github/portmaster
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Merge pull request #188 from safing/feature/block-dns-servers-in-bypassing-check

Browse Source 
Block DNS servers in prevent bypassing check
This commit is contained in:
Patrick Pacher
2020-11-05 10:04:24 +01:00
committed by GitHub
parent 24d21341fd 7ca61bf24e
commit 2400a3b990
2 changed files with 12 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
firewall/bypassing.go
View File

@@ -8,6 +8,10 @@ import (
"github.com/safing/portmaster/profile/endpoints"
)
var (
resolverFilterLists = []string{"17-DNS"}
)
// PreventBypassing checks if the connection should be denied or permitted
// based on some bypass protection checks.
func PreventBypassing(conn *network.Connection) (endpoints.EPResult, string, nsutil.Responder) {
@@ -18,5 +22,11 @@ func PreventBypassing(conn *network.Connection) (endpoints.EPResult, string, nsu
nsutil.NxDomain()
}
if conn.Entity.MatchLists(resolverFilterLists) {
return endpoints.Denied,
"blocked rogue connection to DNS resolver",
nsutil.ZeroIP()
}
return endpoints.NoMatch, "", nil
}

3
profile/config.go
View File

@@ -481,7 +481,8 @@ Examples:
Key: CfgOptionPreventBypassingKey,
Description: `Prevent apps from bypassing the privacy filter.
Current Features:
- Disable Firefox' internal DNS-over-HTTPs resolver`,
- Disable Firefox' internal DNS-over-HTTPs resolver
- Block direct access to public DNS resolvers`,
OptType: config.OptTypeInt,
ExpertiseLevel: config.ExpertiseLevelUser,
ReleaseLevel: config.ReleaseLevelBeta,