My, admittedly cynical, view of it is that the main selling point is that you share your data with the person running the ODoH server.
The truth is that very very few people run their own recursive nameserver. The entirely reasonable assumption for any authoritative nameserver, like .com, is that the query is being asked on behalf of someone else and knowing that a user of your nameserver asked for the ip of sexysheep.com doesn't give them a lot of useful info.
I think many ISPs actually sell a lot of data from their recursive nameservers, but I'm willing to bet that almost no-one bothers to sniff port 53 udp traffic going elsewhere.
My vote for the best privacy option is always going to be just run pi-hole with your own recursive nameservers.
Why not? Cloudflare makes 1.1.1.1 available over tor although the latency is through the roof and you still need to consider the possibility of fingerprinting the client network stack.
The relay is a systemd unit on a VPS, Caddy for TLS, SSRF-hardened (regex-strict hostnames, no IP literals). eTLD+1 same-operator check rejects relay+target run by the same org by default. HPKE is odoh-rs from Cloudflare.
```
cargo install numa
# set mode = "odoh" in numa.toml
```
Repo: https://github.com/razvandimescu/numa
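An added illustration of the two relay-side checks mentioned in the comment above (strict hostnames with no IP literals, and rejecting a relay and target under the same eTLD+1). This is example code, not numa's or odoh-rs's own; the function names are hypothetical and the public-suffix table is a constructed stand-in for the real list.

```rust
use std::net::IpAddr;

/// Constructed stand-in for the public suffix list (assumption: a real
/// deployment would load the full list rather than these four entries).
const PUBLIC_SUFFIXES: &[&str] = &["com", "net", "org", "co.uk"];

/// Strict hostname grammar: at most 253 chars, dot-separated labels of
/// 1-63 ASCII alphanumerics or hyphens, no leading/trailing hyphen, and
/// never an IPv4/IPv6 literal (so the relay cannot be pointed at raw
/// addresses such as link-local or cloud metadata endpoints).
pub fn is_strict_hostname(host: &str) -> bool {
    let host = host.trim_end_matches('.');
    if host.is_empty() || host.len() > 253 || host.parse::<IpAddr>().is_ok() {
        return false;
    }
    // Bracketed IPv6 literals like "[::1]" fail the label grammar below.
    host.split('.').all(|label| {
        !label.is_empty()
            && label.len() <= 63
            && !label.starts_with('-')
            && !label.ends_with('-')
            && label.chars().all(|c| c.is_ascii_alphanumeric() || c == '-')
    })
}

/// Registrable domain (eTLD+1): the longest matching public suffix plus
/// one more label. Returns None when the host is itself a suffix.
pub fn etld_plus_one(host: &str) -> Option<String> {
    let host = host.trim_end_matches('.').to_ascii_lowercase();
    let labels: Vec<&str> = host.split('.').collect();
    let mut best = 0usize; // label count of the longest matching suffix
    for suffix in PUBLIC_SUFFIXES {
        let n = suffix.split('.').count();
        if labels.len() > n && host.ends_with(format!(".{suffix}").as_str()) && n > best {
            best = n;
        }
    }
    if best == 0 {
        return None;
    }
    Some(labels[labels.len() - best - 1..].join("."))
}

/// The relay forwards to `target` only if both names are well-formed and
/// relay and target do not share a registrable domain, since one operator
/// seeing both client identity and query defeats the point of ODoH.
pub fn relay_accepts(relay: &str, target: &str) -> bool {
    if !is_strict_hostname(relay) || !is_strict_hostname(target) {
        return false;
    }
    match (etld_plus_one(relay), etld_plus_one(target)) {
        (Some(r), Some(t)) => r != t,
        _ => false,
    }
}
```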