fix: allow secondary DNS usage when AmneziaDNS is disabled (#1583)

* Allow secondary DNS usage when AmneziaDNS is disabled * Don't setup secondary DNS for OpenVPN with AmneziaDNS --------- Co-authored-by: vladimir.kuznetsov <nethiuswork@gmail.com>
2025-07-01 19:16:58 -07:00 · 2025-07-01 19:16:58 -07:00 · b341934863
commit b341934863
parent 127f8ed3bb
10 changed files with 116 additions and 32 deletions
--- a/client/platforms/linux/daemon/wireguardutilslinux.cpp
+++ b/client/platforms/linux/daemon/wireguardutilslinux.cpp
@ -140,7 +140,10 @@ bool WireguardUtilsLinux::addInterface(const InterfaceConfig& config) {
    } else {
        if (config.m_killSwitchEnabled) {
            FirewallParams params { };
-            params.dnsServers.append(config.m_dnsServer);
+            params.dnsServers.append(config.m_primaryDnsServer);
+            if (!config.m_secondaryDnsServer.isEmpty()) {
+                params.dnsServers.append(config.m_secondaryDnsServer);
+            }
            if (config.m_allowedIPAddressRanges.contains(IPAddress("0.0.0.0/0"))) {
                params.blockAll = true;
                if (config.m_excludedAddresses.size()) {
--- a/client/platforms/macos/daemon/wireguardutilsmacos.cpp
+++ b/client/platforms/macos/daemon/wireguardutilsmacos.cpp
@ -136,26 +136,29 @@ bool WireguardUtilsMacos::addInterface(const InterfaceConfig& config) {
  if (err != 0) {
    logger.error() << "Interface configuration failed:" << strerror(err);
  } else {
-      if (config.m_killSwitchEnabled) {
-        FirewallParams params { };
-        params.dnsServers.append(config.m_dnsServer);
+    if (config.m_killSwitchEnabled) {
+      FirewallParams params { };
+      params.dnsServers.append(config.m_primaryDnsServer);
+      if (!config.m_secondaryDnsServer.isEmpty()) {
+          params.dnsServers.append(config.m_secondaryDnsServer);
+      }

-        if (config.m_allowedIPAddressRanges.contains(IPAddress("0.0.0.0/0"))) {
+      if (config.m_allowedIPAddressRanges.contains(IPAddress("0.0.0.0/0"))) {
          params.blockAll = true;
          if (config.m_excludedAddresses.size()) {
-            params.allowNets = true;
-            foreach (auto net, config.m_excludedAddresses) {
-              params.allowAddrs.append(net.toUtf8());
-            }
+              params.allowNets = true;
+              foreach (auto net, config.m_excludedAddresses) {
+                  params.allowAddrs.append(net.toUtf8());
+              }
          }
-        } else {
+      } else {
          params.blockNets = true;
          foreach (auto net, config.m_allowedIPAddressRanges) {
-            params.blockAddrs.append(net.toString());
+              params.blockAddrs.append(net.toString());
          }
-        }
-        applyFirewallRules(params);
      }
+      applyFirewallRules(params);
+    }
  }
  return (err == 0);
 }
--- a/client/platforms/windows/daemon/windowsfirewall.cpp
+++ b/client/platforms/windows/daemon/windowsfirewall.cpp
@ -291,15 +291,32 @@ bool WindowsFirewall::enablePeerTraffic(const InterfaceConfig& config) {
                      "Block Internet", config.m_serverPublicKey)) {
    return false;
  }
-  if (!config.m_dnsServer.isEmpty()) {
-    if (!allowTrafficTo(QHostAddress(config.m_dnsServer), 53, HIGH_WEIGHT,
+  if (!config.m_primaryDnsServer.isEmpty()) {
+    if (!allowTrafficTo(QHostAddress(config.m_primaryDnsServer), 53, HIGH_WEIGHT,
                        "Allow DNS-Server", config.m_serverPublicKey)) {
      return false;
    }
    // In some cases, we might configure a 2nd DNS server for IPv6, however
    // this should probably be cleaned up by converting m_dnsServer into
    // a QStringList instead.
-    if (config.m_dnsServer == config.m_serverIpv4Gateway) {
+    if (config.m_primaryDnsServer == config.m_serverIpv4Gateway) {
+      if (!allowTrafficTo(QHostAddress(config.m_serverIpv6Gateway), 53,
+                          HIGH_WEIGHT, "Allow extra IPv6 DNS-Server",
+                          config.m_serverPublicKey)) {
+        return false;
+      }
+    }
+  }
+
+  if (!config.m_secondaryDnsServer.isEmpty()) {
+    if (!allowTrafficTo(QHostAddress(config.m_secondaryDnsServer), 53, HIGH_WEIGHT,
+                        "Allow DNS-Server", config.m_serverPublicKey)) {
+      return false;
+    }
+    // In some cases, we might configure a 2nd DNS server for IPv6, however
+    // this should probably be cleaned up by converting m_dnsServer into
+    // a QStringList instead.
+    if (config.m_secondaryDnsServer == config.m_serverIpv4Gateway) {
      if (!allowTrafficTo(QHostAddress(config.m_serverIpv6Gateway), 53,
                          HIGH_WEIGHT, "Allow extra IPv6 DNS-Server",
                          config.m_serverPublicKey)) {