Numa v0.14 ships an ODoH (RFC 9230) client and relay in one MIT-licensed Rust binary, adding a second public relay to a near-empty ecosystem.
Key Takeaways
DoH/DoT encrypt transport but don’t hide queries from the resolver; ODoH splits IP visibility from query visibility across two independent operators using HPKE (RFC 9180).
The relay (numa relay [PORT]) is SSRF-hardened with a regex-strict hostname validator blocking IP literals, non-443 ports, and IDN; same-eTLD+1 operator pairs are rejected by default.
Default config pairs odoh-relay.numa.rs (Hetzner VPS, Caddy, systemd) with odoh.cloudflare-dns.com – two independent operators out of the box, no account required.
Key limits: the target (Cloudflare) still sees the question unattributed; small relays are vulnerable to traffic-analysis re-identification; HPKE pubkey distribution relies on WebPKI trust.
Running cargo install numa and setting mode = "odoh" in numa.toml is the full setup; a docker-compose recipe ships preconfigured.
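
A sketch of the kind of target validation and operator-pair check described in the takeaways above, as an added example that is not Numa's own code. It uses hand-written character checks rather than a regex, approximates eTLD+1 with the last two labels (a real check needs the Public Suffix List), and the names validate_target, site and pair_allowed are hypothetical.

```rust
use std::net::IpAddr;

/// Validate a target given as "host" or "host:443"; returns the lowercased host.
fn validate_target(target: &str) -> Result<String, &'static str> {
    // Bracketed IPv6 literals and raw (non-ASCII) IDN input are refused outright.
    if target.starts_with('[') { return Err("ip literal"); }
    if !target.is_ascii() { return Err("non-ascii hostname"); }
    let (host, port) = match target.rsplit_once(':') {
        Some((h, p)) => (h, Some(p)),
        None => (target, None),
    };
    if port.is_some() && port != Some("443") { return Err("port must be 443"); }
    let host = host.to_ascii_lowercase();
    if host.parse::<IpAddr>().is_ok() { return Err("ip literal"); }
    if host.len() > 253 { return Err("name too long"); }
    let labels: Vec<&str> = host.split('.').collect();
    if labels.len() < 2 { return Err("not a fully qualified name"); }
    for l in &labels {
        let charset_ok = l.bytes().all(|b| b.is_ascii_lowercase() || b.is_ascii_digit() || b == b'-');
        if l.is_empty() || l.len() > 63 || !charset_ok || l.starts_with('-') || l.ends_with('-') {
            return Err("bad label");
        }
        if l.starts_with("xn--") { return Err("idn label"); } // punycode-encoded IDN
    }
    // Letters-only TLD also rejects shorthand IPv4 forms such as "127.1" or "0x7f.0.0.0x1".
    if !labels[labels.len() - 1].bytes().all(|b| b.is_ascii_lowercase()) {
        return Err("non-alphabetic tld");
    }
    Ok(host)
}

/// Naive stand-in for eTLD+1 (last two labels); a real check needs the Public Suffix List.
fn site(host: &str) -> String {
    let l: Vec<&str> = host.rsplitn(3, '.').collect();
    format!("{}.{}", l[1], l[0])
}

/// Reject relay/target pairs that appear to belong to the same operator.
fn pair_allowed(relay: &str, target: &str) -> Result<(), &'static str> {
    let (r, t) = (validate_target(relay)?, validate_target(target)?);
    if site(&r) == site(&t) { return Err("same registrable domain"); }
    Ok(())
}

fn main() {
    // Constructed sample inputs, apart from the two hostnames named on the page.
    for t in ["odoh.cloudflare-dns.com", "127.0.0.1", "example.com:8443", "xn--bcher-kva.example"] {
        println!("{t:28} -> {:?}", validate_target(t));
    }
    println!("{:?}", pair_allowed("odoh-relay.numa.rs", "odoh.cloudflare-dns.com"));
}
```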