Summary
Add support for DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) when resolving upstream backend addresses, preventing DNS poisoning and snooping attacks on upstream resolution.
Motivation
- Standard DNS (UDP/53) is unencrypted and vulnerable to spoofing, cache poisoning, and on-path interception
- In proxy mode, a poisoned DNS response could redirect traffic to a malicious upstream, bypassing all other security measures
- Zero-trust architectures require encrypted DNS as a baseline
- Enterprises often mandate encrypted DNS for compliance (SOC2, ISO 27001)
- Complements Synapse's existing security posture — protecting the proxy→upstream path as thoroughly as the client→proxy path
Proposed Features
DNS-over-HTTPS (DoH)
- RFC 8484 compliant
- Support major public resolvers (Cloudflare, Google, Quad9) and private resolvers
- HTTP/2 multiplexing for query performance
- JSON and wire-format support
DNS-over-TLS (DoT)
- RFC 7858 compliant
- Persistent TLS connections to resolver with connection pooling
- Certificate validation with configurable CA
Common Features
- DNS response caching with TTL-aware expiration to minimize resolver round trips
- Fallback chain: DoH → DoT → standard DNS (configurable)
- DNSSEC validation (optional) for response integrity
- Resolver health checking with automatic failover
- Negative caching for NXDOMAIN responses
Configuration
proxy:
dns:
mode: "doh" # standard, doh, dot
resolvers:
- url: "https://1.1.1.1/dns-query" # DoH
priority: 1
- url: "tls://1.1.1.1:853" # DoT
priority: 2
- url: "udp://1.1.1.1:53" # Fallback
priority: 3
cache:
enabled: true
max_entries: 10000
min_ttl: 60 # seconds, floor for short TTLs
max_ttl: 3600 # seconds, cap for long TTLs
dnssec: false
timeout: 5 # seconds per query
bootstrap:
# IP addresses used to resolve DoH hostnames (avoids circular dependency)
- "1.1.1.1"
- "8.8.8.8"
Environment Variables
AX_DNS_MODE — Resolution mode (standard, doh, dot)
AX_DNS_DOH_URL — DoH resolver URL
AX_DNS_DOT_HOST — DoT resolver host
AX_DNS_CACHE_ENABLED — Enable/disable DNS cache
Implementation Notes
- Use
hickory-dns (formerly trust-dns) crate which has native DoH/DoT/DNSSEC support
- Implement as a custom resolver that plugs into upstream discovery (
src/utils/discovery.rs) and src/proxy/gethosts.rs
- Bootstrap resolver IPs must be hardcoded/configured to avoid circular dependency (resolving the DoH hostname itself)
- DNS cache should use
DashMap (already a dependency) for lock-free concurrent access
- Cache should be inspectable via the internal health/status API
- Consider making DoH/DoT feature-gated to keep the default binary lean
- Hot-reloadable via SIGHUP (resolver list changes without restart)
Labels
enhancement, security, networking
Summary
Add support for DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) when resolving upstream backend addresses, preventing DNS poisoning and snooping attacks on upstream resolution.
Motivation
Proposed Features
DNS-over-HTTPS (DoH)
DNS-over-TLS (DoT)
Common Features
Configuration
Environment Variables
AX_DNS_MODE— Resolution mode (standard,doh,dot)AX_DNS_DOH_URL— DoH resolver URLAX_DNS_DOT_HOST— DoT resolver hostAX_DNS_CACHE_ENABLED— Enable/disable DNS cacheImplementation Notes
hickory-dns(formerlytrust-dns) crate which has native DoH/DoT/DNSSEC supportsrc/utils/discovery.rs) andsrc/proxy/gethosts.rsDashMap(already a dependency) for lock-free concurrent accessLabels
enhancement,security,networking