address from the DNS query by using distinct relay and target roles.
- Numa v0.14 adds ODoH support as both a client transport and a relay mode, and the author deployed a public relay as part of the release.
- The implementation uses HPKE and Cloudflare’s `odoh-rs` library to encrypt queries and responses, so the relay sees ciphertext only.
- The relay includes SSRF protections and an eTLD+1 same-operator check to reduce abuse and to preserve the privacy assumptions of ODoH, which hold only while the relay and the target are run by different parties.
- The article says ODoH does not prevent the target from seeing or logging queries, does not protect traffic beyond a recursive target, and can still be vulnerable to traffic analysis on small relays.
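To make the relay/target split and the two abuse checks from the key points concrete, here is an added example of the relay side of ODoH in Python. It is not Numa's code and does not use `odoh-rs`; it only models what RFC 9230 asks of a relay: accept a POST of `application/oblivious-dns-message` at `/proxy?targethost=…&targetpath=…`, refuse targets that would make the relay an SSRF proxy (any non-global address) or that share the relay's own eTLD+1, and forward the opaque ciphertext with nothing that identifies the client. The public-suffix table, the name-to-address map (`FAKE_DNS`), the recording HTTPS stand-in (`fake_send`) and all host names are constructed for the example so it runs offline; a real relay would load the Public Suffix List and use its HTTPS client in their place.

```python
"""Relay-side checks for a public ODoH relay (RFC 9230).

Added example for this page; not Numa's code and not odoh-rs. The client POSTs
an HPKE-encrypted query (application/oblivious-dns-message) to
/proxy?targethost=<host>&targetpath=<path>; the relay forwards the opaque body
to https://<host><path>. DNS and HTTPS are injected callables so it runs offline.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import parse_qs, urlsplit

ODOH_MEDIA_TYPE = "application/oblivious-dns-message"

# Constructed, abbreviated public-suffix table covering only the demo names;
# a real relay should load the Public Suffix List (publicsuffix.org).
PUBLIC_SUFFIXES = {"com", "net", "org", "io", "co.uk", "github.io"}

def etld_plus_one(host: str) -> Optional[str]:
    """Registrable domain (eTLD+1) of host, or None if it has none."""
    labels = host.lower().rstrip(".").split(".")
    if ".".join(labels) in PUBLIC_SUFFIXES:
        return None
    for i in range(1, len(labels)):  # longest matching public suffix wins
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return None

@dataclass
class RelayResponse:
    status: int
    body: bytes = b""
    reason: str = ""

def check_target(host: str, path: str, relay_host: str,
                 resolve: Callable[[str], list]) -> Optional[str]:
    """Return a rejection reason, or None if the target is acceptable."""
    if not host or any(c in host for c in "/@:?#") or not path.startswith("/"):
        return "malformed targethost/targetpath"  # hostname or IPv4 literal only
    # SSRF check: every address the name maps to must be globally routable.
    # Loopback, RFC 1918, link-local (cloud metadata) and documentation ranges
    # all fail is_global. Check ALL answers and connect to exactly these
    # addresses afterwards, so a rebinding between check and use cannot help.
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    if not addrs or not all(a.is_global for a in addrs):
        return "target resolves to a non-global address"
    # Same-operator check: relay and target under one eTLD+1 means one party
    # could join client IP to query, which is exactly what ODoH separates.
    target_org = etld_plus_one(host)
    if target_org is None or target_org == etld_plus_one(relay_host):
        return "target shares eTLD+1 with relay or has no registrable domain"
    return None

def relay(path_and_query: str, content_type: str, body: bytes, relay_host: str,
          resolve: Callable[[str], list],
          send: Callable[[str, dict, bytes], tuple]) -> RelayResponse:
    """Validate one relay request and forward the opaque body to the target."""
    if content_type != ODOH_MEDIA_TYPE:
        return RelayResponse(415, reason="unsupported media type")
    parts = urlsplit(path_and_query)
    if parts.path != "/proxy":
        return RelayResponse(404, reason="unknown path")
    q = parse_qs(parts.query)
    host, path = q.get("targethost", [""])[0], q.get("targetpath", [""])[0]
    reason = check_target(host, path, relay_host, resolve)
    if reason:
        return RelayResponse(403, reason=reason)
    # Forward only the ciphertext: no client IP, no X-Forwarded-For, no cookies.
    headers = {"Content-Type": ODOH_MEDIA_TYPE, "Accept": ODOH_MEDIA_TYPE}
    status, ctype, resp_body = send(f"https://{host}{path}", headers, body)
    if ctype != ODOH_MEDIA_TYPE:
        return RelayResponse(502, reason="target returned a non-ODoH response")
    return RelayResponse(status, resp_body)

# Constructed stand-ins for DNS and HTTPS; 9.9.9.9 just plays "a public address".
FAKE_DNS = {"odoh.example.net": ["9.9.9.9"], "odoh.example.com": ["9.9.9.9"],
            "internal.example.net": ["10.0.0.5"], "v6doc.example.org": ["2001:db8::1"],
            "rebind.example.net": ["9.9.9.9", "127.0.0.1"]}
SENT = []  # (url, headers, body) tuples the relay would have sent over HTTPS

def fake_send(url: str, headers: dict, body: bytes) -> tuple:
    SENT.append((url, headers, body))
    return 200, ODOH_MEDIA_TYPE, b"<encrypted answer>"

def run(targethost: str, targetpath: str = "/dns-query", ctype: str = ODOH_MEDIA_TYPE,
        relay_host: str = "relay.example.com") -> RelayResponse:
    """Drive one request through the relay with the constructed stand-ins."""
    return relay(f"/proxy?targethost={targethost}&targetpath={targetpath}", ctype,
                 b"<encrypted query>", relay_host, lambda h: FAKE_DNS.get(h, []), fake_send)

if __name__ == "__main__":
    for t in ("odoh.example.net", "odoh.example.com", "169.254.169.254", "rebind.example.net"):
        print(t, run(t))
```

Two details matter more than the code volume suggests. The SSRF check rejects a name if any of its addresses is non-global, not just the first one, and the relay should then connect to the addresses it checked rather than resolving again, otherwise a DNS-rebinding target can pass the check and still point the relay at the metadata endpoint. And the eTLD+1 comparison is what keeps the relay honest about the page's caveat: ODoH only separates identity from query while two different operators hold the two halves, so a relay that will happily forward to a target under its own domain has quietly undone the protocol.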