Show HN: Fast, Clientless Oblivious DNS

3 points by barathr over 2 years ago
We built a new secure DNS service at dns.invisv.com or 35.244.200.159 -- give it a try and let us know what you think. "Clientless" in this context means it works on normal devices/browsers/OSes (without requiring special client software): it supports normal clients with DNS-over-HTTPS (DoH) -- at https://dns.invisv.com/dns-query -- and DNS-over-TLS (DoT), but adds the multi-hop privacy of Oblivious DNS.

It’s an alpha service running only on the free tier at fly.io (with servers in three regions/locations in the US: Los Angeles, Dallas, Washington DC) through GCP and Fastly (using our Multi-Party Relay stack). Despite that, it seems to be as fast as other popular DNS services for users in many areas of the US, and, more importantly, we apply the decoupling principle to improve user privacy.

The background here is that normal DNS queries are revealed to the DNS servers we use for everything we do online, and so we all rely upon the promises made by the providers of those DNS services to not log or use that data that they have about all our Internet usage. In prior research, we developed Oblivious DNS (ODNS), which tunneled encrypted DNS queries over DNS, thereby hiding the client's IP/identity from a second-hop DNS resolver that actually sees the unencrypted queries. (The ODNS approach was rolled out over HTTPS for Safari browsing by Apple in iCloud Private Relay.) This approach requires a custom DNS client.

Instead, by tunneling DoH or DoT requests via our Multi-Party Relay (which uses the MASQUE protocol to tunnel requests through a third-party, in this case Fastly), we can enable ordinary DNS client stacks that only support plain DoH or DoT to get the benefits of ODNS.

Eventually we'd like to launch this service at scale, in partnership with another organization, to provide a fast, global, privacy-preserving DNS service that everyone can benefit from.

no comments
