diff --git a/cmd/boulder-va/main.go b/cmd/boulder-va/main.go
index ab196c2ff..b364a744f 100644
--- a/cmd/boulder-va/main.go
+++ b/cmd/boulder-va/main.go
@@ -58,6 +58,7 @@ type Config struct {
 		// Leaving this value zero means the VA won't early-cancel slow remotes.
 		SlowRemoteTimeout config.Duration
 		Features          features.Config
+		LabCADomains      []string
 	}
 
 	Syslog        cmd.SyslogConfig
@@ -87,12 +88,16 @@ func main() {
 	clk := clock.New()
 
 	var servers bdns.ServerProvider
+	proto := "udp"
+	if features.Get().DOH {
+		proto = "tcp"
+	}
 
 	if len(c.VA.DNSStaticResolvers) != 0 {
 		servers, err = bdns.NewStaticProvider(c.VA.DNSStaticResolvers)
 		cmd.FailOnError(err, "Couldn't start static DNS server resolver")
 	} else {
-		servers, err = bdns.StartDynamicProvider(c.VA.DNSProvider, 60*time.Second, "tcp")
+		servers, err = bdns.StartDynamicProvider(c.VA.DNSProvider, 60*time.Second, proto)
 		cmd.FailOnError(err, "Couldn't start dynamic DNS server resolver")
 	}
 	defer servers.Stop()
@@ -142,6 +147,7 @@ func main() {
 		va.PrimaryPerspective,
 		"",
 		iana.IsReservedAddr,
+		c.VA.LabCADomains,
 		c.VA.SlowRemoteTimeout.Duration,
 		c.VA.DNSAllowLoopbackAddresses,
 	)