Fixed --insecure flag for DNS, closes #30

ameshkov · ameshkov · commit 69d8a828e095 · 2025-03-21T11:56:41.000+03:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,6 +14,9 @@ adheres to [Semantic Versioning][semver].
 ### Fixed
 
 * Cannot set User Agent via headers. ([#34][#34])
+* `--insecure` flag is not respected by DNS upstreams. ([#30][#30])
+
+[#30]: https://github.com/ameshkov/gocurl/issues/30
 
 [#34]: https://github.com/ameshkov/gocurl/issues/34
 
diff --git a/internal/config/config.go b/internal/config/config.go
@@ -207,7 +207,7 @@ func ParseConfig() (cfg *Config, err error) {
 	}
 
 	if opts.DNSServers != "" {
-		cfg.DNSServers, err = parseDNSServers(opts.DNSServers)
+		cfg.DNSServers, err = parseDNSServers(opts.DNSServers, opts.Insecure)
 		if err != nil {
 			return nil, fmt.Errorf("invalid dns-servers specified %s: %w", opts.DNSServers, err)
 		}
@@ -349,11 +349,14 @@ func parseResolve(resolve []string) (m map[string][]net.IP, err error) {
 }
 
 // parseDNSServers parses --dns-servers command-line argument and returns the
-// list of upstream.Upstream created from them.
-func parseDNSServers(dnsServers string) (upstreams []upstream.Upstream, err error) {
+// list of upstream.Upstream created from them.  If insecure is true and the
+// upstreams use encrypted DNS, certificate verification will be disabled for
+// them.
+func parseDNSServers(dnsServers string, insecure bool) (upstreams []upstream.Upstream, err error) {
 	addrs := strings.Split(dnsServers, ",")
 	for _, addr := range addrs {
-		u, uErr := upstream.AddressToUpstream(addr, nil)
+		opts := &upstream.Options{InsecureSkipVerify: insecure}
+		u, uErr := upstream.AddressToUpstream(addr, opts)
 		if uErr != nil {
 			return nil, fmt.Errorf("invalid DNS server %s: %w", addr, uErr)
 		}

Original file line number	Diff line number	Diff line change
`@@ -207,7 +207,7 @@ func ParseConfig() (cfg *Config, err error) {`
`207`	`207`	`}`
`208`	`208`
`209`	`209`	`if opts.DNSServers != "" {`
`210`		`- cfg.DNSServers, err = parseDNSServers(opts.DNSServers)`
	`210`	`+ cfg.DNSServers, err = parseDNSServers(opts.DNSServers, opts.Insecure)`
`211`	`211`	`if err != nil {`
`212`	`212`	`return nil, fmt.Errorf("invalid dns-servers specified %s: %w", opts.DNSServers, err)`
`213`	`213`	`}`
`@@ -349,11 +349,14 @@ func parseResolve(resolve []string) (m map[string][]net.IP, err error) {`
`349`	`349`	`}`
`350`	`350`
`351`	`351`	`// parseDNSServers parses --dns-servers command-line argument and returns the`
`352`		`-// list of upstream.Upstream created from them.`
`353`		`-func parseDNSServers(dnsServers string) (upstreams []upstream.Upstream, err error) {`
	`352`	`+// list of upstream.Upstream created from them. If insecure is true and the`
	`353`	`+// upstreams use encrypted DNS, certificate verification will be disabled for`
	`354`	`+// them.`
	`355`	`+func parseDNSServers(dnsServers string, insecure bool) (upstreams []upstream.Upstream, err error) {`
`354`	`356`	`addrs := strings.Split(dnsServers, ",")`
`355`	`357`	`for _, addr := range addrs {`
`356`		`- u, uErr := upstream.AddressToUpstream(addr, nil)`
	`358`	`+ opts := &upstream.Options{InsecureSkipVerify: insecure}`
	`359`	`+ u, uErr := upstream.AddressToUpstream(addr, opts)`
`357`	`360`	`if uErr != nil {`
`358`	`361`	`return nil, fmt.Errorf("invalid DNS server %s: %w", addr, uErr)`
`359`	`362`	`}`