feat: DoH server endpoint + DoT enabled by default (#79)

* chore: document multi-forwarder and cache warming in config and README Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * feat: DNS-over-HTTPS server endpoint (RFC 8484) Serve DoH at POST /dns-query on the existing HTTPS proxy (port 443). Automatically enabled when proxy TLS is active — no config needed. Also fix zone map priority so local zones override RFC 6762 .local special-use handling. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * style: cargo fmt Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore: remove GoatCounter analytics from site GoatCounter domains (goatcounter.com, gc.zgo.at) are blocked by Hagezi Pro, which is Numa's default blocklist. A DNS privacy tool should not embed analytics that its own resolver blocks. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * feat: enable DoT listener by default DoT now starts automatically with `sudo numa`, matching the proxy and DoH which are already on by default. The self-signed CA infrastructure is shared with the proxy, so there is no additional setup. This makes `numa setup-phone` work out of the box. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-11 04:06:17 +03:00
parent 7770129589
commit 7d6b0ed568
13 changed files with 298 additions and 21 deletions
--- a/src/proxy.rs
+++ b/src/proxy.rs
@@ -4,7 +4,7 @@ use std::sync::Arc;
 use axum::body::Body;
 use axum::extract::{Request, State};
 use axum::response::IntoResponse;
-use axum::routing::any;
+use axum::routing::{any, post};
 use axum::Router;
 use http_body_util::BodyExt;
 use hyper::StatusCode;
@@ -18,6 +18,14 @@ use crate::ctx::ServerCtx;

 type HttpClient = Client<hyper_util::client::legacy::connect::HttpConnector, Body>;

+/// State passed to the DoH handler. Includes the remote address so
+/// `resolve_query` can log the client IP.
+#[derive(Clone)]
+pub struct DohState {
+    pub ctx: Arc<ServerCtx>,
+    pub remote_addr: Option<std::net::SocketAddr>,
+}
+
 #[derive(Clone)]
 struct ProxyState {
    ctx: Arc<ServerCtx>,
@@ -74,9 +82,17 @@ pub async fn start_proxy_tls(ctx: Arc<ServerCtx>, port: u16, bind_addr: Ipv4Addr

    // Hold a separate Arc so we can access tls_config after ctx moves into ProxyState
    let tls_holder = Arc::clone(&ctx);
-    let state = ProxyState { ctx, client };
+    let proxy_state = ProxyState {
+        ctx: Arc::clone(&ctx),
+        client,
+    };

-    let app = Router::new().fallback(any(proxy_handler)).with_state(state);
+    // DoH route (RFC 8484) served only on the TLS listener.
+    // DohState.remote_addr is set per-connection below.
+    let doh_state = DohState {
+        ctx,
+        remote_addr: None,
+    };

    loop {
        let (tcp_stream, remote_addr) = match listener.accept().await {
@@ -91,7 +107,17 @@ pub async fn start_proxy_tls(ctx: Arc<ServerCtx>, port: u16, bind_addr: Ipv4Addr
        // unwrap safe: guarded by is_none() check above
        let acceptor =
            TlsAcceptor::from(Arc::clone(&*tls_holder.tls_config.as_ref().unwrap().load()));
-        let app = app.clone();
+
+        let mut conn_doh_state = doh_state.clone();
+        conn_doh_state.remote_addr = Some(remote_addr);
+
+        let app = Router::new()
+            .route(
+                "/dns-query",
+                post(crate::doh::doh_post).with_state(conn_doh_state),
+            )
+            .fallback(any(proxy_handler))
+            .with_state(proxy_state.clone());

        tokio::spawn(async move {
            let tls_stream = match acceptor.accept(tcp_stream).await {
@@ -232,7 +258,7 @@ pre .str {{ color: #d48a5a }}
    )
 }

-fn extract_host(req: &Request) -> Option<String> {
+pub fn extract_host(req: &Request) -> Option<String> {
    req.headers()
        .get(hyper::header::HOST)
        .and_then(|v| v.to_str().ok())