Apply global DNS resolvers to reverse proxy and ACME server modules

Siomachkin · Siomachkin · commit 83175d6d59a1 · 2025-11-09T22:20:47.000+01:00
diff --git a/modules/caddyhttp/reverseproxy/httptransport.go b/modules/caddyhttp/reverseproxy/httptransport.go
@@ -269,6 +269,34 @@ func (h *HTTPTransport) NewTransport(caddyCtx caddy.Context) (*http.Transport, e
 				return d.DialContext(ctx, addr.Network, addr.JoinHostPort(0))
 			},
 		}
+	} else {
+		// If no local resolver is configured, check for global resolvers from TLS app
+		tlsAppIface, err := caddyCtx.App("tls")
+		if err == nil {
+			tlsApp := tlsAppIface.(*caddytls.TLS)
+			if len(tlsApp.Resolvers) > 0 {
+				// Create UpstreamResolver from global resolvers
+				h.Resolver = &UpstreamResolver{
+					Addresses: tlsApp.Resolvers,
+				}
+				err := h.Resolver.ParseAddresses()
+				if err != nil {
+					return nil, err
+				}
+				d := &net.Dialer{
+					Timeout:       time.Duration(h.DialTimeout),
+					FallbackDelay: time.Duration(h.FallbackDelay),
+				}
+				dialer.Resolver = &net.Resolver{
+					PreferGo: true,
+					Dial: func(ctx context.Context, _, _ string) (net.Conn, error) {
+						//nolint:gosec
+						addr := h.Resolver.netAddrs[weakrand.Intn(len(h.Resolver.netAddrs))]
+						return d.DialContext(ctx, addr.Network, addr.JoinHostPort(0))
+					},
+				}
+			}
+		}
 	}
 
 	dialContext := func(ctx context.Context, network, address string) (net.Conn, error) {
diff --git a/modules/caddyhttp/reverseproxy/upstreams.go b/modules/caddyhttp/reverseproxy/upstreams.go
@@ -15,6 +15,7 @@ import (
 	"go.uber.org/zap/zapcore"
 
 	"github.com/caddyserver/caddy/v2"
+	"github.com/caddyserver/caddy/v2/modules/caddytls"
 )
 
 func init() {
@@ -106,6 +107,34 @@ func (su *SRVUpstreams) Provision(ctx caddy.Context) error {
 				return d.DialContext(ctx, addr.Network, addr.JoinHostPort(0))
 			},
 		}
+	} else {
+		// If no local resolver is configured, check for global resolvers from TLS app
+		tlsAppIface, err := ctx.App("tls")
+		if err == nil {
+			tlsApp := tlsAppIface.(*caddytls.TLS)
+			if len(tlsApp.Resolvers) > 0 {
+				// Create UpstreamResolver from global resolvers
+				su.Resolver = &UpstreamResolver{
+					Addresses: tlsApp.Resolvers,
+				}
+				err := su.Resolver.ParseAddresses()
+				if err != nil {
+					return err
+				}
+				d := &net.Dialer{
+					Timeout:       time.Duration(su.DialTimeout),
+					FallbackDelay: time.Duration(su.FallbackDelay),
+				}
+				su.resolver = &net.Resolver{
+					PreferGo: true,
+					Dial: func(ctx context.Context, _, _ string) (net.Conn, error) {
+						//nolint:gosec
+						addr := su.Resolver.netAddrs[weakrand.Intn(len(su.Resolver.netAddrs))]
+						return d.DialContext(ctx, addr.Network, addr.JoinHostPort(0))
+					},
+				}
+			}
+		}
 	}
 	if su.resolver == nil {
 		su.resolver = net.DefaultResolver
@@ -326,6 +355,34 @@ func (au *AUpstreams) Provision(ctx caddy.Context) error {
 				return d.DialContext(ctx, addr.Network, addr.JoinHostPort(0))
 			},
 		}
+	} else {
+		// If no local resolver is configured, check for global resolvers from TLS app
+		tlsAppIface, err := ctx.App("tls")
+		if err == nil {
+			tlsApp := tlsAppIface.(*caddytls.TLS)
+			if len(tlsApp.Resolvers) > 0 {
+				// Create UpstreamResolver from global resolvers
+				au.Resolver = &UpstreamResolver{
+					Addresses: tlsApp.Resolvers,
+				}
+				err := au.Resolver.ParseAddresses()
+				if err != nil {
+					return err
+				}
+				d := &net.Dialer{
+					Timeout:       time.Duration(au.DialTimeout),
+					FallbackDelay: time.Duration(au.FallbackDelay),
+				}
+				au.resolver = &net.Resolver{
+					PreferGo: true,
+					Dial: func(ctx context.Context, _, _ string) (net.Conn, error) {
+						//nolint:gosec
+						addr := au.Resolver.netAddrs[weakrand.Intn(len(au.Resolver.netAddrs))]
+						return d.DialContext(ctx, addr.Network, addr.JoinHostPort(0))
+					},
+				}
+			}
+		}
 	}
 	if au.resolver == nil {
 		au.resolver = net.DefaultResolver
diff --git a/modules/caddypki/acmeserver/acmeserver.go b/modules/caddypki/acmeserver/acmeserver.go
@@ -40,6 +40,7 @@ import (
 	"github.com/caddyserver/caddy/v2"
 	"github.com/caddyserver/caddy/v2/modules/caddyhttp"
 	"github.com/caddyserver/caddy/v2/modules/caddypki"
+	"github.com/caddyserver/caddy/v2/modules/caddytls"
 )
 
 func init() {
@@ -287,7 +288,19 @@ func (ash Handler) openDatabase() (*db.AuthDB, error) {
 // makeClient creates an ACME client which will use a custom
 // resolver instead of net.DefaultResolver.
 func (ash Handler) makeClient() (acme.Client, error) {
-	for _, v := range ash.Resolvers {
+	// If no local resolvers are configured, check for global resolvers from TLS app
+	resolversToUse := ash.Resolvers
+	if len(resolversToUse) == 0 {
+		tlsAppIface, err := ash.ctx.App("tls")
+		if err == nil {
+			tlsApp := tlsAppIface.(*caddytls.TLS)
+			if len(tlsApp.Resolvers) > 0 {
+				resolversToUse = tlsApp.Resolvers
+			}
+		}
+	}
+
+	for _, v := range resolversToUse {
 		addr, err := caddy.ParseNetworkAddressWithDefaults(v, "udp", 53)
 		if err != nil {
 			return nil, err
