diff --git a/internal/cmd/oohelperd/internal/webconnectivity/http.go b/internal/cmd/oohelperd/internal/webconnectivity/http.go
index d98710f..8400258 100644
--- a/internal/cmd/oohelperd/internal/webconnectivity/http.go
+++ b/internal/cmd/oohelperd/internal/webconnectivity/http.go
@@ -8,6 +8,7 @@ import (
 "sync"
 
 "github.com/ooni/probe-cli/v3/internal/engine/experiment/webconnectivity"
+ "github.com/ooni/probe-cli/v3/internal/model"
 "github.com/ooni/probe-cli/v3/internal/netxlite"
 "github.com/ooni/probe-cli/v3/internal/tracex"
 )
@@ -18,7 +19,7 @@ type CtrlHTTPResponse = webconnectivity.ControlHTTPRequestResult
 
 // HTTPConfig configures the HTTP check.
 type HTTPConfig struct {
- Client *http.Client
+ Client model.HTTPClient
 Headers map[string][]string
 MaxAcceptableBody int64
 Out chan CtrlHTTPResponse
diff --git a/internal/cmd/oohelperd/internal/webconnectivity/measure.go b/internal/cmd/oohelperd/internal/webconnectivity/measure.go
index ccd218b..971df6c 100644
--- a/internal/cmd/oohelperd/internal/webconnectivity/measure.go
+++ b/internal/cmd/oohelperd/internal/webconnectivity/measure.go
@@ -3,7 +3,6 @@ package webconnectivity
 import (
 "context"
 "net"
- "net/http"
 "net/url"
 "sync"
 
@@ -21,7 +20,7 @@ type (
 
 // MeasureConfig contains configuration for Measure.
 type MeasureConfig struct {
- Client *http.Client
+ Client model.HTTPClient
 Dialer model.Dialer
 MaxAcceptableBody int64
 Resolver model.Resolver
diff --git a/internal/cmd/oohelperd/internal/webconnectivity/webconnectivity.go b/internal/cmd/oohelperd/internal/webconnectivity/webconnectivity.go
index 947241a..01a4480 100644
--- a/internal/cmd/oohelperd/internal/webconnectivity/webconnectivity.go
+++ b/internal/cmd/oohelperd/internal/webconnectivity/webconnectivity.go
@@ -14,7 +14,7 @@ import (
 
 // Handler implements the Web Connectivity test helper HTTP API.
 type Handler struct {
- Client *http.Client
+ Client model.HTTPClient
 Dialer model.Dialer
 MaxAcceptableBody int64
 Resolver model.Resolver
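Review bot: The `Client model.HTTPClient` field in HTTPConfig (and the same change in MeasureConfig and Handler in the later hunks) carries no comment saying what the injected client must guarantee. With `*http.Client` the timeout and redirect policy were properties of the concrete type; behind the interface they belong to whichever implementation the caller passes, so the contract should be written on the field, for example `// Client performs the control HTTP request; the caller must supply one with timeouts and a bounded redirect policy.` Because the field is now an interface, a nil `*http.Client` stored in it compares non-nil, so any nil check on Client (none is visible here) would need care. All three struct definitions continue past their hunks.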
diff --git a/internal/cmd/oohelperd/oohelperd.go b/internal/cmd/oohelperd/oohelperd.go
index 42ad103..9da6446 100644
--- a/internal/cmd/oohelperd/oohelperd.go
+++ b/internal/cmd/oohelperd/oohelperd.go
@@ -10,32 +10,33 @@ import (
 
 "github.com/apex/log"
 "github.com/ooni/probe-cli/v3/internal/cmd/oohelperd/internal/webconnectivity"
- "github.com/ooni/probe-cli/v3/internal/engine/netx"
 "github.com/ooni/probe-cli/v3/internal/model"
- "github.com/ooni/probe-cli/v3/internal/runtimex"
+ "github.com/ooni/probe-cli/v3/internal/netxlite"
 )
 
 const maxAcceptableBody = 1 << 24
 
 var (
- dialer model.Dialer
- endpoint = flag.String("endpoint", ":8080", "Endpoint where to listen")
- httpx *http.Client
- resolver model.Resolver
- srvcancel context.CancelFunc
- srvctx context.Context
- srvwg = new(sync.WaitGroup)
+ dialer model.Dialer
+ endpoint = flag.String("endpoint", ":8080", "Endpoint where to listen")
+ httpClient model.HTTPClient
+ resolver model.Resolver
+ srvcancel context.CancelFunc
+ srvctx context.Context
+ srvwg = new(sync.WaitGroup)
 )
 
 func init() {
 srvctx, srvcancel = context.WithCancel(context.Background())
- dialer = netx.NewDialer(netx.Config{Logger: log.Log})
- txp := netx.NewHTTPTransport(netx.Config{Logger: log.Log})
- httpx = &http.Client{Transport: txp}
- // fix: use 8.8.8.8:53/udp so we pin to a specific resolver.
- var err error
- resolver, err = netx.NewDNSClient(netx.Config{Logger: log.Log}, "udp://8.8.8.8:53")
- runtimex.PanicOnError(err, "NewDNSClient failed")
+ // Implementation note: pin to a specific resolver so we don't depend upon the
+ // default resolver configured by the box. Also, use an encrypted transport thus
+ // we're less vulnerable to any policy implemented by the box's provider.
+ resolver = netxlite.NewParallelDNSOverHTTPSResolver(log.Log, "https://8.8.8.8/dns-query")
+ thx := netxlite.NewTLSHandshakerStdlib(log.Log)
+ dialer = netxlite.NewDialerWithResolver(log.Log, resolver)
+ tlsDialer := netxlite.NewTLSDialer(dialer, thx)
+ txp := netxlite.NewHTTPTransport(log.Log, dialer, tlsDialer)
+ httpClient = netxlite.NewHTTPClient(txp)
 }
 
 func shutdown(srv *http.Server) {
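Review bot: The dialer created in init() with `netxlite.NewDialerWithResolver(log.Log, resolver)` backs both the HTTP transport and the Handler's Dialer field, and nothing visible in this hunk limits which addresses it will connect to. If the helper dials endpoints or fetches URLs supplied by probes (request handling is outside this diff, so this is inferred from the Handler fields), targets that resolve to loopback, private or link-local ranges should be refused before the connect, either in the handler or in a wrapping `model.Dialer`. Separately, every lookup now depends on the single endpoint `https://8.8.8.8/dns-query`, and the old `runtimex.PanicOnError` startup check is gone with no replacement; a comment such as `// no fallback resolver: if 8.8.8.8 is unreachable, all control DNS lookups fail` would make that trade-off explicit. init() lies entirely inside the hunk.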
@@ -58,7 +59,7 @@ func main() {
 func testableMain() {
 mux := http.NewServeMux()
 mux.Handle("/", webconnectivity.Handler{
- Client: httpx,
+ Client: httpClient,
 Dialer: dialer,
 MaxAcceptableBody: maxAcceptableBody,
 Resolver: resolver,