Security-minded communications for Go. Primary goal is to exclusively use HTTPS/TLS for everything, providing both security and privacy for common network needs (DNS, NTP, etc).
The functionality includes:
DNS-over-HTTPS (DOH) client (RFC8484), biased to Cloudflare, Quad9, and Google servers, and utilizing an internal cache.
An HTTPS client, using DOH for DNS lookups, that includes various methods to verify the server/server certificate (system roots, custom roots, pins, etc). Specific support is provided for Cloudfront and Cloudflare, a la CDN domain-fronting style obfuscation of traffic destination. The goal is to attempt to prevent TLS SNI leakage (until Golang natively supports ESNI).
A method to bootstrap receiving current date/time over HTTPS (instead of via NTP), for IoT/RTC-challenged devices. The process is more complicated than it sounds, because you need a reasonably accurate concept of time in order to correctly validate the HTTPS certificate chain and get to the point where you can trust the date/time provided to you.
The code is generally concurrency-safe for use once the client is configured and allocated, but not for live config changes to Client object while running concurrent to lookup/request operations.