Hacker News new | ask | show | jobs
by elp 34 days ago
My, admittedly cynical, view of it is that the main selling point is that you share your data with the person running the ODoH server.

The truth is that very very few people run their own recursive nameserver. The entirely reasonable assumption for any authoritative nameserver, like .com, is that the query is being asked on behalf of someone else and knowing that a user of your nameserver asked for the ip of sexysheep.com doesn't give them a lot of useful info.

I'm think many ISPs actually sell a lot of data from their recursive nameservers, but I'm willing to bet that almost no-one bothers to sniff port 53 udp traffic going elsewhere.

My vote for the best privacy option is always going to be just run pi-hole with your own recursive nameservers.
3 comments
rdme 34 days ago
The relay sees IP + ciphertext, the target sees question + relay's IP. No single party gets both
link
petcat 34 days ago
What if the relay and target are being operated by the same provider? The relay controls where the question is sent right? They can collude?
link
rdme 34 days ago
no, you are actually telling the relay where to redirect your question from the start (because you are encrypting the question with the public key of the destination resolver) - the relay sending the question where it wants would result in the destination to not be able to decrypt it
link
jiveturkey 34 days ago
If relay and target are operated by the same provider, there is no collusion. Collusion occurs between 2+ parties. You have stipulated that they are the same party.
link
1vuio0pswjnm7 33 days ago
"They can collude?"

There are no limitations on what these parties can do with the data they collect or where they can transfer it

link
petcat 34 days ago
> your own recursive nameserver

But then the internet can know that you are the one using your own resolvers and so they can trivially identify your traffic.

Really you need to use some public resolver with a critical mass of other users in order to have any hope for anonymity. But then of course you have to trust that resolver too.

link
aftbit 34 days ago
I'm disappointed that sexysheep.com is just a domain parking page. I'm not sure what I was hoping for, but I think that's the worst possible outcome.
link