[FR] Add Forward HTTPS feature

[jeanseb6wind]

Current behavior

Currently, in a forward configuration, you can set a forward tls with forward-tls-upstream: yes.

Describe the desired feature

I would like the same feature for HTTPS, with a feature like forward-https-upstream: yes.

Potential use-case

It would allow to pass through rule firewall in some environment.

Thanks

[gthess]

If bypassing the firewall is your only concern you can specify the port to forward to as forward-addr: <ip>@443. Then on the receiving side you can have your target resolver listen on port 443 as well.
This will do DNS-over-TLS (I am assuming forward-tls-upstream: yes) and both ends need to support it.

If the feature request is for upstream DNS-over-HTTPS, that is a whole new feature indeed.

[jeanseb6wind]

Indeed setting the port could be a solution but will not work in practice because advanced firewall check the protocol and allows only HTTPS.

[gthess]

DNS-over-TLS is still encrypted traffic. Have you tried and it doesn't work on your environment?

[jeanseb6wind]

HTTPS adds encapsulation that is detected by the firewall, that's why I specifically need DoH forwarding

[pemensik]

Does that mean that is used on device with some kind of security software, which uses trusted certificate on the host and the firewall re-encrypts the original encrypted session, so it can see also the insides of encrypted channel? What would be advantage of using DoH in such environment?

[Mikaela]

I think this is a duplicate of #308

[gthess]

Closing this as duplicate of #308.