For years, ODoH (Oblivious DNS-over-HTTPS) has had a chicken-and-egg problem: it's the one privacy DNS protocol that doesn't need an account, but in practice there was basically *one* well-known public relay — Frank Denis's, the default in dnscrypt-proxy. One relay is not really a network. It's a single point of trust and a single point of failure.
Now there's a second. A developer at numa.rs has stood up a public ODoH relay and shipped a client to talk to it ([source](https://numa.rs/blog/posts/odoh-anonymous-dns-without-an-account.html)). The whole point of ODoH is separation of concerns: the relay sees your IP but not your query, the resolver sees your query but not your IP. That guarantee only holds if the relay and resolver are run by different people. Two operators is the bare minimum for that to mean anything.
Compare this to the alternatives. NextDNS wants an account. Cloudflare for Families wants you inside their ecosystem. iCloud Private Relay is paid, Apple-only, and not really DNS. ODoH is the only mainstream option where you can get unlinkable DNS without handing over an identity — and it's been quietly under-deployed because nobody was running the infrastructure.
My take: if you care about DNS privacy, point dnscrypt-proxy at a relay/resolver pair where the two are run by different orgs, and rotate. And if you run infra, ODoH relays are cheap to host and genuinely useful — we need ten more of these, not two.
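One way to check a configuration against that advice, as an added example that is not from the original post or from dnscrypt-proxy: it lints a route list shaped like dnscrypt-proxy's `[anonymized_dns]` `routes` entries (`server_name`, `via`) and flags routes where relay and resolver share an operator, or where fewer than two independent relays are available to rotate across. The server names, the operator mapping and the `min_relays` threshold are constructed assumptions; operator attribution is something you have to supply yourself.

```python
"""Lint ODoH routes for operator separation and relay rotation."""

# Constructed sample data: names and operators are placeholders, not real servers.
# Operator attribution is an assumption the user supplies; nothing here is looked up.
OPERATORS = {
    "odoh-target-a": "org-a",
    "odoh-target-b": "org-b",
    "odoh-target-c": "org-c",
    "odohrelay-a": "org-a",
    "odohrelay-c": "org-c",
    "odohrelay-d": "org-d",
}

# Same shape as dnscrypt-proxy's [anonymized_dns] routes: server_name + via list.
ROUTES = [
    {"server_name": "odoh-target-a", "via": ["odohrelay-a", "odohrelay-c"]},
    {"server_name": "odoh-target-b", "via": ["odohrelay-c", "odohrelay-d"]},
    {"server_name": "odoh-target-c", "via": ["odohrelay-x"]},
]


def lint_routes(routes, operators, min_relays=2):
    """Return (target, problem, detail) tuples for routes that weaken ODoH's split."""
    findings = []
    for route in routes:
        target = route["server_name"]
        target_op = operators.get(target)
        if target_op is None:
            findings.append((target, "unknown-operator", target))
        usable = set()
        for relay in route.get("via", []):
            relay_op = operators.get(relay)
            if relay_op is None:
                # Separation cannot be verified, so do not count this relay.
                findings.append((target, "unknown-operator", relay))
            elif relay_op == target_op:
                # One party would see both the client IP and the query.
                findings.append((target, "same-operator", relay))
            else:
                usable.add(relay)
        if len(usable) < min_relays:
            # Fewer than min_relays independent relays: nothing to rotate across.
            findings.append((target, "no-rotation", f"{len(usable)} usable relay(s)"))
    return findings


if __name__ == "__main__":
    for target, problem, detail in lint_routes(ROUTES, OPERATORS):
        print(f"{target}: {problem} ({detail})")
```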