Earlier today, Cloudflare announced support for ODoH, a new protocol that (somewhat) solves the problem of having to place significant trust in your DoH provider. The solution involves leveraging a proxy to pass on your request in such a manner that the proxy doesn’t know what your request is, and the DNS resolver doesn’t know who you are. The solution is not perfect - if the proxy and the resolver collude, you’re back at where you started. However, with lower latency than DNS-over-HTTPS-over-Tor, and with (probably) more privacy than standard DNS-over-HTTPS, it might be a sweet-spot for some users. If you’re into this sort of tech, the blog post linked above is very interesting on the protocol and tradeoffs involved.
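The trust split described above is easier to reason about with a small model, so here is an added Go sketch of the three parties (client, proxy, target). It is not code from Cloudflare, the odoh-client-go project or doh.li: real ODoH (RFC 9230) publishes the target key as an ODoHConfig and wraps queries with HPKE, whereas this model substitutes plain X25519 key agreement plus AES-GCM, and the IP addresses and the one-entry "zone" are constructed values. What it shows is what each hop can actually observe: the proxy learns the client's address and relays an opaque blob it cannot read, while the target learns the name but only ever sees the proxy as its peer.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// Envelope is everything the proxy relays: an ephemeral public key plus ciphertext.
type Envelope struct{ EphemeralPub, Ciphertext []byte }

// sharedWith parses a raw X25519 public key and completes the key agreement.
func sharedWith(priv *ecdh.PrivateKey, peerPub []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	return priv.ECDH(pub)
}

// kdf derives a labelled 32-byte AES key from the shared secret, one per direction.
func kdf(label string, shared []byte) []byte {
	k := sha256.Sum256(append([]byte("odoh-model/"+label+":"), shared...))
	return k[:]
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	must(err)
	g, err := cipher.NewGCM(block)
	must(err)
	return g
}

// Each derived key encrypts exactly one message, so a fixed all-zero nonce is
// safe here (HPKE does the same thing with sequence number 0).
func seal(key, plaintext []byte) []byte {
	g := gcm(key)
	return g.Seal(nil, make([]byte, g.NonceSize()), plaintext, nil)
}

func open(key, ciphertext []byte) ([]byte, error) {
	g := gcm(key)
	return g.Open(nil, make([]byte, g.NonceSize()), ciphertext, nil)
}

// Target models the resolver; plain X25519 + AES-GCM stands in for ODoH's HPKE.
type Target struct {
	priv  *ecdh.PrivateKey
	zone  map[string]string // constructed answers standing in for real recursion
	SawIP string            // the peer address the target actually observed
}

func NewTarget() *Target {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	must(err)
	return &Target{priv: priv, zone: map[string]string{"i.argh.in.": "188.8.131.52"}}
}

// PublicKey is what a real target would publish in its ODoHConfig.
func (t *Target) PublicKey() []byte { return t.priv.PublicKey().Bytes() }

// EncryptQuery is the client side: only the target's private key can recover the
// name. The returned response key decrypts the target's reply.
func EncryptQuery(targetPub []byte, name string) (env Envelope, respKey []byte) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	must(err)
	shared, err := sharedWith(eph, targetPub)
	must(err) // a malformed target key is a configuration error in this model
	env = Envelope{eph.PublicKey().Bytes(), seal(kdf("query", shared), []byte(name))}
	return env, kdf("response", shared)
}

// Answer runs on the target: it learns the name and the address that delivered
// the envelope (the proxy), never the client's.
func (t *Target) Answer(from string, env Envelope) ([]byte, error) {
	t.SawIP = from
	shared, err := sharedWith(t.priv, env.EphemeralPub)
	if err != nil {
		return nil, err
	}
	name, err := open(kdf("query", shared), env.Ciphertext)
	if err != nil {
		return nil, err
	}
	ip, ok := t.zone[string(name)]
	if !ok {
		return nil, fmt.Errorf("NXDOMAIN: %q not in constructed zone", name)
	}
	return seal(kdf("response", shared), []byte(ip)), nil
}

// Trace records the answer and what each party observed during one query.
type Trace struct {
	Answer, ProxySawIP, TargetSawIP string
	ProxySawName                    bool
}

// Resolve runs one oblivious query end to end with constructed addresses.
func Resolve(clientIP, name string) (Trace, error) {
	const proxyAddr = "198.51.100.9" // constructed address for the proxy hop
	target := NewTarget()
	env, respKey := EncryptQuery(target.PublicKey(), name)
	// Proxy hop: it sees the client's address and an opaque blob; grepping the
	// blob for the hostname finds nothing.
	tr := Trace{ProxySawIP: clientIP, ProxySawName: bytes.Contains(env.Ciphertext, []byte("argh.in"))}
	encResp, err := target.Answer(proxyAddr, env) // the target's TCP peer is the proxy
	if err != nil {
		return tr, err
	}
	tr.TargetSawIP = target.SawIP
	ip, err := open(respKey, encResp) // only the client holds the response key
	tr.Answer = string(ip)
	return tr, err
}

func main() {
	tr, err := Resolve("203.0.113.7", "i.argh.in.") // constructed client address
	must(err)
	fmt.Printf("%+v\n", tr)
}
```

Running it prints the trace for one query: the proxy field holds the client address and the target field holds the proxy address, and neither party's view contains both. The collusion caveat from the paragraph above is visible in the same trace: a proxy log (client address, time) joined with a target log (name, time) recovers the pair, which is exactly why the two roles must be run by parties that do not share logs.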
To test this:

- Clone the odoh-client-go repo
- Change the default proxy mode to HTTPS in common.go
- Build the client and send a query via the proxy:

```sh
go build -o odoh-client ./cmd/...
./odoh-client odoh --domain i.argh.in. --dnstype A --target odoh.cloudflare-dns.com --proxy doh.li
```
You should hopefully see something like:

```
$ ./odoh-client odoh --domain i.argh.in. --dnstype A --target odoh.cloudflare-dns.com --proxy doh.li
;; opcode: QUERY, status: NOERROR, id: 52470
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;i.argh.in.	IN	 A

;; ANSWER SECTION:
i.argh.in.	8245	IN	A	188.8.131.52
```
As far as I’m aware there are no commonly used clients that support ODoH at the moment, but I will update the instructions on doh.li should that change.