authorShulhan <ms@kilabit.info>2026-03-26 05:57:47 +0700
committerShulhan <ms@kilabit.info>2026-03-26 05:59:26 +0700
commit06e602df04fe8f8c96505993b7f5c48527f83d63 (patch)
treef1624476efbcfde12d8d7266721f23b402eb8e74
parentce1c579b5db1a51a8e7e1f36c09a4cddb378ebc8 (diff)
all: refactoring DoT and DoH to use listen address instead portHEADmaindev
Using only a port makes DoT and DoH listen on the same IP address as UDP. If we set ListenAddress to 0.0.0.0 and TLS termination is handled by a proxy, DoT and DoH will also listen on all addresses. This behaviour opens the DoT and DoH ports to the public, where they should be on a local address only.
-rw-r--r--_sys/etc/rescached/rescached.cfg6
-rw-r--r--_test/etc/rescached/rescached.cfg4
-rw-r--r--_www/doc/rescached.cfg.adoc20
-rw-r--r--environment.go8
-rw-r--r--go.mod16
-rw-r--r--go.sum28
-rw-r--r--testdata/rescached.cfg.test.out4
7 files changed, 43 insertions, 43 deletions
diff --git a/_sys/etc/rescached/rescached.cfg b/_sys/etc/rescached/rescached.cfg
index 7a3cd18..ddbd02f 100644
--- a/_sys/etc/rescached/rescached.cfg
+++ b/_sys/etc/rescached/rescached.cfg
@@ -35,13 +35,13 @@ listen = 127.0.0.1:53
## Uncomment line below if you want to serve DNS to other computers.
#listen = 0.0.0.0:53
-#http.port = 443
-#tls.port = 853
-
#tls.certificate = /etc/rescached/localhost.pem
#tls.private_key = /etc/rescached/localhost.pem.key
tls.allow_insecure = true
+
+#doh.listen = 127.0.0.1:443
#doh.behind_proxy = false
+#dot.listen = 853
#cache.prune_delay = 1h0m0s
#cache.prune_threshold = -1h0m0s
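Review bot: The sample `#dot.listen = 853` gives only a port, while `#doh.listen = 127.0.0.1:443` two lines above it and `#dot.listen = 127.0.0.1:853` in _test/etc/rescached/rescached.cfg both give a full address. How a bare port is interpreted is not visible in this commit, so a user who uncomments the line may get a startup error or a DoT listener bound to an address they did not choose, which is the exposure the commit message says it wants to remove. I would change it to `#dot.listen = 127.0.0.1:853` and add a comment above the two keys such as `## Keep DoH and DoT on a loopback address when a proxy terminates TLS.`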
diff --git a/_test/etc/rescached/rescached.cfg b/_test/etc/rescached/rescached.cfg
index fd11806..e5e985a 100644
--- a/_test/etc/rescached/rescached.cfg
+++ b/_test/etc/rescached/rescached.cfg
@@ -36,8 +36,8 @@ listen = 127.0.0.1:5350
## Uncomment line below if you want to serve DNS to other computers.
#listen = 0.0.0.0:53
-#http.port = 443
-#tls.port = 853
+#doh.listen = 127.0.0.1:443
+#dot.listen = 127.0.0.1:853
#tls.certificate = /etc/rescached/localhost.pem
#tls.private_key = /etc/rescached/localhost.pem.key
tls.allow_insecure = true
diff --git a/_www/doc/rescached.cfg.adoc b/_www/doc/rescached.cfg.adoc
index ef32b18..33d4567 100644
--- a/_www/doc/rescached.cfg.adoc
+++ b/_www/doc/rescached.cfg.adoc
@@ -156,19 +156,19 @@ query from client.
If you want rescached to serve a query from another host in your local
network, change this value to `0.0.0.0:53`.
-[#http-port]
-==== http.port
+[#doh.listen]
+==== doh.listen
-Format:: Number
-Default:: 443
-Description:: Port to serve DNS over HTTP.
+Format:: String
+Default:: (empty)
+Description:: Address to serve DNS over HTTP.
-[#tls-port]
-==== tls.port
+[#dot.listen]
+==== dot.listen
-Format:: Number
-Default:: 853
-Description:: Port to serve DNS over TLS.
+Format:: String
+Default:: (empty)
+Description:: Address to serve DNS over TLS.
[#tls-certificate]
==== tls.certificate
diff --git a/environment.go b/environment.go
index af2e364..5da037b 100644
--- a/environment.go
+++ b/environment.go
@@ -38,13 +38,13 @@ const (
keyCachePruneDelay = "cache.prune_delay"
keyCachePruneThreshold = "cache.prune_threshold"
keyDohBehindProxy = "doh.behind_proxy"
- keyHTTPPort = "http.port"
+ keyDoHListen = "doh.listen"
+ keyDoTListen = "dot.listen"
keyListen = "listen"
keyParent = "parent"
keyWUIListen = "wui.listen"
keyTLSAllowInsecure = "tls.allow_insecure"
keyTLSCertificate = "tls.certificate"
- keyTLSPort = "tls.port"
keyTLSPrivateKey = "tls.private_key"
dirBlock = "/etc/rescached/block.d"
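Review bot: Removing `keyHTTPPort` and `keyTLSPort` outright leaves no way for the loader to notice an existing rescached.cfg that still sets `http.port` or `tls.port`; as far as this hunk shows, those keys are now ignored, so after an upgrade DoH and DoT may silently stop listening or come up on a default the operator did not pick. The load path is outside the hunk, so this is inferred from the constants alone. I would keep both constants with a comment like `// Deprecated: replaced by doh.listen and dot.listen.` and have the loader log a warning when either key is present. As a naming point, the new `keyDoHListen` and the existing `keyDohBehindProxy` spell the initialism differently; one form should be used for both.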
@@ -255,9 +255,9 @@ func (env *Environment) save(file string) (in *ini.Ini, err error) {
in.Set(sectionNameDNS, subNameServer, keyListen, env.ListenAddress)
- in.Set(sectionNameDNS, subNameServer, keyHTTPPort, strconv.Itoa(int(env.HTTPPort)))
+ in.Set(sectionNameDNS, subNameServer, keyDoHListen, env.DoHListen)
- in.Set(sectionNameDNS, subNameServer, keyTLSPort, strconv.Itoa(int(env.TLSPort)))
+ in.Set(sectionNameDNS, subNameServer, keyDoTListen, env.DoTListen)
in.Set(sectionNameDNS, subNameServer, keyTLSCertificate, env.TLSCertFile)
in.Set(sectionNameDNS, subNameServer, keyTLSPrivateKey, env.TLSPrivateKey)
in.Set(sectionNameDNS, subNameServer, keyTLSAllowInsecure, strconv.FormatBool(env.TLSAllowInsecure))
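Review bot: `env.DoHListen` and `env.DoTListen` are written to the file as given, with no check that a non-empty value is a host:port pair, so a value such as the bare `853` shown in the sample config would be persisted unchanged. Since the point of the commit is to control which address these listeners bind to, save (or whatever sets these fields) should reject malformed input, for example `if env.DoTListen != "" { if _, _, err = net.SplitHostPort(env.DoTListen); err != nil { return nil, err } }` and the same for `env.DoHListen`. The expected output in testdata shows both keys saved empty by default; a short comment on the two `in.Set` lines stating what an empty value means for the listener would help. The body of save begins and ends outside this hunk, so validation may already exist elsewhere.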
diff --git a/go.mod b/go.mod
index 85ef1b7..6766656 100644
--- a/go.mod
+++ b/go.mod
@@ -3,11 +3,11 @@
module git.sr.ht/~shulhan/rescached
-go 1.25.0
+go 1.26.0
require (
git.sr.ht/~shulhan/ciigo v0.16.0
- git.sr.ht/~shulhan/pakakeh.go v0.61.0
+ git.sr.ht/~shulhan/pakakeh.go v0.61.1-0.20260325223430-5a765dc7f90c
)
require (
@@ -15,12 +15,12 @@ require (
github.com/kr/text v0.2.0 // indirect
github.com/yuin/goldmark v1.7.16 // indirect
github.com/yuin/goldmark-meta v1.1.0 // indirect
- golang.org/x/exp v0.0.0-20260112195511-716be5621a96 // indirect
- golang.org/x/mod v0.32.0 // indirect
- golang.org/x/net v0.49.0 // indirect
- golang.org/x/sync v0.19.0 // indirect
- golang.org/x/sys v0.41.0 // indirect
- golang.org/x/tools v0.41.0 // indirect
+ golang.org/x/exp v0.0.0-20260218203240-3dfff04db8fa // indirect
+ golang.org/x/mod v0.33.0 // indirect
+ golang.org/x/net v0.51.0 // indirect
+ golang.org/x/sync v0.20.0 // indirect
+ golang.org/x/sys v0.42.0 // indirect
+ golang.org/x/tools v0.42.0 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
)
diff --git a/go.sum b/go.sum
index 1a58814..5c8bf0d 100644
--- a/go.sum
+++ b/go.sum
@@ -2,8 +2,8 @@ git.sr.ht/~shulhan/asciidoctor-go v0.7.3 h1:QjMMG3AgtnWkAIV2OqPfAksCdgonmY6cQXwy
git.sr.ht/~shulhan/asciidoctor-go v0.7.3/go.mod h1:fdqQrwicDfRycH6ovYIQ5NzwbFIryNSsrFn5Gw0IsOk=
git.sr.ht/~shulhan/ciigo v0.16.0 h1:TOwCaD9mm3hRxbVDsmJ46xRyUxLoH257ACI4M+RLcQo=
git.sr.ht/~shulhan/ciigo v0.16.0/go.mod h1:rgj8D5KwmfFw4kGWXnGTdUQatSWy/RUCriNGWz4mQRw=
-git.sr.ht/~shulhan/pakakeh.go v0.61.0 h1:a/8kcBX0/sCywDbHNrjTmZ4xdJZUZYoedpH1EVuUkPs=
-git.sr.ht/~shulhan/pakakeh.go v0.61.0/go.mod h1:mGR0PxGu4X7Vr2U2/3k4phuPjiFC2seTwJnitk8B4LU=
+git.sr.ht/~shulhan/pakakeh.go v0.61.1-0.20260325223430-5a765dc7f90c h1:c/8ZN6IHTLkWsIB3LyG4U72oM+koI6PVEAt4bFymcWg=
+git.sr.ht/~shulhan/pakakeh.go v0.61.1-0.20260325223430-5a765dc7f90c/go.mod h1:kzKQV2Tm4piiKg5bZ3bj3ipnBExRlhgQrJ5BNXYZ6pQ=
github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
@@ -17,18 +17,18 @@ github.com/yuin/goldmark v1.7.16 h1:n+CJdUxaFMiDUNnWC3dMWCIQJSkxH4uz3ZwQBkAlVNE=
github.com/yuin/goldmark v1.7.16/go.mod h1:ip/1k0VRfGynBgxOz0yCqHrbZXhcjxyuS66Brc7iBKg=
github.com/yuin/goldmark-meta v1.1.0 h1:pWw+JLHGZe8Rk0EGsMVssiNb/AaPMHfSRszZeUeiOUc=
github.com/yuin/goldmark-meta v1.1.0/go.mod h1:U4spWENafuA7Zyg+Lj5RqK/MF+ovMYtBvXi1lBb2VP0=
-golang.org/x/exp v0.0.0-20260112195511-716be5621a96 h1:Z/6YuSHTLOHfNFdb8zVZomZr7cqNgTJvA8+Qz75D8gU=
-golang.org/x/exp v0.0.0-20260112195511-716be5621a96/go.mod h1:nzimsREAkjBCIEFtHiYkrJyT+2uy9YZJB7H1k68CXZU=
-golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c=
-golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU=
-golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o=
-golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8=
-golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
-golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
-golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
-golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc=
-golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg=
+golang.org/x/exp v0.0.0-20260218203240-3dfff04db8fa h1:Zt3DZoOFFYkKhDT3v7Lm9FDMEV06GpzjG2jrqW+QTE0=
+golang.org/x/exp v0.0.0-20260218203240-3dfff04db8fa/go.mod h1:K79w1Vqn7PoiZn+TkNpx3BUWUQksGO3JcVX6qIjytmA=
+golang.org/x/mod v0.33.0 h1:tHFzIWbBifEmbwtGz65eaWyGiGZatSrT9prnU8DbVL8=
+golang.org/x/mod v0.33.0/go.mod h1:swjeQEj+6r7fODbD2cqrnje9PnziFuw4bmLbBZFrQ5w=
+golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=
+golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=
+golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
+golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
+golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
+golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
+golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
diff --git a/testdata/rescached.cfg.test.out b/testdata/rescached.cfg.test.out
index a901f0b..fb6ed61 100644
--- a/testdata/rescached.cfg.test.out
+++ b/testdata/rescached.cfg.test.out
@@ -22,6 +22,8 @@ url = http://someurl
[dns "server"]
listen = 127.0.0.1:5350
+doh.listen =
+dot.listen =
tls.certificate =
tls.private_key =
parent = udp://10.8.0.1
@@ -29,7 +31,5 @@ http.idle_timeout = 0s
cache.prune_delay = 0s
cache.prune_threshold = 0s
debug = 0
-http.port = 0
-tls.port = 0
tls.allow_insecure = true
doh.behind_proxy = false