From f5272168bc36c9c12e03a8dfb06458c340653db9 Mon Sep 17 00:00:00 2001
From: Mykola Baibuz <mykola.baibuz@gmail.com>
Date: Sun, 29 Dec 2024 23:07:06 +0200
Subject: [PATCH] Add allowed DNS list for killswitch

---
 client/daemon/interfaceconfig.h               |  1 +
 .../windows/daemon/windowsfirewall.cpp        |  8 ++++++
 client/protocols/protocols_defs.h             |  2 ++
 ipc/ipcserver.cpp                             | 27 ++++++++++++++++---
 4 files changed, 34 insertions(+), 4 deletions(-)

diff --git a/client/daemon/interfaceconfig.h b/client/daemon/interfaceconfig.h
index 6a816f87..3e1c08b9 100644
--- a/client/daemon/interfaceconfig.h
+++ b/client/daemon/interfaceconfig.h
@@ -37,6 +37,7 @@ class InterfaceConfig {
   QList<IPAddress> m_allowedIPAddressRanges;
   QStringList m_excludedAddresses;
   QStringList m_vpnDisabledApps;
+  QStringList m_allowedDnsServers;
   bool m_killSwitchEnabled;
 #if defined(MZ_ANDROID) || defined(MZ_IOS)
   QString m_installationId;
diff --git a/client/platforms/windows/daemon/windowsfirewall.cpp b/client/platforms/windows/daemon/windowsfirewall.cpp
index 3d45f228..23ee9cca 100644
--- a/client/platforms/windows/daemon/windowsfirewall.cpp
+++ b/client/platforms/windows/daemon/windowsfirewall.cpp
@@ -236,6 +236,14 @@ bool WindowsFirewall::enablePeerTraffic(const InterfaceConfig& config) {
     }
   }
 
+  for (const QString& dns : config.m_allowedDnsServers) {
+    logger.debug() << "Allow DNS: " << dns;
+    if (!allowTrafficTo(QHostAddress(dns), 53, HIGH_WEIGHT,
+                        "Allow DNS-Server", config.m_serverPublicKey)) {
+      return false;
+    }
+  }
+
   if (!config.m_excludedAddresses.empty()) {
     for (const QString& i : config.m_excludedAddresses) {
       logger.debug() << "range: " << i;
diff --git a/client/protocols/protocols_defs.h b/client/protocols/protocols_defs.h
index 865edae4..feeabb2f 100644
--- a/client/protocols/protocols_defs.h
+++ b/client/protocols/protocols_defs.h
@@ -95,6 +95,8 @@ namespace amnezia
         constexpr char splitTunnelApps[] = "splitTunnelApps";
         constexpr char appSplitTunnelType[] = "appSplitTunnelType";
 
+        constexpr char allowedDnsServers[] = "allowedDnsServers";
+
         constexpr char killSwitchOption[] = "killSwitchOption";
 
         constexpr char crc[] = "crc";
diff --git a/ipc/ipcserver.cpp b/ipc/ipcserver.cpp
index bb8a4182..4fd12a8a 100644
--- a/ipc/ipcserver.cpp
+++ b/ipc/ipcserver.cpp
@@ -244,6 +244,12 @@ bool IpcServer::enableKillSwitch(const QJsonObject &configStr, int vpnAdapterInd
     dnsServers.append(configStr.value(amnezia::config_key::dns2).toString());
     dnsServers.append("127.0.0.1");
     dnsServers.append("127.0.0.53");
+    for (auto dns : configStr.value(amnezia::config_key::allowedDnsServers).toArray()) {
+        if (!dns.isString()) {
+            break;
+        }
+        dnsServers.append(dns.toString());
+    }
     LinuxFirewall::updateDNSServers(dnsServers);
     LinuxFirewall::setAnchorEnabled(LinuxFirewall::IPv4, QStringLiteral("320.allowDNS"), true);
     LinuxFirewall::setAnchorEnabled(LinuxFirewall::Both, QStringLiteral("400.allowPIA"), true);
@@ -272,6 +278,13 @@ bool IpcServer::enableKillSwitch(const QJsonObject &configStr, int vpnAdapterInd
     QStringList dnsServers;
     dnsServers.append(configStr.value(amnezia::config_key::dns1).toString());
     dnsServers.append(configStr.value(amnezia::config_key::dns2).toString());
+    for (auto dns : configStr.value(amnezia::config_key::allowedDnsServers).toArray()) {
+        if (!dns.isString()) {
+            break;
+        }
+        dnsServers.append(dns.toString());
+    }
+
     MacOSFirewall::setAnchorEnabled(QStringLiteral("310.blockDNS"), true);
     MacOSFirewall::setAnchorTable(QStringLiteral("310.blockDNS"), true, QStringLiteral("dnsaddr"), dnsServers);
 #endif
@@ -310,8 +323,6 @@ bool IpcServer::enablePeerTraffic(const QJsonObject &configStr)
     int splitTunnelType = configStr.value("splitTunnelType").toInt();
     QJsonArray splitTunnelSites = configStr.value("splitTunnelSites").toArray();
 
-    QStringList AllowedIPAddesses;
-
     // Use APP split tunnel
     if (splitTunnelType == 0 || splitTunnelType == 2) {
         config.m_allowedIPAddressRanges.append(IPAddress(QHostAddress("0.0.0.0"), 0));
@@ -338,11 +349,19 @@ bool IpcServer::enablePeerTraffic(const QJsonObject &configStr)
         }
     }
 
-    for (const QJsonValue &i : configStr.value(amnezia::config_key::splitTunnelApps).toArray()) {
-        if (!i.isString()) {
+    for (auto app : configStr.value(amnezia::config_key::splitTunnelApps).toArray()) {
+        if (!app.isString()) {
+            break;
+        }
+        config.m_vpnDisabledApps.append(app.toString());
+    }
+
+    for (auto dns : configStr.value(amnezia::config_key::allowedDnsServers).toArray()) {
+        if (!dns.isString()) {
             break;
         }
         config.m_vpnDisabledApps.append(i.toString());
+        config.m_allowedDnsServers.append(dns.toString());
     }
 
     // killSwitch toggle