Cloudflare recently published a blog post on how Oblivious DNS over HTTPS (ODoH) works. According to the blog post, the purpose of ODoH is to separate DNS queries from the IP addresses that originate them, so that the DoH provider cannot see who is sending the requests. The result is improved privacy for clients.
Schematically, this is how it works:
In the diagram above, you can safely assume that the “target” is the DNS resolver (such as 1.1.1.1). By introducing the proxy between the client and the target resolver, ODoH provides the following guarantees:
However, it looks to me like an overly roundabout way to achieve the three goals above. A plain old HTTP proxy seems adequate to deliver the same three benefits.
The steps with a plain HTTP proxy are:
Now check the three guarantees provided by ODoH above against the plain HTTP proxy setup. Do you see a violation of any of them?
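To make the comparison concrete, here is a small simulation of both setups. It is added here as an illustration and is not code from Cloudflare's post, from the ODoH specification, or from the author. It stands in for ODoH's HPKE encryption with X25519 plus an HMAC-SHA256 key derivation and AES-256-GCM (real ODoH uses HKDF, derives a separate key for the response, and publishes the target's key through DNS; all of that is omitted), and the addresses and the one-entry zone are constructed. The ODoH path seals the question to the target's public key, so the proxy relays an opaque blob and the target sees only the proxy's address. The plain-proxy path models a forward proxy relaying a request it can read; whether a real plain proxy can read the question depends on whether the client-to-resolver leg is encrypted end to end (for example HTTPS tunnelled through CONNECT), so treat that branch as one possible reading of the steps above, not the only one.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// Observation is what one party saw for one request: the address that
// connected to it, and the DNS question if that party could read it.
type Observation struct{ ClientIP, Query string }

// Sealed is the opaque blob the proxy relays: a simplified stand-in for ODoH's
// HPKE-sealed message (ephemeral X25519 public key plus an AES-256-GCM box).
type Sealed struct{ EphemeralPub, Nonce, Ciphertext []byte }

// sessionAEAD runs X25519 between the two keys and derives AES-256-GCM from the
// shared secret; HMAC-SHA256 with a constructed label stands in for ODoH's HKDF.
func sessionAEAD(priv *ecdh.PrivateKey, pub *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := priv.ECDH(pub)
	if err != nil { return nil, err }
	mac := hmac.New(sha256.New, []byte("odoh-example-key"))
	mac.Write(shared)
	block, err := aes.NewCipher(mac.Sum(nil))
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// seal encrypts pt under a fresh random nonce.
func seal(aead cipher.AEAD, pt []byte) (nonce, ct []byte, err error) {
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil { return nil, nil, err }
	return nonce, aead.Seal(nil, nonce, pt, nil), nil
}

// Target is the resolver: it holds the long-term key clients seal queries to,
// a constructed zone in place of real resolution, and a log of what it saw.
type Target struct{ priv *ecdh.PrivateKey; zone map[string]string; Seen []Observation }

func NewTarget() (*Target, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	return &Target{priv: priv, zone: map[string]string{"example.com.": "192.0.2.1"}}, nil
}

func (t *Target) PublicKey() *ecdh.PublicKey { return t.priv.PublicKey() }

// ResolveODoH opens the question and seals the answer under the same derived
// key (real ODoH derives a separate response key; simplified here).
func (t *Target) ResolveODoH(from string, q Sealed) (Sealed, error) {
	pub, err := ecdh.X25519().NewPublicKey(q.EphemeralPub)
	if err != nil { return Sealed{}, err }
	aead, err := sessionAEAD(t.priv, pub)
	if err != nil { return Sealed{}, err }
	name, err := aead.Open(nil, q.Nonce, q.Ciphertext, nil)
	if err != nil { return Sealed{}, err }
	t.Seen = append(t.Seen, Observation{from, string(name)})
	nonce, ct, err := seal(aead, []byte(t.zone[string(name)]))
	return Sealed{Nonce: nonce, Ciphertext: ct}, err
}

// Proxy sits between client and target and logs what it can see.
type Proxy struct{ IP string; Target *Target; Seen []Observation }

// RelayODoH forwards the opaque blob: the proxy learns the client address but
// not the question, and the target sees the proxy's address, not the client's.
func (p *Proxy) RelayODoH(clientIP string, q Sealed) (Sealed, error) {
	p.Seen = append(p.Seen, Observation{clientIP, "<opaque>"})
	return p.Target.ResolveODoH(p.IP, q)
}

// RelayPlainHTTP models an ordinary forward proxy relaying a request it can
// read: both the proxy and the target learn the question.
func (p *Proxy) RelayPlainHTTP(clientIP, name string) string {
	p.Seen = append(p.Seen, Observation{clientIP, name})
	p.Target.Seen = append(p.Target.Seen, Observation{p.IP, name})
	return p.Target.zone[name]
}

// ODoHQuery is the client: seal the question to the target's published key,
// send it through the proxy, and open the answer.
func ODoHQuery(clientIP string, proxy *Proxy, targetPub *ecdh.PublicKey, name string) (string, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return "", err }
	aead, err := sessionAEAD(eph, targetPub)
	if err != nil { return "", err }
	nonce, ct, err := seal(aead, []byte(name))
	if err != nil { return "", err }
	resp, err := proxy.RelayODoH(clientIP, Sealed{eph.PublicKey().Bytes(), nonce, ct})
	if err != nil { return "", err }
	answer, err := aead.Open(nil, resp.Nonce, resp.Ciphertext, nil)
	return string(answer), err
}
```

After an ODoH round trip the proxy's Seen log holds the client address with an opaque query, and the target's log holds the proxy's address with the plaintext question; after RelayPlainHTTP the proxy's log holds both. Sealing to the wrong public key makes the target's Open fail, which is the property that stops the proxy from reading the blob it relays.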