use custom CA pool for DoT

2026-05-15 07:01:00 +00:00 · 2026-01-08 22:38:17 +02:00
parent a9074c0c92
commit bef4ab7784
3 changed files with 13 additions and 5 deletions
@@ -1,6 +1,8 @@
 package resolver

 import (
+	"crypto/tls"
+	"crypto/x509"
 	"errors"
 	"net"
 	"net/url"
@@ -9,7 +11,7 @@ import (
 	"github.com/ncruces/go-dns"
 )

-func FromURL(u string) (*net.Resolver, error) {
+func FromURL(u string, caPool *x509.CertPool) (*net.Resolver, error) {
 begin:
 	parsed, err := url.Parse(u)
 	if err != nil {
@@ -54,7 +56,12 @@ begin:
 			port = "853"
 		}
 		hp := net.JoinHostPort(host, port)
-		return dns.NewDoTResolver(hp, dns.DoTAddresses(hp))
+		return dns.NewDoTResolver(hp,
+			dns.DoTAddresses(hp),
+			dns.DoTConfig(&tls.Config{
+				RootCAs: caPool,
+			}),
+		)
 	default:
 		return nil, errors.New("not implemented")
 	}
@@ -2,6 +2,7 @@ package resolver

 import (
 	"context"
+	"crypto/x509"
 	"fmt"
 	"net/netip"

@@ -16,10 +17,10 @@ type FastResolver struct {
 	upstreams []LookupNetIPer
 }

-func FastFromURLs(urls ...string) (LookupNetIPer, error) {
+func FastFromURLs(caPool *x509.CertPool, urls ...string) (LookupNetIPer, error) {
 	resolvers := make([]LookupNetIPer, 0, len(urls))
 	for i, u := range urls {
-		res, err := FromURL(u)
+		res, err := FromURL(u, caPool)
 		if err != nil {
 			return nil, fmt.Errorf("unable to construct resolver #%d (%q): %w", i, u, err)
 		}