Proposal for --upstream flag #53

@stephen304

This issue is a proposal for a new flag which would control the behavior of hnsd for queries that were not resolvable by handshake.

The current behavior of hnsd is to attempt to resolve a domain using handshake, and then use a recursive resolver as a fallback to handle ICANN domains.

Motivations:

  • The recursive resolver fails if local DNS traffic (all outbound UDP port 53) is redirected to a specific DNS server. This could be the case on public Wi-Fi.
  • The user may want to use a specific DNS server for ICANN domains
  • The network may not have internet access (using handshake in an intranet or off-grid setting) and may need to configure a local upstream DNS for local queries

Alternate solutions:

  • "Can this forward legacy TLD requests to a particular DNS server?" (#46) suggests using unbound config, which unfortunately seems to take ultimate precedence and redirect everything. Using that method would require maintaining a list of TLDs.
  • The behavior of the unbound config could be changed to only apply to queries destined for ICANN, at the cost of any current use case that relies on the unbound config

Proposal:
Adding an --upstream flag to change the destination of queries that failed to be resolved by handshake.

  • --upstream recursive, the current behavior, would be the default
  • --upstream x.x.x.x would use the specified DNS server instead of the built-in recursive resolver
  • --upstream 2001::0 should accept IPv6 as well

This would avoid interfering with any existing unbound config use case and also not require maintaining a dump of ICANN TLDs while making it easier to handle different network environments.
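
An added example, not part of the original issue and not hnsd's code: one way the value of the proposed --upstream flag could be validated in C, covering the three forms listed above. The names upstream_t and upstream_parse, the fixed port 53, and the choice to reject hostnames are assumptions made for this sketch.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical types for this example; not taken from hnsd. */
typedef enum { UPSTREAM_RECURSIVE, UPSTREAM_FORWARD } upstream_mode_t;
typedef struct { upstream_mode_t mode; struct sockaddr_storage addr; } upstream_t;

/* Parse an --upstream value: "recursive", an IPv4 literal or an IPv6 literal.
 * Hostnames are rejected (assumption): resolving one would need working DNS.
 * Returns true and fills *out on success; false otherwise. */
bool upstream_parse(const char *arg, upstream_t *out) {
  struct in_addr a4;
  struct in6_addr a6;
  if (arg == NULL || out == NULL)
    return false;
  memset(out, 0, sizeof(*out));
  if (strcmp(arg, "recursive") == 0) {
    out->mode = UPSTREAM_RECURSIVE; /* keep the built-in recursive resolver */
    return true;
  }
  /* Parse into temporaries so a failed attempt never leaves partial bytes. */
  if (inet_pton(AF_INET, arg, &a4) == 1) {
    struct sockaddr_in *sin = (struct sockaddr_in *)&out->addr;
    sin->sin_family = AF_INET;
    sin->sin_port = htons(53); /* assumed DNS port */
    sin->sin_addr = a4;
  } else if (inet_pton(AF_INET6, arg, &a6) == 1) {
    struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)&out->addr;
    sin6->sin6_family = AF_INET6;
    sin6->sin6_port = htons(53);
    sin6->sin6_addr = a6;
  } else {
    return false; /* neither the keyword nor an IP literal */
  }
  out->mode = UPSTREAM_FORWARD;
  return true;
}

int main(void) {
  /* Constructed sample values, including ones that must be rejected. */
  const char *samples[] = {"recursive", "192.0.2.53", "2001::0", "dns.example", ""};
  upstream_t up;
  for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
    printf("%-12s -> %s\n", samples[i], upstream_parse(samples[i], &up) ? "ok" : "rejected");
}
```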
