Add allowed DNS list for killswitch

client/daemon/interfaceconfig.h

@@ -37,6 +37,7 @@ class InterfaceConfig {
   QList<IPAddress> m_allowedIPAddressRanges;
   QStringList m_excludedAddresses;
   QStringList m_vpnDisabledApps;
+  QStringList m_allowedDnsServers;
   bool m_killSwitchEnabled;
 #if defined(MZ_ANDROID) || defined(MZ_IOS)
   QString m_installationId;

client/platforms/windows/daemon/windowsfirewall.cpp

@@ -236,6 +236,14 @@ bool WindowsFirewall::enablePeerTraffic(const InterfaceConfig& config) {
     }
   }
 
+  for (const QString& dns : config.m_allowedDnsServers) {
+    logger.debug() << "Allow DNS: " << dns;
+    if (!allowTrafficTo(QHostAddress(dns), 53, HIGH_WEIGHT,
+                        "Allow DNS-Server", config.m_serverPublicKey)) {
+      return false;
+    }
+  }
+
   if (!config.m_excludedAddresses.empty()) {
     for (const QString& i : config.m_excludedAddresses) {
       logger.debug() << "range: " << i;

client/protocols/protocols_defs.h

@@ -95,6 +95,8 @@ namespace amnezia
         constexpr char splitTunnelApps[] = "splitTunnelApps";
         constexpr char appSplitTunnelType[] = "appSplitTunnelType";
 
+        constexpr char allowedDnsServers[] = "allowedDnsServers";
+
         constexpr char killSwitchOption[] = "killSwitchOption";
 
         constexpr char crc[] = "crc";

ipc/ipcserver.cpp

@@ -244,6 +244,12 @@ bool IpcServer::enableKillSwitch(const QJsonObject &configStr, int vpnAdapterInd
     dnsServers.append(configStr.value(amnezia::config_key::dns2).toString());
     dnsServers.append("127.0.0.1");
     dnsServers.append("127.0.0.53");
+    for (auto dns : configStr.value(amnezia::config_key::allowedDnsServers).toArray()) {
+        if (!dns.isString()) {
+            break;
+        }
+        dnsServers.append(dns.toString());
+    }
     LinuxFirewall::updateDNSServers(dnsServers);
     LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("320.allowDNS"), true);
     LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("400.allowPIA"), true);
@@ -272,6 +278,13 @@ bool IpcServer::enableKillSwitch(const QJsonObject &configStr, int vpnAdapterInd
     QStringList dnsServers;
     dnsServers.append(configStr.value(amnezia::config_key::dns1).toString());
     dnsServers.append(configStr.value(amnezia::config_key::dns2).toString());
+    for (auto dns : configStr.value(amnezia::config_key::allowedDnsServers).toArray()) {
+        if (!dns.isString()) {
+            break;
+        }
+        dnsServers.append(dns.toString());
+    }
+
     MacOSFirewall::setAnchorEnabled(QStringLiteral("310.blockDNS"), true);
     MacOSFirewall::setAnchorTable(QStringLiteral("310.blockDNS"), true, QStringLiteral("dnsaddr"), dnsServers);
 #endif
@@ -310,8 +323,6 @@ bool IpcServer::enablePeerTraffic(const QJsonObject &configStr)
     int splitTunnelType = configStr.value("splitTunnelType").toInt();
     QJsonArray splitTunnelSites = configStr.value("splitTunnelSites").toArray();
 
-    QStringList AllowedIPAddesses;
-
     // Use APP split tunnel
     if (splitTunnelType == 0 || splitTunnelType == 2) {
         config.m_allowedIPAddressRanges.append(IPAddress(QHostAddress("0.0.0.0"), 0));
@@ -338,11 +349,19 @@ bool IpcServer::enablePeerTraffic(const QJsonObject &configStr)
         }
     }
 
-    for (const QJsonValue &i : configStr.value(amnezia::config_key::splitTunnelApps).toArray()) {
-        if (!i.isString()) {
+    for (auto app : configStr.value(amnezia::config_key::splitTunnelApps).toArray()) {
+        if (!app.isString()) {
+            break;
+        }
+        config.m_vpnDisabledApps.append(app.toString());
+    }
+
+    for (auto dns : configStr.value(amnezia::config_key::allowedDnsServers).toArray()) {
+        if (!dns.isString()) {
             break;
         }
         config.m_vpnDisabledApps.append(i.toString());
+        config.m_allowedDnsServers.append(dns.toString());
     }
 
     // killSwitch toggle