feat: DNS-over-HTTPS upstream forwarding

Encrypt upstream queries via DoH — ISPs see HTTPS traffic on port 443, not plaintext DNS on port 53. URL scheme determines transport: https:// = DoH, bare IP = plain UDP. Falls back to Quad9 DoH when system resolver cannot be detected. - Upstream enum (Udp/Doh) with Display and PartialEq - BytePacketBuffer::from_bytes constructor - reqwest http2 feature for DoH server compatibility - network_watch_loop guards against DoH→UDP silent downgrade - 5 new tests (mock DoH server, HTTP errors, timeout) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-24 00:35:33 +02:00
parent 9c313ef06a
commit 007b8593c5
8 changed files with 294 additions and 25 deletions
--- a/numa.toml
+++ b/numa.toml
@@ -4,9 +4,11 @@ api_port = 5380
 # api_bind_addr = "127.0.0.1"  # default; set to "0.0.0.0" for LAN dashboard access

 # [upstream]
-# address = ""       # auto-detect from system resolver (default)
-# address = "9.9.9.9"  # or set explicitly
-# port = 53
+# address = ""                                  # auto-detect from system resolver (default)
+# address = "https://dns.quad9.net/dns-query"   # DNS-over-HTTPS (encrypted)
+# address = "https://cloudflare-dns.com/dns-query"  # Cloudflare DoH
+# address = "9.9.9.9"                           # plain UDP
+# port = 53                                     # only used for plain UDP
 # timeout_ms = 3000

 # [blocking]