README.md

@@ -139,6 +139,8 @@ From Machine B: `curl http://api.numa` → proxied to Machine A's port 8000. Ena
 - [x] DNS-over-TLS listener — encrypted client connections (RFC 7858, ALPN strict)
 - [x] Recursive resolution + DNSSEC — chain-of-trust, NSEC/NSEC3
 - [x] SRTT-based nameserver selection
+- [x] Multi-forwarder failover — multiple upstreams with SRTT ranking, fallback pool
+- [x] Cache warming — proactive resolution for configured domains
 - [x] Mobile onboarding — `setup-phone` QR flow, mobile API, mobileconfig profiles
 - [ ] pkarr integration — self-sovereign DNS via Mainline DHT
 - [ ] Global `.numa` names — DHT-backed, no registrar

numa.toml

@@ -12,10 +12,11 @@ api_port = 5380
 # [upstream]
 # mode = "forward"                              # "forward" (default) — relay to upstream
 #                                               # "recursive" — resolve from root hints (no address needed)
+# address = "9.9.9.9"                           # single upstream (plain UDP)
+# address = ["192.168.1.1", "9.9.9.9:5353"]    # multiple upstreams — SRTT picks fastest
 # address = "https://dns.quad9.net/dns-query"   # DNS-over-HTTPS (encrypted)
-# address = "https://cloudflare-dns.com/dns-query"  # Cloudflare DoH
-# address = "9.9.9.9"                           # plain UDP
-# port = 53                                     # only for forward mode, plain UDP
+# fallback = ["8.8.8.8", "1.1.1.1"]            # tried only when all primaries fail
+# port = 53                                     # default port for addresses without :port
 # timeout_ms = 3000
 # root_hints = [                                # only used in recursive mode
 #     "198.41.0.4",      # a.root-servers.net (Verisign)
@@ -54,6 +55,7 @@ api_port = 5380
 max_entries = 10000
 min_ttl = 60
 max_ttl = 86400
+# warm = ["google.com", "github.com"]  # resolve at startup, refresh before TTL expiry
 
 [proxy]
 enabled = true