NLnetLabs/unbound

[FR] The ability to set `forward-tls-upstream` for some forward addresses in the same forward zone

AppleSheeple opened this issue · 0 comments

Current behavior

In a forward zone, the option `forward-tls-upstream` affects all `forward-addr`s. This is quite limiting, especially for the `.` zone.

Describe the desired feature

The ability to use DoT for some but not all forward addresses in the same forward zone.

One possible solution is to support an `auto` value for `forward-tls-upstream`, and infer whether to enable DoT based on each forward address. Addresses with `@853` and/or `#<dom>` parts will use DoT, and others won't.

Potential use-case

Some secure/encrypted networks (e.g. using WireGuard) may provide an internal DNS address with fast query times. TLS is not enabled in this case since it's not needed from a security PoV, and to avoid any performance overhead. But users may still want to use DoT for fallback addresses.
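As an added illustration (this is not code from the issue, nor from unbound itself), the following Python model parses `forward-addr` values in unbound's `<ip>[@<port>][#<authname>]` syntax and compares the current zone-wide `forward-tls-upstream: yes|no` behaviour with the proposed per-address `auto` inference. The `auto` value is hypothetical (it is the feature being requested, not an existing option). The private address `10.0.0.1` and the sample zone are constructed; the public resolver addresses and auth names are typical `forward-addr` values. One assumption, following the "and/or" wording: an address with `#<dom>` but no `@853` still counts as DoT, and its port stays at unbound's default of 53 because unbound never changes a port on its own.

```python
"""Model of unbound forward-addr parsing and the proposed `auto` DoT rule.

Added example; not part of the NLnetLabs/unbound project.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_PORT = 53  # unbound's default for a forward-addr without an @port suffix
DOT_PORT = 853     # the port the proposal treats as a DoT marker


@dataclass(frozen=True)
class ForwardAddr:
    host: str
    port: int
    explicit_port: bool        # True when the value carried an @port part
    auth_name: Optional[str]   # the #<dom> part, used for TLS auth, if any


def parse_forward_addr(value: str) -> ForwardAddr:
    """Parse '<ip>[@<port>][#<authname>]' into its parts.

    The #authname part, when present, is always last, so it is split off
    first; that also keeps IPv6 colons out of the port parsing.
    """
    rest, has_auth, auth = value.strip().partition("#")
    auth_name = auth if has_auth else None
    if has_auth and not auth_name:
        raise ValueError(f"empty authname in {value!r}")
    host, has_port, port_text = rest.partition("@")
    ipaddress.ip_address(host)  # raises ValueError for anything that is not a literal IP
    if has_port:
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ValueError(f"bad port in {value!r}")
        return ForwardAddr(host, int(port_text), True, auth_name)
    return ForwardAddr(host, DEFAULT_PORT, False, auth_name)


def infer_dot(addr: ForwardAddr) -> bool:
    """Proposed (hypothetical) `auto` rule: DoT if @853 and/or #<dom> is present."""
    return (addr.explicit_port and addr.port == DOT_PORT) or addr.auth_name is not None


def effective_transport(addrs: List[str], forward_tls_upstream: str) -> Dict[str, str]:
    """Map each forward-addr value to "tls" or "plain".

    "yes" and "no" model unbound's current behaviour, where one setting
    applies to every address in the zone; "auto" is the proposed per-address
    inference and does not exist in unbound.
    """
    if forward_tls_upstream not in ("yes", "no", "auto"):
        raise ValueError(f"unsupported forward-tls-upstream value {forward_tls_upstream!r}")
    result: Dict[str, str] = {}
    for value in addrs:
        addr = parse_forward_addr(value)
        if forward_tls_upstream == "auto":
            dot = infer_dot(addr)
        else:
            dot = forward_tls_upstream == "yes"
        result[value] = "tls" if dot else "plain"
    return result


# Constructed sample zone for the WireGuard use case in the issue: a fast
# internal resolver over plain DNS, plus public DoT fallbacks.
SAMPLE_ZONE = [
    "10.0.0.1",                                    # internal resolver, plain DNS
    "1.1.1.1@853#cloudflare-dns.com",              # DoT fallback (IPv4)
    "2606:4700:4700::1111@853#cloudflare-dns.com", # DoT fallback (IPv6)
]

if __name__ == "__main__":
    for setting in ("yes", "no", "auto"):
        print(f"forward-tls-upstream: {setting}")
        for value, transport in effective_transport(SAMPLE_ZONE, setting).items():
            print(f"  {value:45} -> {transport}")
```

With `yes`, the internal `10.0.0.1` resolver is forced onto TLS (and the zone breaks, since it only speaks plain DNS on port 53); with `no`, the fallbacks lose DoT; only the proposed `auto` gives the mix the issue asks for.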