feat: DoH server endpoint + DoT enabled by default (#79)

* chore: document multi-forwarder and cache warming in config and README Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * feat: DNS-over-HTTPS server endpoint (RFC 8484) Serve DoH at POST /dns-query on the existing HTTPS proxy (port 443). Automatically enabled when proxy TLS is active — no config needed. Also fix zone map priority so local zones override RFC 6762 .local special-use handling. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * style: cargo fmt Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore: remove GoatCounter analytics from site GoatCounter domains (goatcounter.com, gc.zgo.at) are blocked by Hagezi Pro, which is Numa's default blocklist. A DNS privacy tool should not embed analytics that its own resolver blocks. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * feat: enable DoT listener by default DoT now starts automatically with `sudo numa`, matching the proxy and DoH which are already on by default. The self-signed CA infrastructure is shared with the proxy, so there is no additional setup. This makes `numa setup-phone` work out of the box. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-11 04:06:17 +03:00
parent 7770129589
commit 7d6b0ed568
13 changed files with 298 additions and 21 deletions
--- a/tests/integration.sh
+++ b/tests/integration.sh
@@ -622,6 +622,54 @@ CONF
            "10.0.0.1" \
            "$($KDIG +short dot-test.example A 2>/dev/null)"

+        echo ""
+        echo "=== DNS-over-HTTPS (RFC 8484) ==="
+
+        DOH_QUERY_FILE=/tmp/numa-doh-query.bin
+        DOH_RESP_FILE=/tmp/numa-doh-resp.bin
+
+        # Build DNS wire-format query for dot-test.example A
+        printf '\x00\x01\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x08dot-test\x07example\x00\x00\x01\x00\x01' > "$DOH_QUERY_FILE"
+
+        # POST valid DoH query
+        DOH_CODE=$(curl -sk -X POST \
+            --resolve "numa.numa:$PROXY_HTTPS_PORT:127.0.0.1" \
+            -H "Content-Type: application/dns-message" \
+            --data-binary @"$DOH_QUERY_FILE" \
+            --cacert "$CA" \
+            -o "$DOH_RESP_FILE" \
+            -w "%{http_code}" \
+            "https://numa.numa:$PROXY_HTTPS_PORT/dns-query")
+        check "DoH POST returns HTTP 200" "200" "$DOH_CODE"
+
+        # Check response contains IP 10.0.0.1 (hex: 0a000001)
+        DOH_HEX=$(xxd -p "$DOH_RESP_FILE" | tr -d '\n')
+        if echo "$DOH_HEX" | grep -q "0a000001"; then
+            check "DoH response resolves dot-test.example → 10.0.0.1" "found" "found"
+        else
+            check "DoH response resolves dot-test.example → 10.0.0.1" "0a000001" "$DOH_HEX"
+        fi
+
+        # Wrong Content-Type → 415
+        DOH_CT_CODE=$(curl -sk -X POST \
+            -H "Host: numa.numa" \
+            -H "Content-Type: text/plain" \
+            --data-binary @"$DOH_QUERY_FILE" \
+            -o /dev/null -w "%{http_code}" \
+            "https://127.0.0.1:$PROXY_HTTPS_PORT/dns-query")
+        check "DoH wrong Content-Type → 415" "415" "$DOH_CT_CODE"
+
+        # Wrong host → 404 (DoH only serves numa.numa)
+        DOH_HOST_CODE=$(curl -sk -X POST \
+            -H "Host: foo.numa" \
+            -H "Content-Type: application/dns-message" \
+            --data-binary @"$DOH_QUERY_FILE" \
+            -o /dev/null -w "%{http_code}" \
+            "https://127.0.0.1:$PROXY_HTTPS_PORT/dns-query")
+        check "DoH wrong host → 404" "404" "$DOH_HOST_CODE"
+
+        rm -f "$DOH_QUERY_FILE" "$DOH_RESP_FILE"
+
        echo ""
        echo "=== Proxy TLS works with DoT enabled ==="