Earlier today, Cloudflare announced support for ODoH (Oblivious DNS-over-HTTPS), a new protocol that (somewhat) solves the problem of having to place significant trust in your DoH provider. The query is encrypted to the resolver's public key and sent via a proxy, so the proxy knows who you are but not what you asked, and the resolver sees the question but only the proxy's address, not yours. The solution is not perfect: if the proxy and the resolver collude (or are run by the same party), you're back where you started. However, with lower latency than DNS-over-HTTPS-over-Tor, and with (probably) more privacy than plain DNS-over-HTTPS, it might be a sweet spot for some users. If you're into this sort of tech, the blog post linked above is very interesting on the protocol and the tradeoffs involved.
In any case, the DoH service I run at doh.li now also supports ODoH proxying, reverse proxying a stripped-down version of Chris Wood’s odoh-server.
To test this:
- Clone the odoh-client-go repo
- Change the default proxy mode to HTTPS in common.go
- Run `go build -o odoh-client ./cmd/...`
- Run `./odoh-client odoh --domain i.argh.in. --dnstype A --target odoh.cloudflare-dns.com --proxy doh.li`
You should hopefully see something like:
$ ./odoh-client odoh --domain i.argh.in. --dnstype A --target odoh.cloudflare-dns.com --proxy doh.li
;; opcode: QUERY, status: NOERROR, id: 52470
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;i.argh.in. IN A
;; ANSWER SECTION:
i.argh.in. 8245 IN A 188.166.143.227
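To make concrete what the proxy hop in that exchange is doing, here is an added example (mine, not code from this page, from odoh-client-go or from Chris Wood's odoh-server): a minimal RFC 9230-style ODoH relay in Go, stdlib only, exercised in-process against a stand-in target. The HPKE layer is left out, so the query body is a constructed placeholder string rather than real ciphertext, and the stand-in target, the `observe` hook, the `scheme` parameter and the `DemoResult` type are inventions for the demo. What it shows is the part that matters for the trust argument: the relay only validates the media type and the `targethost`/`targetpath` parameters and forwards bytes, so the most it could ever log is a destination and a byte count.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Media type carried by every ODoH message (RFC 9230).
const odohContentType = "application/oblivious-dns-message"

// newProxy is the relay role from RFC 9230 section 5: the client names the target with
// ?targethost=...&targetpath=..., the proxy POSTs the opaque body there and returns the
// reply untouched. It never parses the body, so the host and byte count passed to observe
// (a non-nil hook added for this demo) are all it could ever log. scheme is a parameter only
// so the demo can reach an httptest server over plain http; a real proxy forwards over https.
func newProxy(scheme string, out *http.Client, observe func(host string, n int)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, path := r.URL.Query().Get("targethost"), r.URL.Query().Get("targetpath")
		switch {
		case r.Method != http.MethodPost || r.Header.Get("Content-Type") != odohContentType:
			http.Error(w, "POST an application/oblivious-dns-message body", http.StatusUnsupportedMediaType)
			return
		case host == "" || !strings.HasPrefix(path, "/"):
			http.Error(w, "targethost and targetpath are required", http.StatusBadRequest)
			return
		}
		body, _ := io.ReadAll(io.LimitReader(r.Body, 64*1024)) // ODoH messages are small
		observe(host, len(body))
		target := url.URL{Scheme: scheme, Host: host, Path: path}
		resp, err := out.Post(target.String(), odohContentType, bytes.NewReader(body))
		if err != nil {
			http.Error(w, "target unreachable", http.StatusBadGateway)
			return
		}
		defer resp.Body.Close()
		w.Header().Set("Content-Type", resp.Header.Get("Content-Type"))
		w.WriteHeader(resp.StatusCode)
		io.Copy(w, resp.Body)
	})
}

// fakeTarget stands in for the resolver. A real target HPKE-decrypts the query, resolves
// it and encrypts the answer; this constructed stand-in just tags what it received.
func fakeTarget() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, _ := io.ReadAll(r.Body)
		w.Header().Set("Content-Type", odohContentType)
		w.Write(append([]byte("answer-for:"), body...))
	})
}

// post is the client side: one POST to the proxy naming the target in the query string.
func post(c *http.Client, proxyURL, host, path, ctype string, msg []byte) (int, string, error) {
	q := url.Values{"targethost": {host}, "targetpath": {path}}
	resp, err := c.Post(proxyURL+"?"+q.Encode(), ctype, bytes.NewReader(msg))
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), err
}

type DemoResult struct {
	Status, BadTypeStatus, NoTargetStatus int
	Answer, ProxyObserved                 string
}

// RunDemo wires target, proxy and client together in-process and records what each side saw:
// the relayed answer, the proxy's view of the query, and the two rejection paths (a plain DoH
// media type, and a request that names no target).
func RunDemo() (res DemoResult, err error) {
	target := httptest.NewServer(fakeTarget())
	defer target.Close()
	tu, _ := url.Parse(target.URL)
	proxy := httptest.NewServer(newProxy("http", target.Client(), func(h string, n int) {
		res.ProxyObserved = fmt.Sprintf("targethost=%s bytes=%d", h, n)
	}))
	defer proxy.Close()
	c, query := proxy.Client(), []byte("ciphertext-of(i.argh.in. A)") // constructed stand-in for HPKE ciphertext
	if res.Status, res.Answer, err = post(c, proxy.URL, tu.Host, "/dns-query", odohContentType, query); err != nil {
		return res, err
	}
	if res.BadTypeStatus, _, err = post(c, proxy.URL, tu.Host, "/dns-query", "application/dns-message", query); err != nil {
		return res, err
	}
	if res.NoTargetStatus, _, err = post(c, proxy.URL, "", "", odohContentType, query); err != nil {
		return res, err
	}
	return res, nil
}

func main() {
	res, err := RunDemo()
	fmt.Println(res, err)
}
```

Run it with `go run` and the printed result shows the relay returning the target's answer while the proxy itself only observed `targethost=127.0.0.1:<port> bytes=27`. One caveat this demo deliberately leaves out: it forwards to whatever `targethost` the client names, which makes it an open forwarder for anyone who sets the right media type. A proxy you actually expose should restrict `targethost` to the ODoH targets you intend to serve.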
As far as I’m aware there are no commonly used clients that support ODoH at the moment, but I will update the instructions on doh.li should that change.