# Shared zone-loading + recursive-forwarding config.
# CoreDNS snippets are textually expanded by `import`, so we keep anything
# that's not transport-specific (TLS) in here.
(common) {
    auto {
        directory /zones (.*)\.zone {1}
        reload 30s
    }
    forward . 1.1.1.1 1.0.0.1 9.9.9.9 {
        max_concurrent 1000
    }
    cache 30
    errors
    log
    loop
    reload 10s
}

# Plain DNS — UDP/TCP :53. Health + metrics live here only (one binding).
. {
    import common
    health :8080
    prometheus :9153
}

# DNS-over-TLS — RFC 7858. Port 853 is the IANA-assigned DoT port.
tls://.:853 {
    tls /etc/coredns/certs/cert.pem /etc/coredns/certs/key.pem
    import common
}

# DNS-over-HTTPS — RFC 8484. Default path is /dns-query.
# Clients: curl -H 'accept: application/dns-message' https://host:8443/dns-query?dns=...
https://.:443 {
    tls /etc/coredns/certs/cert.pem /etc/coredns/certs/key.pem
    import common
}