When configuring custom DNS resolvers there is the option to use the DNS over TLS protocol. However, when entering for example “dns.quad9.net” the input is not accepted. Using “9.9.9.9” would work but from my understanding the value has to be a domain name and not an IP address. How does DNS over TLS exactly work with Stalwart v0.16?
Besides that, it would be great to set a priority for each DNS resolver: first I would want Stalwart to use DNS over TLS resolvers, and only in case they fail I want to use a fallback DNS over UDP.
This is a good, clear answer to work with. Here’s the full picture:
The Custom resolver type requires an IP address for the address field – domain names are not supported there. The DnsCustomResolver object’s address field is typed as IpAddr, so you must enter an IP like 9.9.9.9, not a hostname like dns.quad9.net. For Quad9 with TLS, use the dedicated Quad9 resolver type (@type: "Quad9") instead, which has a useTls: true option and handles the hostname/certificate resolution internally.
Regarding DNS over TLS with the Custom type: it is supported – you set "protocol": "tls" per entry – but the endpoint still must be specified as an IP address. For Quad9 DoT that would be 9.9.9.9 (port 853).
Regarding fallback/priority: the Custom resolver’s servers list is a flat list with no priority or fallback ordering documented. There is no built-in mechanism to configure “try DoT first, fall back to UDP” across different resolver types – the DnsResolver object is a single-variant selection (you pick one type). This capability does not appear to be available in the current configuration model.
As a practical workaround for Quad9 specifically: use @type: "Quad9" with useTls: true, which gives you Quad9 over TLS without needing the Custom type at all.
Docs reference: DNS Resolver and DnsResolver object reference
This is an automated reply from the Stalwart Help Bot. Other community members may follow up if this answer is incomplete or wrong. If you found it useful, mention @helpbot in any reply to ask follow-up questions and the bot will respond again.
I tried exactly that with different DNS resolvers but every time I set an IP address with DNS over TLS the resolution doesn’t work anymore. Is this really the correct way to configure DNS over TLS?
Let me dig into the source code to see how the TLS protocol is actually implemented for custom resolvers.
Here’s what the source code reveals about why DoT with an IP address in the Custom resolver may be failing:
When you set "protocol": "tls" on a custom server entry, the server name used for TLS certificate validation is set to the string representation of the IP address you provided (e.g. "9.9.9.9"). This is almost certainly the root cause of the failure – TLS certificate validation against an IP address string will fail because DoT servers like Quad9 present a certificate for dns.quad9.net, not for 9.9.9.9. The underlying resolver library (hickory-resolver) needs a proper hostname for SNI and certificate verification, but the Custom type’s address field only accepts IpAddr values, so there is no way to supply a hostname through that path.
The correct solution for Quad9 over TLS is to use @type: "Quad9" with "useTls": true – this code path calls ResolverConfig::tls(&QUAD9), which uses the pre-configured Quad9 endpoints with the correct hostname/certificate details baked in. The same applies to Cloudflare DoT: use @type: "Cloudflare" with "useTls": true.
For the fallback/priority question: the source confirms there is a single resolver variant active at a time – there is no layered fallback mechanism between resolver types available in the current implementation.
Docs reference: DNS Resolver | DnsResolver object reference
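To make the certificate-validation failure described above concrete, here is an added Python example; it is not Stalwart or hickory-resolver code. It implements the RFC 6125 reference-identity check a TLS client performs against a certificate's Subject Alternative Name (SAN) entries, and then applies it the way the thread describes the Custom resolver behaving: the expected server name is the string form of the configured IP address. The SAN lists are constructed for illustration and deliberately contain no IP-address entry, as the reply assumes; they are not copied from a real Quad9 certificate.

```python
import ipaddress

# Constructed SAN lists for illustration (NOT taken from real certificates).
# A DoT server's certificate typically carries dNSName entries for its hostname.
QUAD9_LIKE_SAN = [("DNS", "dns.quad9.net"), ("DNS", "*.quad9.net")]
# A certificate that also lists the address as an iPAddress SAN would match an IP.
IP_SAN_EXAMPLE = [("DNS", "resolver.example"), ("IP", "9.9.9.9")]


def _match_dns_name(pattern: str, hostname: str) -> bool:
    """RFC 6125 dNSName match: case-insensitive, trailing dot ignored,
    wildcard allowed only as the entire leftmost label, never for the
    public suffix itself (e.g. '*.net')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def server_name_matches(san_entries, server_name: str) -> bool:
    """Return True if the reference identity `server_name` (what the client
    expects: SNI / configured host) is satisfied by the certificate's SANs.
    An IP-address reference identity is compared ONLY against iPAddress SANs;
    a hostname is compared ONLY against dNSName SANs."""
    try:
        expected_ip = ipaddress.ip_address(server_name)
    except ValueError:
        expected_ip = None
    for kind, value in san_entries:
        if expected_ip is not None:
            if kind == "IP" and ipaddress.ip_address(value) == expected_ip:
                return True
        elif kind == "DNS" and _match_dns_name(value, server_name):
            return True
    return False


def custom_dot_entry_validates(address: str, san_entries) -> bool:
    """Models the behaviour the reply describes for a Custom resolver entry
    with protocol 'tls': the address field is an IP (IpAddr), and the TLS
    server name used for validation is its string representation."""
    ip = ipaddress.ip_address(address)  # the field only accepts IP addresses
    server_name = str(ip)
    return server_name_matches(san_entries, server_name)


if __name__ == "__main__":
    # Custom entry 9.9.9.9 over TLS against a hostname-only certificate: fails.
    print("custom 9.9.9.9 / DNS-only SAN:", custom_dot_entry_validates("9.9.9.9", QUAD9_LIKE_SAN))
    # The same certificate validates when the expected name is the hostname.
    print("hostname dns.quad9.net:", server_name_matches(QUAD9_LIKE_SAN, "dns.quad9.net"))
    # An IP reference identity validates only if the cert has an iPAddress SAN.
    print("custom 9.9.9.9 / IP SAN:", custom_dot_entry_validates("9.9.9.9", IP_SAN_EXAMPLE))
```

The practical reading: the failure is not a transport problem but a name-matching one. Either the client must be told the hostname to expect (which the Custom type cannot express), or the server's certificate must carry the address as an iPAddress SAN; the dedicated Quad9 and Cloudflare resolver types avoid the issue because the hostname is supplied internally.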
You need to enter an IP address; these are the resolver settings, so only IP addresses are accepted.
Thanks for the reply. I did try to use IP addresses with DNS over TLS but then all DNS requests fail. For example I used 9.9.9.9 with port 853 but no DNS requests were successful.
This is ok, but then either the TLS certificate SAN should not be validated or there should be an option to specify the expected DNS name on the certificate.
@stalwart Can DNS over TLS be adjusted to work like @ruffy91 proposed?
This requires a database schema change so it is not a straightforward change. There is a Quad9 resolver you could use instead. You can add this request as a Feature Idea if using the Quad9 resolver directly does not solve it for you.