Skip to content

feat: DNS-over-HTTPS/TLS for upstream resolution #218

Description

@pigri

Summary

Add support for DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) when resolving upstream backend addresses, preventing DNS poisoning and snooping attacks on upstream resolution.

Motivation

  • Standard DNS (UDP/53) is unencrypted and vulnerable to spoofing, cache poisoning, and on-path interception
  • In proxy mode, a poisoned DNS response could redirect traffic to a malicious upstream, bypassing all other security measures
  • Zero-trust architectures require encrypted DNS as a baseline
  • Enterprises often mandate encrypted DNS for compliance (SOC2, ISO 27001)
  • Complements Synapse's existing security posture — protecting the proxy→upstream path as thoroughly as the client→proxy path

Proposed Features

DNS-over-HTTPS (DoH)

  • RFC 8484 compliant
  • Support major public resolvers (Cloudflare, Google, Quad9) and private resolvers
  • HTTP/2 multiplexing for query performance
  • JSON and wire-format support

DNS-over-TLS (DoT)

  • RFC 7858 compliant
  • Persistent TLS connections to resolver with connection pooling
  • Certificate validation with configurable CA

Common Features

  • DNS response caching with TTL-aware expiration to minimize resolver round trips
  • Fallback chain: DoH → DoT → standard DNS (configurable)
  • DNSSEC validation (optional) for response integrity
  • Resolver health checking with automatic failover
  • Negative caching for NXDOMAIN responses

Configuration

proxy:
  dns:
    mode: "doh"  # standard, doh, dot
    resolvers:
      - url: "https://1.1.1.1/dns-query"    # DoH
        priority: 1
      - url: "tls://1.1.1.1:853"            # DoT
        priority: 2
      - url: "udp://1.1.1.1:53"             # Fallback
        priority: 3
    cache:
      enabled: true
      max_entries: 10000
      min_ttl: 60        # seconds, floor for short TTLs
      max_ttl: 3600      # seconds, cap for long TTLs
    dnssec: false
    timeout: 5           # seconds per query
    bootstrap:
      # IP addresses used to resolve DoH hostnames (avoids circular dependency)
      - "1.1.1.1"
      - "8.8.8.8"

Environment Variables

  • AX_DNS_MODE — Resolution mode (standard, doh, dot)
  • AX_DNS_DOH_URL — DoH resolver URL
  • AX_DNS_DOT_HOST — DoT resolver host
  • AX_DNS_CACHE_ENABLED — Enable/disable DNS cache

Implementation Notes

  • Use hickory-dns (formerly trust-dns) crate which has native DoH/DoT/DNSSEC support
  • Implement as a custom resolver that plugs into upstream discovery (src/utils/discovery.rs) and src/proxy/gethosts.rs
  • Bootstrap resolver IPs must be hardcoded/configured to avoid circular dependency (resolving the DoH hostname itself)
  • DNS cache should use DashMap (already a dependency) for lock-free concurrent access
  • Cache should be inspectable via the internal health/status API
  • Consider making DoH/DoT feature-gated to keep the default binary lean
  • Hot-reloadable via SIGHUP (resolver list changes without restart)

Labels

enhancement, security, networking

Metadata

Metadata

Assignees

Labels

enhancementNew feature or requestrustPull requests that update rust code

Fields

No fields configured for Feature.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions