Diffstat (limited to 'internal/server')
-rw-r--r--internal/server/doh.go9
-rw-r--r--internal/server/server.go25
2 files changed, 25 insertions, 9 deletions
diff --git a/internal/server/doh.go b/internal/server/doh.go
index 0feb094..9c04d2c 100644
--- a/internal/server/doh.go
+++ b/internal/server/doh.go
@@ -10,6 +10,13 @@ import (
"linum/internal/cache"
)
+func decodeDNSParam(s string) ([]byte, error) {
+ if b, err := base64.RawURLEncoding.DecodeString(s); err == nil {
+ return b, nil
+ }
+ return base64.URLEncoding.DecodeString(s)
+}
+
func (s *Server) dohHandler(w http.ResponseWriter, r *http.Request) {
clientIP := parseHTTPClientIP(r.RemoteAddr)
if !s.isAllowed(clientIP) {
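Review bot: decodeDNSParam has no doc comment explaining why padded input is now accepted, and the leniency is security-relevant. RFC 8484 specifies unpadded base64url for the `dns` parameter, so after this change the same DNS message has more than one valid URL form. Anything that keys on the raw parameter rather than the decoded bytes (an HTTP cache in front of the server, log-based detections) would see distinct values for one query, so it is worth confirming nothing does. I would add `// decodeDNSParam decodes the DoH "dns" query value; RFC 8484 requires unpadded base64url, padded input is accepted only for client compatibility.` above the function. A length bound on the parameter before decoding is not visible in these hunks, and dohHandler's body continues outside them.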
@@ -44,7 +51,7 @@ func (s *Server) dohHandler(w http.ResponseWriter, r *http.Request) {
http.Error(w, "missing dns param", http.StatusBadRequest)
return
}
- decoded, err := base64.RawURLEncoding.DecodeString(param)
+ decoded, err := decodeDNSParam(param)
if err != nil {
http.Error(w, "invalid base64url", http.StatusBadRequest)
return
diff --git a/internal/server/server.go b/internal/server/server.go
index 7bdc917..6661722 100644
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -33,12 +33,12 @@ type Server struct {
rateLimiter *rateLimiter
dot *dns.Server
- mu sync.RWMutex
- upUDP bool
- upTCP bool
- upDoH bool
- upDoT bool
- cancel context.CancelFunc
+ mu sync.RWMutex
+ upUDP bool
+ upTCP bool
+ upDoH bool
+ upDoT bool
+ cancel context.CancelFunc
closeOnce sync.Once
}
@@ -117,6 +117,10 @@ func New(udpAddr, tcpAddr, dohAddr, dotAddr string, tlsCfg *tls.Config, logger *
Handler: dohMux,
ReadTimeout: 5 * time.Second,
WriteTimeout: 5 * time.Second,
+ TLSConfig: tlsCfg,
+ }
+ if tlsCfg == nil {
+ slog.Warn("doh listener configured without tls")
}
}
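Review bot: The new warning uses the package-level `slog.Warn`, while Run logs through `s.logger`. If the `logger` argument of New is a configured `*slog.Logger` (its type is cut off in the hunk header), this message bypasses that logger's handler and attributes and may never reach the stream operators actually watch. Because it reports a downgrade to cleartext DoH, it should go through the injected logger and name the listener, e.g. `logger.Warn("doh listener configured without tls", "addr", dohAddr)`. New's body starts and ends outside the hunk.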
@@ -163,8 +167,13 @@ func (s *Server) Run(ctx context.Context) error {
if s.doh != nil {
go func() {
- s.logger.Info("doh listener active", "addr", s.doh.Addr)
- errCh <- s.doh.ListenAndServe()
+ s.logger.Info("doh listener active", "addr", s.doh.Addr, "tls", s.doh.TLSConfig != nil)
+ if s.doh.TLSConfig != nil {
+ errCh <- s.doh.ListenAndServeTLS("", "")
+ } else {
+ s.logger.Warn("doh listener serving plain http")
+ errCh <- s.doh.ListenAndServe()
+ }
}()
}
if s.dot != nil {
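Review bot: With a nil `TLSConfig` the goroutine falls back to `ListenAndServe`, so a missing or unloaded TLS configuration turns DoH into cleartext HTTP with only a warning, which is fail-open for a protocol whose purpose is query confidentiality. I would make plain HTTP an explicit opt-in (a dedicated setting, or loopback-only addresses) and otherwise return an error from New. If plain mode is meant for use behind a TLS-terminating proxy, note that dohHandler derives the client IP from `r.RemoteAddr`, so `isAllowed` would be evaluating the proxy's address rather than the client's. Separately, `ListenAndServeTLS("", "")` only succeeds when the config itself supplies a certificate (`Certificates`, `GetCertificate` or `GetConfigForClient`); validating that in New would fail earlier and more clearly than the key-pair load error at Run time. Run continues outside the hunk.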