From 730c400ddbdc31991b3eff510ad5dad1db1f7ff4 Mon Sep 17 00:00:00 2001
From: Razvan Dimescu
Date: Sat, 11 Apr 2026 04:01:18 +0300
Subject: [PATCH] feat: enable DoT listener by default
DoT now starts automatically with `sudo numa`, matching the proxy and DoH which are already on by default. The self-signed CA infrastructure is shared with the proxy, so there is no additional setup. This makes `numa setup-phone` work out of the box.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 numa.toml | 2 +-
 src/config.rs | 7 +++++--
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/numa.toml b/numa.toml
index 5ca95f8..92b5411 100644
--- a/numa.toml
+++ b/numa.toml
@@ -93,7 +93,7 @@ tld = "numa"
 # DNS-over-TLS listener (RFC 7858) — encrypted DNS on port 853
 # [dot]
-# enabled = false # opt-in: accept DoT queries
+# enabled = true # on by default; set false to disable
 # port = 853 # standard DoT port
 # bind_addr = "0.0.0.0" # IPv4 or IPv6; unspecified binds all interfaces
 # cert_path = "/etc/numa/dot.crt" # PEM cert; omit to use self-signed (proxy CA if available)
diff --git a/src/config.rs b/src/config.rs
index 708ed4f..6480883 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -411,7 +411,7 @@ pub struct DnssecConfig {
 #[derive(Deserialize, Clone)]
 pub struct DotConfig {
- #[serde(default)]
+ #[serde(default = "default_dot_enabled")]
 pub enabled: bool,
 #[serde(default = "default_dot_port")]
 pub port: u16,
@@ -428,7 +428,7 @@ pub struct DotConfig {
 impl Default for DotConfig {
 fn default() -> Self {
 DotConfig {
- enabled: false,
+ enabled: default_dot_enabled(),
 port: default_dot_port(),
 bind_addr: default_dot_bind_addr(),
 cert_path: None,
@@ -437,6 +437,9 @@ impl Default for DotConfig {
 }
 }
+fn default_dot_enabled() -> bool {
+ true
+}
 fn default_dot_port() -> u16 {
 853
 }
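Review bot: In the numa.toml hunk (`@@ -93,7 +93,7 @@`) the new `enabled = true` comment does not say what the listener is exposed on, while the line two below it shows `bind_addr = "0.0.0.0"`, which the file itself describes as binding all interfaces. If those commented values mirror the built-in defaults (the default for `bind_addr` is not visible in this patch), a stock install now accepts DoT on port 853 from every reachable network. I would spell that out where the operator reads it, e.g. `# enabled = true # on by default, listens on bind_addr:port; set false to disable`, and point to `bind_addr` as the way to narrow the listener to a specific address.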
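Review bot: In src/config.rs (`@@ -411,7 +411,7 @@`), switching `enabled` to `#[serde(default = "default_dot_enabled")]` changes behaviour for every existing config file that omits the `enabled` key, and presumably, through the `Default` impl changed in the next hunk, for configs with no `[dot]` table at all. After an upgrade those installs open a DoT listener they never asked for. The field carries no doc comment recording this, so I would add `/// Defaults to true when the key is absent; set enabled = false under [dot] to keep the listener off.` above `pub enabled: bool,` and call the change out in the release notes. It may also be worth logging the bound address and port at startup so operators notice the new socket; whether that already happens is outside this patch. `DotConfig` continues past the end of the hunk.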
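Review bot: In src/config.rs (`@@ -437,6 +437,9 @@`), `default_dot_enabled` is added as three lines with no blank line among them (the hunk grows from 6 to 9 lines). It therefore sits flush against one neighbour, either the closing brace of `impl Default for DotConfig` or `fn default_dot_port`; the collapsed rendering does not show which. A blank line on both sides would keep the items separated consistently. Since this function is now the single place that decides whether a network listener starts, a one-line comment above it would help, e.g. `// DoT is on by default, like the proxy and DoH; set enabled = false under [dot] to opt out.`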