What the backend looks like:

Standard DNS (port 53):

• User (or dnsdist) contacts Pi-hole directly
• Pi-hole checks against the blocklists for a match.
• If it matches, 0.0.0.0 and :: (null addresses for IPv4 and IPv6) are returned. If it does not match, it continues.
• Pi-hole contacts localhost:5453, a dnsproxy instance
• dnsproxy contacts one of its DoH servers.
• dnsproxy returns the address(es) to Pi-hole.
• Pi-hole returns the address(es) to the user.

Secure DNS:

• User contacts dnsdist @ (tls/https)://doh.archuser.org/(dns-query)
• Dnsdist asks localhost:53 (the Pi-hole) for the requested domain.
• See Standard DNS.
• Once dnsdist receives the IP from Pi-hole, it is sent back to the user.

DNS Lookup:

• User enters a DoH/DoT resolver.
• User enters domain to lookup.
• User enters record type to lookup (if left empty, all records will be retuened).
• query.php recives this information.
• query.php checks for potentially dangerous inputs like shell commands. It will fail if detected.
• query.php contacts the q command.
• query.php runs "q -s (DoH/DoT server) (DOMAIN) -t (RECORD TYPE)" and returns the output to the user