From e8179f0cb7894c50d9792df8801cae7ecb351d3e Mon Sep 17 00:00:00 2001
From: Cottand <nico.dc@outlook.com>
Date: Fri, 1 Nov 2024 19:42:57 +0000
Subject: [PATCH] update docs to cover DoH privacy via an additional proxy

---
 doc/src/DNS/Privacy.md | 29 +++++++++++++++++++++--------
 handler.go             |  2 ++
 2 files changed, 23 insertions(+), 8 deletions(-)

diff --git a/doc/src/DNS/Privacy.md b/doc/src/DNS/Privacy.md
index d112d86..cadc3cc 100644
--- a/doc/src/DNS/Privacy.md
+++ b/doc/src/DNS/Privacy.md
@@ -10,13 +10,6 @@ for most major browsers ([see how here](https://developers.cloudflare.com/1.1.1.
 
 See how to set it up for leng at [DNS-over-HTTP](DNS-over-HTTPS-(DoH).md).
 
-If all you want is to use DoH, and you do not really care about ad/tracking-blocking,
-using leng instead of an existing DoH provider directly has little
-benefit: you will be getting
-all the features of DoH, but the DNS provider will still know what you are visiting.
-There isn't an easy way around this: we need to resolve your DNS query somehow!
-
-
 
 ## As a DoH proxy
 
@@ -27,8 +20,9 @@ If you have your own private secure network, you can stop
 attackers from learning what websites you visit by using leng as
 a secure proxy:
 
-```mermaid
+<div style="text-align: center">
 
+```mermaid
 graph TD
     subgraph Secure Network
         U("🧘 User") --> |"🔓 Insecure\nDNS-over-UDP"|L[Leng]
@@ -37,6 +31,8 @@ graph TD
     A("👿 Attacker") ---> |Cannot see contents\nof DNS requests | Up
 ```
 
+</div>
+
 This way you allow 'insecure' DNS, but only inside your network,
 and your requests are private to external attackers.
 
@@ -48,3 +44,20 @@ other methods. You can choose the upstream DoH resolver in the
 > Note that this method is only as secure as your network is!
 > Ideally set up as many devices as possible to use DoH directly
 
+
+## Preserving privacy against a single upstream
+
+If you do not trust upstream providers with your privacy, ideally you should
+not send all your requests to any one of them. Because of the authoritative nature of DNS, asking _some_ upstream
+cannot be avoided, but the best you can do is use a fully recursive resolver like [unbound](https://github.com/NLnetLabs/unbound).
+You can still use non-recursive DNS proxies (leng, blocky, or CoreDNS) and their features
+by using unbound as your upstream, and letting unbound resolve your queries.
+
+<div style="text-align: center">
+
+```mermaid
+graph LR
+
+you(("You")) --> leng(leng) --> unbound(unbound) -.-> u1["upstream A"] & u2["upstream B"] & u3["upstream C"]
+```
+</div>
diff --git a/handler.go b/handler.go
index 8519894..feaf7bf 100644
--- a/handler.go
+++ b/handler.go
@@ -225,6 +225,8 @@ func (h *EventLoop) responseFor(Net string, req *dns.Msg, _local net.Addr, _remo
 		return nil, false
 	}
 
+	// if we were doing DNS over UDP, and we got a truncated response,
+	// we retry in TCP in hopes that we do not get a truncated one again.
 	if mesg.Truncated && Net == "udp" {
 		mesg, err = h.resolver.Lookup("tcp", req, h.config.Timeout, h.config.Interval, h.config.Upstream.Nameservers, h.config.Upstream.DoH)
 		if err != nil {