From 40587b62b88f241b0cffcbf9799bd64a3df89dbd Mon Sep 17 00:00:00 2001
From: wwqgtxx
Date: Fri, 6 Jun 2025 00:52:12 +0800
Subject: [PATCH] feat: all dns client support `skip-cert-verify` params
---
 dns/client.go | 8 ++++++--
 dns/doq.go | 13 +++++++++----
 dns/util.go | 4 ++--
 3 files changed, 17 insertions(+), 8 deletions(-)
diff --git a/dns/client.go b/dns/client.go
index 90c79d70..359cb443 100644
--- a/dns/client.go
+++ b/dns/client.go
@@ -108,9 +108,9 @@ func (c *client) ExchangeContext(ctx context.Context, m *D.Msg) (*D.Msg, error)
 func (c *client) ResetConnection() {}
-func newClient(addr string, resolver *Resolver, netType string, proxyAdapter C.ProxyAdapter, proxyName string) *client {
+func newClient(addr string, resolver *Resolver, netType string, params map[string]string, proxyAdapter C.ProxyAdapter, proxyName string) *client {
 host, port, _ := net.SplitHostPort(addr)
- return &client{
+ c := &client{
 Client: &D.Client{
 Net: netType,
 TLSConfig: &tls.Config{
@@ -123,4 +123,8 @@ func newClient(addr string, resolver *Resolver, netType string, proxyAdapter C.P
 host: host,
 dialer: newDNSDialer(resolver, proxyAdapter, proxyName),
 }
+ if params["skip-cert-verify"] == "true" {
+ c.TLSConfig.InsecureSkipVerify = true
+ }
+ return c
 }
diff --git a/dns/doq.go b/dns/doq.go
index ae16dce2..f16300ef 100644
--- a/dns/doq.go
+++ b/dns/doq.go
@@ -61,15 +61,16 @@ type dnsOverQUIC struct {
 bytesPool *sync.Pool
 bytesPoolGuard sync.Mutex
- addr string
- dialer *dnsDialer
+ addr string
+ dialer *dnsDialer
+ skipCertVerify bool
 }
 // type check
 var _ dnsClient = (*dnsOverQUIC)(nil)
 // newDoQ returns the DNS-over-QUIC Upstream.
-func newDoQ(addr string, resolver *Resolver, proxyAdapter C.ProxyAdapter, proxyName string) *dnsOverQUIC {
+func newDoQ(addr string, resolver *Resolver, params map[string]string, proxyAdapter C.ProxyAdapter, proxyName string) *dnsOverQUIC {
 doq := &dnsOverQUIC{
 addr: addr,
 dialer: newDNSDialer(resolver, proxyAdapter, proxyName),
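Review bot: The added `if params["skip-cert-verify"] == "true"` branch at the end of newClient switches certificate validation off without recording it anywhere, and the `@@ -79,6 +80,10 @@` hunk in dns/doq.go does the same for DoQ. Once `InsecureSkipVerify` is true the handshake accepts any certificate, so the upstream is no longer authenticated and whoever sits on the path to it can supply the answers; someone auditing a running instance has no way to see which resolvers are in that state. I would log one warning per client through the project's logger when the flag is set, naming `addr`, and add a comment on the branch such as `// skip-cert-verify=true: upstream is not authenticated, answers can be forged on path`. The comparison is exact, so values like `True` or `1` leave verification on, which is the safe direction but worth stating in the option's documentation. newClient begins in the previous hunk, so the rest of the TLS config is only partly visible.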
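Review bot: The new `skipCertVerify` field is undocumented, and the newDoQ doc comment still describes the constructor as if it took no options. A field that disables peer authentication deserves a comment where it is declared, for example `// skipCertVerify disables certificate validation for the QUIC handshake; set from the skip-cert-verify upstream param.` The comment above newDoQ could add that `params` is read for `skip-cert-verify`. The struct starts above the hunk and the body of newDoQ continues past it.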
@@ -79,6 +80,10 @@ func newDoQ(addr string, resolver *Resolver, proxyAdapter C.ProxyAdapter, proxyN
 },
 }
+ if params["skip-cert-verify"] == "true" {
+ doq.skipCertVerify = true
+ }
+
 runtime.SetFinalizer(doq, (*dnsOverQUIC).Close)
 return doq
 }
@@ -329,7 +334,7 @@ func (doq *dnsOverQUIC) openConnection(ctx context.Context) (conn quic.Connectio
 tlsConfig := ca.GetGlobalTLSConfig(
 &tls.Config{
 ServerName: host,
- InsecureSkipVerify: false,
+ InsecureSkipVerify: doq.skipCertVerify,
 NextProtos: []string{
 NextProtoDQ,
 },
diff --git a/dns/util.go b/dns/util.go
index 97496965..c0fd0ea8 100644
--- a/dns/util.go
+++ b/dns/util.go
@@ -101,9 +101,9 @@ func transform(servers []NameServer, resolver *Resolver) []dnsClient {
 case "rcode":
 c = newRCodeClient(s.Addr)
 case "quic":
- c = newDoQ(s.Addr, resolver, s.ProxyAdapter, s.ProxyName)
+ c = newDoQ(s.Addr, resolver, s.Params, s.ProxyAdapter, s.ProxyName)
 default:
- c = newClient(s.Addr, resolver, s.Net, s.ProxyAdapter, s.ProxyName)
+ c = newClient(s.Addr, resolver, s.Net, s.Params, s.ProxyAdapter, s.ProxyName)
 }
 c = warpClientWithEdns0Subnet(c, s.Params)
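Review bot: The three-line `if` added to newDoQ can be the single assignment `doq.skipCertVerify = params["skip-cert-verify"] == "true"`, or the field can be set in the struct literal above it. The key string is also spelled out a second time in dns/client.go; a shared package-level constant, for example `const skipCertVerifyParam = "skip-cert-verify"`, keeps the two constructors from drifting apart on a security-relevant option name. The struct literal opens outside this hunk.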
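Review bot: `InsecureSkipVerify: doq.skipCertVerify` is handed to `ca.GetGlobalTLSConfig`, whose body is not part of this patch, so it is not visible here whether the wrapper returns the field unchanged or layers its own verification on top. It is worth confirming both directions: that `false` still yields full chain and name checks against `ServerName: host`, and that `true` is not expected by users to keep any pinning or custom-CA check the wrapper may apply. A trailing comment such as `// true only when the upstream sets skip-cert-verify=true` would make the default obvious at the point of use. openConnection starts above the hunk and the config literal continues below it.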