From bef4ab778487d08225ce88a9e1444ed351f8cbf2 Mon Sep 17 00:00:00 2001
From: Vladislav Yarmak
Date: Thu, 8 Jan 2026 22:38:17 +0200
Subject: [PATCH] use custom CA pool for DoT
---
 main.go | 2 +-
 resolver/factory.go | 11 +++++++++--
 resolver/fast.go | 5 +++--
 3 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/main.go b/main.go
index aa8cf20..7df534c 100644
--- a/main.go
+++ b/main.go
@@ -290,7 +290,7 @@ func run() int {
 mainLogger.Info("Using fixed API host address = %s", args.apiAddress)
 seclientDialer = dialer.NewFixedDialer(args.apiAddress, seclientDialer)
 } else if len(args.bootstrapDNS.values) > 0 {
- resolver, err := resolver.FastFromURLs(args.bootstrapDNS.values...)
+ resolver, err := resolver.FastFromURLs(caPool, args.bootstrapDNS.values...)
 if err != nil {
 mainLogger.Critical("Unable to instantiate DNS resolver: %v", err)
 return 4
diff --git a/resolver/factory.go b/resolver/factory.go
index d650174..7a6c2c5 100644
--- a/resolver/factory.go
+++ b/resolver/factory.go
@@ -1,6 +1,8 @@
 package resolver
 import (
+ "crypto/tls"
+ "crypto/x509"
 "errors"
 "net"
 "net/url"
@@ -9,7 +11,7 @@ import (
 "github.com/ncruces/go-dns"
 )
-func FromURL(u string) (*net.Resolver, error) {
+func FromURL(u string, caPool *x509.CertPool) (*net.Resolver, error) {
 begin:
 parsed, err := url.Parse(u)
 if err != nil {
@@ -54,7 +56,12 @@ begin:
 port = "853"
 }
 hp := net.JoinHostPort(host, port)
- return dns.NewDoTResolver(hp, dns.DoTAddresses(hp))
+ return dns.NewDoTResolver(hp,
+ dns.DoTAddresses(hp),
+ dns.DoTConfig(&tls.Config{
+ RootCAs: caPool,
+ }),
+ )
 default:
 return nil, errors.New("not implemented")
 }
diff --git a/resolver/fast.go b/resolver/fast.go
index bb1508b..692641f 100644
--- a/resolver/fast.go
+++ b/resolver/fast.go
@@ -2,6 +2,7 @@ package resolver
 import (
 "context"
+ "crypto/x509"
 "fmt"
 "net/netip"
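Review bot: FromURL is exported and gains a caPool parameter, but there is still no doc comment stating what a nil pool means; the same gap exists for FastFromURLs in resolver/fast.go, so one convention should be stated at both. Since the pool ends up in tls.Config.RootCAs, nil means the host's root CA set is used, and that is worth saying explicitly, e.g. `// FromURL builds a net.Resolver for the DNS URL u. caPool is the root set used to verify DoT upstreams; nil falls back to the host's root CA set.` The body of FromURL continues outside this hunk.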
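Review bot: The tls.Config handed to dns.DoTConfig sets only RootCAs and no ServerName, so certificate verification now depends on the library still deriving ServerName from hp when a caller-supplied config is present; if DoTConfig installs the config as-is, crypto/tls refuses the handshake without a ServerName (or InsecureSkipVerify), and the safe fix is to populate it from the host already in scope, `ServerName: host,` next to `RootCAs: caPool,`. This should be confirmed against the go-dns version the module pins before relying on the pool for the bootstrap resolver. A why-comment on the config literal would also help the next reader, e.g. `// nil caPool keeps the host's root set; a non-nil pool replaces it, so DoT endpoints must chain to the custom CA.`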
@@ -16,10 +17,10 @@ type FastResolver struct {
 upstreams []LookupNetIPer
 }
-func FastFromURLs(urls ...string) (LookupNetIPer, error) {
+func FastFromURLs(caPool *x509.CertPool, urls ...string) (LookupNetIPer, error) {
 resolvers := make([]LookupNetIPer, 0, len(urls))
 for i, u := range urls {
- res, err := FromURL(u)
+ res, err := FromURL(u, caPool)
 if err != nil {
 return nil, fmt.Errorf("unable to construct resolver #%d (%q): %w", i, u, err)
 }