Websocket client connections are vulnerable to man-in-the-middle
attacks via DNS spoofing.
When looking up a WSS endpoint using a DNS TXT record, the server
TLS certificate is incorrectly validated using the name of the
server returned by the TXT record request, not the name of the
the server being connected to. This permits any attacker that
can spoof a DNS record to redirect the user to a server of their
choosing.
Providing a *tls.Config with a ServerName field set to the
correct destination hostname will avoid this issue.Read More