diff --git a/Cargo.lock b/Cargo.lock
index e23038aae..cbe2e21e6 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1264,6 +1264,7 @@ dependencies = [
 "hickory-proto",
 "indexmap",
 "log",
+ "rustls 0.23.1",
 "rustls-pki-types",
 "thiserror",
 "tokio",
diff --git a/g3proxy/Cargo.toml b/g3proxy/Cargo.toml
index 28aa8b0ed..dfb7f0b7e 100644
--- a/g3proxy/Cargo.toml
+++ b/g3proxy/Cargo.toml
@@ -95,7 +95,7 @@ tokio-util = { workspace = true, features = ["io"] }
 rustc_version.workspace = true
 
 [features]
-default = ["lua54", "python", "c-ares", "geoip"]
+default = ["lua54", "python", "c-ares", "hickory", "geoip"]
 lua = ["mlua"]
 luajit = ["lua", "mlua/luajit"]
 lua51 = ["lua", "mlua/lua51"]
diff --git a/g3proxy/src/config/resolver/hickory.rs b/g3proxy/src/config/resolver/hickory.rs
index 5abe31e87..4d9ce5f5a 100644
--- a/g3proxy/src/config/resolver/hickory.rs
+++ b/g3proxy/src/config/resolver/hickory.rs
@@ -73,6 +73,10 @@ impl HickoryResolverConfig {
 self.driver.get_server_port()
 }
 
+ pub(crate) fn get_encryption_summary(&self) -> Option {
+ self.driver.get_encryption().map(|c| c.summary())
+ }
+
 pub(crate) fn parse(
 map: &yaml::Hash,
 position: Option,
diff --git a/lib/g3-resolver/Cargo.toml b/lib/g3-resolver/Cargo.toml
index 555995365..43c724f21 100644
--- a/lib/g3-resolver/Cargo.toml
+++ b/lib/g3-resolver/Cargo.toml
@@ -20,6 +20,7 @@ c-ares-resolver = { workspace = true, optional = true }
 c-ares-sys = { workspace = true, optional = true } # for DEP_ version check
 hickory-client = { workspace = true, optional = true }
 hickory-proto = { workspace = true, optional = true, features = ["tokio-runtime"] }
+rustls = { workspace = true, optional = true }
 rustls-pki-types = { workspace = true, optional = true }
 flume = { workspace = true, optional = true, features = ["async"] }
 async-recursion = { workspace = true, optional = true }
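Review bot: `get_encryption_summary` in the hickory.rs hunk is a new `pub(crate)` accessor with no doc comment, and as a one-line forwarder its purpose is not obvious from the config module alone. A single line would do: `/// Human-readable summary of the configured DNS encryption, presumably `None` when the driver has no encryption set.` The `None` case is inferred from `get_encryption()` returning an `Option`; its exact contract lives outside this hunk, so confirm the wording against the driver.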
@@ -30,5 +31,5 @@ g3-hickory-client = { workspace = true, optional = true }
 default = []
 c-ares = ["dep:c-ares", "dep:c-ares-resolver", "dep:c-ares-sys"]
 vendored-c-ares = ["c-ares", "c-ares-resolver/vendored", "c-ares/vendored"]
-hickory = ["dep:hickory-client", "dep:hickory-proto", "dep:flume", "dep:rustls-pki-types", "dep:async-recursion", "dep:g3-hickory-client", "g3-types/rustls"]
+hickory = ["dep:hickory-client", "dep:hickory-proto", "dep:flume", "dep:rustls", "dep:rustls-pki-types", "dep:async-recursion", "dep:g3-hickory-client", "g3-types/rustls"]
 quic = ["g3-types?/quic", "g3-hickory-client?/quic"]
diff --git a/lib/g3-resolver/src/driver/hickory/client.rs b/lib/g3-resolver/src/driver/hickory/client.rs
index e11bad0fa..6eed801ed 100644
--- a/lib/g3-resolver/src/driver/hickory/client.rs
+++ b/lib/g3-resolver/src/driver/hickory/client.rs
@@ -24,7 +24,8 @@ use async_recursion::async_recursion;
 use hickory_client::client::{AsyncClient, ClientHandle};
 use hickory_proto::iocompat::AsyncIoTokioAsStd;
 use hickory_proto::rr::{DNSClass, Name, RData, RecordType};
-use rustls::{ClientConfig, ServerName};
+use rustls::ClientConfig;
+use rustls_pki_types::ServerName;
 use tokio::net::{TcpStream, UdpSocket};
 use tokio::sync::mpsc;
 
@@ -307,7 +308,7 @@ impl HickoryClientConfig {
 async fn new_dns_over_tls_client(
 &self,
 tls_client: ClientConfig,
- tls_name: ServerName,
+ tls_name: ServerName<'static>,
 ) -> anyhow::Result {
 
 use hickory_proto::BufDnsStreamHandle;
@@ -337,7 +338,7 @@ impl HickoryClientConfig {
 async fn new_dns_over_h2_client(
 &self,
 tls_client: ClientConfig,
- tls_name: ServerName,
+ tls_name: ServerName<'static>,
 ) -> anyhow::Result {
 let client_connect = g3_hickory_client::io::h2::connect(
 self.target,
@@ -359,7 +360,7 @@ impl HickoryClientConfig {
 async fn new_dns_over_quic_client(
 &self,
 tls_client: ClientConfig,
- tls_name: &ServerName,
+ tls_name: &ServerName<'static>,
 ) -> anyhow::Result {
 let tls_name = match tls_name {
 ServerName::DnsName(domain) => domain.as_ref().to_string(),
@@ -387,7 +388,7 @@ impl HickoryClientConfig {
 async fn new_dns_over_h3_client(
 &self,
 tls_client: ClientConfig,
- tls_name: &ServerName,
+ tls_name: &ServerName<'static>,
 ) -> anyhow::Result {
 let tls_name = match tls_name {
 ServerName::DnsName(domain) => domain.as_ref().to_string(),
diff --git a/lib/g3-types/src/net/dns/encryption.rs b/lib/g3-types/src/net/dns/encryption.rs
index 9184e45b5..624e87aaa 100644
--- a/lib/g3-types/src/net/dns/encryption.rs
+++ b/lib/g3-types/src/net/dns/encryption.rs
@@ -143,6 +143,20 @@ impl DnsEncryptionConfigBuilder { self.tls_config = config_builder; } + pub fn summary(&self) -> String { + match &self.tls_name { + ServerName::DnsName(n) => format!("{}({})", self.protocol.as_str(), n.as_ref()), + ServerName::IpAddress(ip) => { + format!( + "{}({})", + self.protocol.as_str(), + std::net::IpAddr::from(*ip) + ) + } + _ => format!("{}(other)", self.protocol.as_str()), // FIXME support other server name variants } } + pub fn build_tls_client_config(&self) -> anyhow::Result { self.tls_config.build() }
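Review bot: In `new_dns_over_quic_client` the new signature `tls_name: &ServerName<'static>` demands a `'static` name from callers even though the visible body only borrows it to build an owned `String` via `domain.as_ref().to_string()`; `tls_name: &ServerName<'_>` would accept any borrow and still compile for the existing callers that pass `'static` values. The same applies to `new_dns_over_h3_client` in the following hunk. The by-value parameters of `new_dns_over_tls_client` and `new_dns_over_h2_client` are a different case, since those hand the name on to the transport. Both quic/h3 functions continue past their hunks, so check that no later use of `tls_name` actually needs `'static` before relaxing it.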
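Review bot: The catch-all arm in the new `summary()` carries a `// FIXME support other server name variants` that reads as a temporary gap, but rustls-pki-types declares `ServerName` `#[non_exhaustive]`, so the `_` arm is required for the match to compile no matter how many variants are handled; the comment should state that instead, e.g. `// ServerName is #[non_exhaustive]; DnsName and IpAddress are the only variants today`. `summary()` is also a new `pub fn` without a `///` doc comment; a line such as `/// One-line description of this setup in the form `<protocol>(<server name>)`.` would tell readers what the string looks like and that IP server names are rendered as addresses. The enclosing `impl DnsEncryptionConfigBuilder` runs past the hunk on both sides.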