[GH-ISSUE #1438] Expose options for the non-standard query path and connection port while doing DoH (DNS over HTTPS) #668

Open
opened 2026-03-15 23:45:42 +03:00 by kerem · 2 comments

Originally created by @IceCodeNew on GitHub (Apr 6, 2021).
Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/1438

  • Is your feature request related to a problem? Please describe.

As China is continuously blocking the well-known Secure DNS services, it is getting much harder to do DoH queries with trust-dns, as it can only perform standard DNS-over-HTTPS queries.

  • Describe the solution you'd like

This situation could get much better if we made DoH querying work with a custom query path, and even added support for a non-443 port.
Firstly, these features will enlarge the range of Secure DNS services that could work well with trust-dns. Secondly, though I couldn't find strong proof, it seems that a DoH query on a non-standard port is less likely to be censored.

  • Describe alternatives you've considered
    Finding another Secure DNS service that is not blocked by China yet. But I am already about to run out of this kind of trick.

@bluejekyll commented on GitHub (Apr 6, 2021):

I don't have a great solution for you here. But, it's relatively easy to bind to any port you want with the existing library. Not sure if that's enough for what you want or need. Also, query path should be encapsulated inside the TLS stream with DoH, so I don't think the query path should matter. Can you expand on that?

In terms of the trust_dns named config, there isn't an easy way in the existing toml config to do what you need/want, we should fix this, make the protocols and ports more explicit in the network configuration. But (mainly this was added for testing) the --https-port option allows for overriding the default listening port, from named help:

```shell
USAGE:
    named [FLAGS] [OPTIONS]

FLAGS:
    -d, --debug      Turn on DEBUG messages (default is only INFO)
    -h, --help       Prints help information
    -q, --quiet      Disable INFO messages, WARN and ERROR will remain
    -V, --version    Prints version information

OPTIONS:
    -c, --config <FILE>              Path to configuration file [default: /etc/named.toml]
        --https-port <https-port>    Listening port for DNS over HTTPS queries, overrides any value in config file
    -p, --port <port>                Listening port for DNS queries, overrides any value in config file
        --tls-port <tls-port>        Listening port for DNS over TLS queries, overrides any value in config file
    -z, --zonedir <DIR>              Path to the root directory for all zone files, see also config toml
```

As to the resolver, this is also possible when configuring the upstream name_servers: https://docs.rs/trust-dns-resolver/0.20.1/trust_dns_resolver/config/struct.NameServerConfigGroup.html#method.from_ips_clear, but you want the from_ips_encrypted (when dns-over-https is enabled, we're fixing the docs in the next release to include all features on docrs, but you can see that method locally when you use cargo docs).

Hope that helps?


@IceCodeNew commented on GitHub (Apr 6, 2021):

> Also, query path should be encapsulated inside the TLS stream with DoH, so I don't think the query path should matter. Can you expand on that?

Well, I'm not saying that the query path has anything to do with censorship.
It is just the fact that some DoH servers, whose owners have decided to make them listen on a non-443 port, usually also have a custom query path for DoH connections.
So for me it is necessary to have both options: the HTTPS listening port and the query path.

// FYI, I am trying to get trust-dns works with https://101.6.6.6:8443/resolve .


> As to the resolver, this is also possible when configuring the upstream name_servers: https://docs.rs/trust-dns-resolver/0.20.1/trust_dns_resolver/config/struct.NameServerConfigGroup.html#method.from_ips_clear, but you want the from_ips_encrypted (when dns-over-https is enabled, we're fixing the docs in the next release to include all features on docrs, but you can see that method locally when you use cargo docs).

Thanks for your suggestion.

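The request shape the thread is arguing about, as an added example (not trust-dns/hickory code): an RFC 8484 GET request built for the non-standard endpoint quoted above, split into the part an on-path observer sees (host and port) and the part TLS hides (path and encoded query). The `/dns-query` default and the `example.com` query are constructed here; the code builds the request offline and never sends it.

```python
"""Build an RFC 8484 DNS-over-HTTPS GET request for a non-standard endpoint.

Added example, not trust-dns/hickory code. The endpoint URL is the one quoted
in the thread; the example only constructs the request and never sends it.
"""
import base64
import struct
from urllib.parse import urlsplit


def build_query(name: str, qtype: int = 1) -> bytes:
    """Encode a minimal DNS wire-format query (ID 0, RD=1, one question).

    RFC 8484 section 4.1 suggests ID 0 so identical queries produce identical
    URLs, which lets HTTP caches work.
    """
    header = struct.pack(">HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = [lbl.encode("ascii") for lbl in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)  # QCLASS IN


def doh_get_url(template: str, query: bytes) -> str:
    """Attach the query as the base64url 'dns' parameter (RFC 8484 section 6).

    Path and port come from the template unchanged, so a server on
    :8443/resolve is addressed exactly like one on :443/dns-query.
    """
    dns = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    sep = "&" if "?" in template else "?"
    return f"{template}{sep}dns={dns}"


def endpoint_parts(url: str) -> dict:
    """Split a DoH URL into what the network sees and what TLS hides.

    Only the connect address (plus the SNI, when a hostname rather than an IP
    literal is used) is visible on the wire; the request target, including a
    custom path and the encoded query, travels inside the TLS stream.
    '/dns-query' is the conventional template path, assumed here as default.
    """
    u = urlsplit(url)
    return {
        "on_wire": (u.hostname, u.port or 443),
        "in_tls": (u.path or "/dns-query", u.query),
    }
```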