From e16ce0b40fb64ef5c9f780b5f2852b5c4541e896 Mon Sep 17 00:00:00 2001
From: Daniel
Date: Mon, 23 Aug 2021 14:41:34 +0200
Subject: [PATCH] Add exception for ICMP from dns server bypass prevention

---
 firewall/bypassing.go | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/firewall/bypassing.go b/firewall/bypassing.go
index a7af6ee1..822a21ce 100644
--- a/firewall/bypassing.go
+++ b/firewall/bypassing.go
@@ -6,6 +6,7 @@ import (
 "github.com/safing/portmaster/nameserver/nsutil"
 "github.com/safing/portmaster/network"
+ "github.com/safing/portmaster/network/packet"
 "github.com/safing/portmaster/profile/endpoints"
 )
@@ -16,17 +17,23 @@ var (
 // PreventBypassing checks if the connection should be denied or permitted
 // based on some bypass protection checks.
 func PreventBypassing(ctx context.Context, conn *network.Connection) (endpoints.EPResult, string, nsutil.Responder) {
- // Block firefox canary domain to disable DoH
+ // Block firefox canary domain to disable DoH.
 if strings.ToLower(conn.Entity.Domain) == "use-application-dns.net." {
 return endpoints.Denied, "blocked canary domain to prevent enabling of DNS-over-HTTPs", nsutil.NxDomain()
 }
- if conn.Entity.MatchLists(resolverFilterLists) {
- return endpoints.Denied,
- "blocked rogue connection to DNS resolver",
- nsutil.ZeroIP()
+ // Block direct connections to known DNS resolvers.
+ switch packet.IPProtocol(conn.Entity.Protocol) {
+ case packet.ICMP, packet.ICMPv6:
+ // Make an exception for ICMP, as these IPs are also often used for debugging.
+ default:
+ if conn.Entity.MatchLists(resolverFilterLists) {
+ return endpoints.Denied,
+ "blocked rogue connection to DNS resolver",
+ nsutil.BlockIP()
+ }
 }
 return endpoints.NoMatch, "", nil