doh-proxy 0.9.12

A DNS-over-HTTPS (DoH) and ODoH (Oblivious DoH) proxy
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73

# CLAUDE.md

This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.

## Project Overview

rust-doh is a production-grade DNS-over-HTTPS (DoH) and Oblivious DoH (ODoH) server written in Rust. It acts as a proxy that adds DoH/ODoH capabilities to any DNS resolver.

## Commands

### Build
```bash
# Standard build
cargo build

# Release build with optimizations
cargo build --release

# Build without TLS support
cargo build --release --no-default-features
```

### Run
```bash
# Basic run (requires DNS resolver at 9.9.9.9:53)
cargo run -- -H 'doh.example.com' -u 127.0.0.1:53 -g <public-ip>

# Run with TLS certificates
cargo run -- -H 'doh.example.com' -u 127.0.0.1:53 -g <public-ip> -i /path/to/fullchain.cer -I /path/to/domain.key

# Run tests (basic integration test)
./test.sh
```

### Check
```bash
# Check compilation
cargo check

# Check with all features
cargo check --all-features
```

## Architecture

The codebase is split into two main components:

1. **Main Application** (`/src/`): CLI interface and configuration handling
   - `main.rs`: Tokio runtime initialization and server startup
   - `config.rs`: Command-line argument parsing with clap
   - `constants.rs`: Default values (ports, timeouts, TTLs)

2. **Core Library** (`/src/libdoh/`): DoH/ODoH protocol implementation
   - `lib.rs`: HTTP request routing and server logic
   - `dns.rs`: DNS packet parsing, TTL management, EDNS0 support
   - `odoh.rs`: Oblivious DoH implementation with key rotation
   - `tls.rs`: Optional TLS termination support
   - `globals.rs`: Shared configuration state

Key architectural decisions:
- Uses Tokio for async/concurrent connection handling
- Supports both UDP and TCP fallback for upstream DNS
- Implements response caching headers and TTL bounds
- Rate limiting through max clients and concurrent connections
- Can run standalone with TLS or behind a reverse proxy

## Development Notes

- The `tls` feature is enabled by default. Disable with `--no-default-features` if running behind a proxy
- HTTP endpoints: `/dns-query` (DoH) and `/.well-known/odohconfigs` (ODoH)
- Accepts both GET (base64url-encoded) and POST methods
- Production optimizations: LTO enabled, single codegen unit in release builds
- Memory allocator: Uses mimalloc for performance