| author | David Lönnhager <david.l@mullvad.net> | 2020-02-13 09:53:08 +0100 |
|---|---|---|
| committer | David Lönnhager <david.l@mullvad.net> | 2020-02-13 09:53:08 +0100 |
| commit | 6ab2a7767bc3e8ed63f436e93ec8b2eda5205752 (patch) | |
| tree | 6c2ba16503a9489245d61169bc1cd7b10edf4734 | |
| parent | 2dfd3c06693dbf1ff85b4ea05e5557dac98f046b (diff) | |
| parent | 0d4711dfab4b72047937cbd8604a897ef6682b8d (diff) | |
Merge branch 'dns-update'
| -rw-r--r-- | CHANGELOG.md | 4 | ||||
| -rw-r--r-- | windows/winfw/src/winfw/fwcontext.cpp | 36 | ||||
| -rw-r--r-- | windows/winfw/src/winfw/fwcontext.h | 6 | ||||
| -rw-r--r-- | windows/winfw/src/winfw/mullvadguids.cpp | 54 | ||||
| -rw-r--r-- | windows/winfw/src/winfw/mullvadguids.h | 6 | ||||
| -rw-r--r-- | windows/winfw/src/winfw/rules/permittunneldns.cpp | 115 | ||||
| -rw-r--r-- | windows/winfw/src/winfw/rules/permittunneldns.h | 27 | ||||
| -rw-r--r-- | windows/winfw/src/winfw/rules/permitvpntunnel.cpp | 12 | ||||
| -rw-r--r-- | windows/winfw/src/winfw/rules/restrictdns.cpp | 132 | ||||
| -rw-r--r-- | windows/winfw/src/winfw/rules/restrictdns.h | 35 | ||||
| -rw-r--r-- | windows/winfw/src/winfw/winfw.cpp | 8 | ||||
| -rw-r--r-- | windows/winfw/src/winfw/winfw.vcxproj | 4 | ||||
| -rw-r--r-- | windows/winfw/src/winfw/winfw.vcxproj.filters | 12 |
13 files changed, 250 insertions, 201 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index f6f429bf02..a66346c576 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -57,6 +57,10 @@ Line wrap the file at 100 chars. Th states: While connecting, when blocked due to an error happening and when disconnected if the "block when disconnected" setting was enabled. + #### Windows +- Prevent DNS leak that happened if "Local network sharing" was enabled and the device had a + default DNS on the local private network. + ## [2020.1] - 2020-02-10 This release is identical to 2020.1-beta1 diff --git a/windows/winfw/src/winfw/fwcontext.cpp b/windows/winfw/src/winfw/fwcontext.cpp index ed1d204560..609f097336 100644 --- a/windows/winfw/src/winfw/fwcontext.cpp +++ b/windows/winfw/src/winfw/fwcontext.cpp @@ -10,11 +10,11 @@ #include "rules/permitlan.h" #include "rules/permitlanservice.h" #include "rules/permitloopback.h" -#include "rules/permittunneldns.h" #include "rules/permitvpnrelay.h" #include "rules/permitvpntunnel.h" #include "rules/permitvpntunnelservice.h" #include "rules/permitping.h" +#include "rules/restrictdns.h" #include <libwfp/transaction.h> #include <libwfp/filterengine.h> #include <libcommon/error.h> @@ -53,10 +53,11 @@ void AppendSettingsRules(FwContext::Ruleset &ruleset, const WinFwSettings &setti } } -void AppendNetBlockedRules(FwContext::Ruleset &ruleset) +void AppendNetBlockedRules(FwContext::Ruleset &ruleset, const std::optional<WinFwRelay> &relay, const std::optional<rules::RestrictDns::DnsHosts> &dnsHosts) { ruleset.emplace_back(std::make_unique<rules::BlockAll>()); ruleset.emplace_back(std::make_unique<rules::PermitLoopback>()); + ruleset.emplace_back(std::make_unique<rules::RestrictDns>(relay, dnsHosts)); } } // anonymous namespace @@ -108,7 +109,7 @@ bool FwContext::applyPolicyConnecting { Ruleset ruleset; - AppendNetBlockedRules(ruleset); + AppendNetBlockedRules(ruleset, relay, std::nullopt); AppendSettingsRules(ruleset, settings); ruleset.emplace_back(std::make_unique<rules::PermitVpnRelay>( 
@@ -140,14 +141,20 @@ bool FwContext::applyPolicyConnected ( const WinFwSettings &settings, const WinFwRelay &relay, - const wchar_t *tunnelInterfaceAlias, - const wchar_t *v4DnsHost, - const wchar_t *v6DnsHost + const std::wstring &tunnelInterfaceAlias, + const wfp::IpAddress &v4DnsHost, + const std::optional<wfp::IpAddress> &v6DnsHost ) { Ruleset ruleset; - AppendNetBlockedRules(ruleset); + rules::RestrictDns::DnsHosts dnsHosts = + { + tunnelInterfaceAlias, + v4DnsHost, + v6DnsHost + }; + AppendNetBlockedRules(ruleset, relay, dnsHosts); AppendSettingsRules(ruleset, settings); ruleset.emplace_back(std::make_unique<rules::PermitVpnRelay>( @@ -164,19 +171,6 @@ bool FwContext::applyPolicyConnected tunnelInterfaceAlias )); - std::vector<wfp::IpAddress> dnsHosts; - dnsHosts.push_back(wfp::IpAddress(v4DnsHost)); - - if (nullptr != v6DnsHost) - { - dnsHosts.push_back(wfp::IpAddress(v6DnsHost)); - } - - ruleset.emplace_back(std::make_unique<rules::PermitTunnelDns>( - tunnelInterfaceAlias, - dnsHosts - )); - return applyRuleset(ruleset); } @@ -197,7 +191,7 @@ FwContext::Ruleset FwContext::composePolicyBlocked(const WinFwSettings &settings { Ruleset ruleset; - AppendNetBlockedRules(ruleset); + AppendNetBlockedRules(ruleset, std::nullopt, std::nullopt); AppendSettingsRules(ruleset, settings); return ruleset; diff --git a/windows/winfw/src/winfw/fwcontext.h b/windows/winfw/src/winfw/fwcontext.h index 9d5b34c51b..552b075869 100644 --- a/windows/winfw/src/winfw/fwcontext.h +++ b/windows/winfw/src/winfw/fwcontext.h @@ -35,9 +35,9 @@ public: ( const WinFwSettings &settings, const WinFwRelay &relay, - const wchar_t *tunnelInterfaceAlias, - const wchar_t *v4DnsHost, - const wchar_t *v6DnsHost + const std::wstring &tunnelInterfaceAlias, + const wfp::IpAddress &v4DnsHost, + const std::optional<wfp::IpAddress> &v6DnsHost ); bool applyPolicyBlocked(const WinFwSettings &settings); 
diff --git a/windows/winfw/src/winfw/mullvadguids.cpp b/windows/winfw/src/winfw/mullvadguids.cpp index ef27e4823c..e73fac26ed 100644 --- a/windows/winfw/src/winfw/mullvadguids.cpp +++ b/windows/winfw/src/winfw/mullvadguids.cpp @@ -50,8 +50,10 @@ DetailedWfpObjectRegistry MullvadGuids::BuildDetailedRegistry() registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitVpnRelay())); registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitVpnTunnel_Outbound_Ipv4())); registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitVpnTunnel_Outbound_Ipv6())); - registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitTunnelDns_Ipv4())); - registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitTunnelDns_Ipv6())); + registry.insert(std::make_pair(WfpObjectType::Filter, FilterRestrictDns_Outbound_Ipv4())); + registry.insert(std::make_pair(WfpObjectType::Filter, FilterRestrictDns_Outbound_Tunnel_Ipv4())); + registry.insert(std::make_pair(WfpObjectType::Filter, FilterRestrictDns_Outbound_Ipv6())); + registry.insert(std::make_pair(WfpObjectType::Filter, FilterRestrictDns_Outbound_Tunnel_Ipv6())); registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitVpnTunnelService_Ipv4())); registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitVpnTunnelService_Ipv6())); registry.insert(std::make_pair(WfpObjectType::Filter, FilterPermitNdp_Outbound_Router_Solicitation())); 
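Review bot: Dropping `FilterPermitTunnelDns_Ipv4()` and `FilterPermitTunnelDns_Ipv6()` from BuildDetailedRegistry() means anything that enumerates Mullvad's WFP objects through this registry no longer knows the two filter keys that earlier releases installed. If a filter can outlive the process (a persistent filter, or a crash before cleanup), an upgrade could leave the old DNS permit filters in place unrecognised. Whether that can happen is not visible here, since the function body starts outside the hunk and the purger is not part of this diff. Consider keeping the retired GUIDs in a purge-only list, or confirming that cleanup removes objects by provider rather than by key.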
@@ -443,28 +445,56 @@ const GUID &MullvadGuids::FilterPermitVpnTunnel_Outbound_Ipv6() } //static -const GUID &MullvadGuids::FilterPermitTunnelDns_Ipv4() +const GUID &MullvadGuids::FilterRestrictDns_Outbound_Ipv4() { static const GUID g = { - 0x60474363, - 0x42b7, - 0x44ad, - { 0xa6, 0xdb, 0x9c, 0x4a, 0x4d, 0x3c, 0xde, 0x4a } + 0xc0792b44, + 0xfc3c, + 0x42e8, + { 0xa6, 0x60, 0x25, 0x4b, 0xd0, 0x4, 0xb1, 0x9d } }; return g; } //static -const GUID &MullvadGuids::FilterPermitTunnelDns_Ipv6() +const GUID &MullvadGuids::FilterRestrictDns_Outbound_Tunnel_Ipv4() { static const GUID g = { - 0xa832ce1d, - 0xa250, - 0x42be, - { 0x8b, 0x97, 0x2, 0xb7, 0x9f, 0x9c, 0x5e, 0x1 } + 0x790445dc, + 0xb23e, + 0x4ab4, + { 0x8e, 0x2f, 0xc7, 0x6, 0x55, 0x5f, 0x94, 0xff } + }; + + return g; +} + +//static +const GUID &MullvadGuids::FilterRestrictDns_Outbound_Ipv6() +{ + static const GUID g = + { + 0xcde477eb, + 0x2d8a, + 0x45b8, + { 0x9a, 0x3e, 0x9a, 0xa3, 0xbe, 0x4d, 0xe2, 0xb4 } + }; + + return g; +} + +//static +const GUID &MullvadGuids::FilterRestrictDns_Outbound_Tunnel_Ipv6() +{ + static const GUID g = + { + 0xacc90d87, + 0xab77, + 0x4cf4, + { 0x84, 0xee, 0x1d, 0x68, 0x95, 0xf0, 0x66, 0xc2 } }; return g; diff --git a/windows/winfw/src/winfw/mullvadguids.h b/windows/winfw/src/winfw/mullvadguids.h index 8a32c1c9df..3c3ca9702b 100644 --- a/windows/winfw/src/winfw/mullvadguids.h +++ b/windows/winfw/src/winfw/mullvadguids.h 
@@ -56,8 +56,10 @@ public: static const GUID &FilterPermitVpnTunnel_Outbound_Ipv4(); static const GUID &FilterPermitVpnTunnel_Outbound_Ipv6(); - static const GUID &FilterPermitTunnelDns_Ipv4(); - static const GUID &FilterPermitTunnelDns_Ipv6(); + static const GUID &FilterRestrictDns_Outbound_Ipv4(); + static const GUID &FilterRestrictDns_Outbound_Tunnel_Ipv4(); + static const GUID &FilterRestrictDns_Outbound_Ipv6(); + static const GUID &FilterRestrictDns_Outbound_Tunnel_Ipv6(); static const GUID &FilterPermitVpnTunnelService_Ipv4(); static const GUID &FilterPermitVpnTunnelService_Ipv6(); diff --git a/windows/winfw/src/winfw/rules/permittunneldns.cpp b/windows/winfw/src/winfw/rules/permittunneldns.cpp deleted file mode 100644 index 57c1d39763..0000000000 --- a/windows/winfw/src/winfw/rules/permittunneldns.cpp +++ /dev/null 
@@ -1,115 +0,0 @@ -#include "stdafx.h" -#include "permittunneldns.h" -#include "winfw/mullvadguids.h" -#include "libwfp/filterbuilder.h" -#include "libwfp/conditionbuilder.h" -#include "libwfp/conditions/comparison.h" -#include "libwfp/conditions/conditioninterface.h" -#include "libwfp/conditions/conditionip.h" -#include "libwfp/conditions/conditionport.h" - -using namespace wfp::conditions; - -namespace -{ - -constexpr uint16_t DNS_PORT = 53; - -} // anonymous namespace - -namespace rules -{ - -PermitTunnelDns::PermitTunnelDns( - const std::wstring &tunnelInterfaceAlias, - const std::vector<wfp::IpAddress> &dnsHosts -) - : m_tunnelInterfaceAlias(tunnelInterfaceAlias) -{ - for (const auto &host : dnsHosts) - { - if (wfp::IpAddress::Ipv4 == host.type()) - { - m_v4DnsHosts.push_back(host); - } - else - { - m_v6DnsHosts.push_back(host); - } - } -} - -bool PermitTunnelDns::apply(IObjectInstaller &objectInstaller) -{ - // - // Permit outbound DNS traffic to specific servers (IPv4) - // - - wfp::FilterBuilder filterBuilder; - - filterBuilder - .provider(MullvadGuids::Provider()) - .description(L"This filter is part of a rule that permits DNS traffic inside the VPN tunnel") - .sublayer(MullvadGuids::SublayerWhitelist()) - .weight(wfp::FilterBuilder::WeightClass::Max) - .permit(); - - if (!m_v4DnsHosts.empty()) - { - filterBuilder - .key(MullvadGuids::FilterPermitTunnelDns_Ipv4()) - .name(L"Permit select outbound DNS traffic on tunnel interface (IPv4)") - .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V4); - - wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V4); - conditionBuilder.add_condition(ConditionInterface::Alias(m_tunnelInterfaceAlias)); - - for (const auto &host : m_v4DnsHosts) - { - // Multiple conditions of same type are OR'ed - conditionBuilder.add_condition(ConditionIp::Remote(host)); - } - - conditionBuilder.add_condition(ConditionPort::Remote(DNS_PORT)); - - if (!objectInstaller.addFilter(filterBuilder, conditionBuilder)) - { - return false; - } - } - 
- // - // Permit outbound DNS traffic to specific servers (IPv6) - // - - if (!m_v6DnsHosts.empty()) - { - filterBuilder - .key(MullvadGuids::FilterPermitTunnelDns_Ipv6()) - .name(L"Permit select outbound DNS traffic on tunnel interface (IPv6)") - .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6); - - wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V6); - conditionBuilder.add_condition(ConditionInterface::Alias(m_tunnelInterfaceAlias)); - - for (const auto &host : m_v6DnsHosts) - { - // Multiple conditions of same type are OR'ed - if (wfp::IpAddress::Ipv6 == host.type()) - { - conditionBuilder.add_condition(ConditionIp::Remote(host)); - } - } - - conditionBuilder.add_condition(ConditionPort::Remote(DNS_PORT)); - - if (!objectInstaller.addFilter(filterBuilder, conditionBuilder)) - { - return false; - } - } - - return true; -} - -} diff --git a/windows/winfw/src/winfw/rules/permittunneldns.h b/windows/winfw/src/winfw/rules/permittunneldns.h deleted file mode 100644 index eec22b0924..0000000000 --- a/windows/winfw/src/winfw/rules/permittunneldns.h +++ /dev/null @@ -1,27 +0,0 @@ -#pragma once - -#include "ifirewallrule.h" -#include "libwfp/ipaddress.h" -#include <string> -#include <cstdint> - -namespace rules -{ - -class PermitTunnelDns : public IFirewallRule -{ -public: - - PermitTunnelDns(const std::wstring &tunnelInterfaceAlias, const std::vector<wfp::IpAddress> &dnsHosts); - - bool apply(IObjectInstaller &objectInstaller) override; - -private: - - const std::wstring m_tunnelInterfaceAlias; - std::vector<wfp::IpAddress> m_v4DnsHosts; - std::vector<wfp::IpAddress> m_v6DnsHosts; - -}; - -} diff --git a/windows/winfw/src/winfw/rules/permitvpntunnel.cpp b/windows/winfw/src/winfw/rules/permitvpntunnel.cpp index a757f5e164..e21a99c04d 100644 --- a/windows/winfw/src/winfw/rules/permitvpntunnel.cpp +++ b/windows/winfw/src/winfw/rules/permitvpntunnel.cpp 
@@ -4,17 +4,9 @@ #include "libwfp/filterbuilder.h" #include "libwfp/conditionbuilder.h" #include "libwfp/conditions/conditioninterface.h" -#include "libwfp/conditions/conditionport.h" using namespace wfp::conditions; -namespace -{ - -constexpr uint16_t DNS_PORT = 53; - -} // anonymous namespace - namespace rules { @@ -29,7 +21,6 @@ bool PermitVpnTunnel::apply(IObjectInstaller &objectInstaller) // // #1 permit locally-initiated traffic on tunnel interface, ipv4 - // except DNS requests // filterBuilder @@ -46,7 +37,6 @@ bool PermitVpnTunnel::apply(IObjectInstaller &objectInstaller) wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V4); conditionBuilder.add_condition(ConditionInterface::Alias(m_tunnelInterfaceAlias)); - conditionBuilder.add_condition(ConditionPort::Remote(DNS_PORT, CompareNeq())); if (!objectInstaller.addFilter(filterBuilder, conditionBuilder)) { @@ -56,7 +46,6 @@ bool PermitVpnTunnel::apply(IObjectInstaller &objectInstaller) // // #2 permit locally-initiated traffic on tunnel interface, ipv6 - // except DNS requests // filterBuilder @@ -67,7 +56,6 @@ bool PermitVpnTunnel::apply(IObjectInstaller &objectInstaller) wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V6); conditionBuilder.add_condition(ConditionInterface::Alias(m_tunnelInterfaceAlias)); - conditionBuilder.add_condition(ConditionPort::Remote(DNS_PORT, CompareNeq())); return objectInstaller.addFilter(filterBuilder, conditionBuilder); } diff --git a/windows/winfw/src/winfw/rules/restrictdns.cpp b/windows/winfw/src/winfw/rules/restrictdns.cpp new file mode 100644 index 0000000000..751e278233 --- /dev/null +++ b/windows/winfw/src/winfw/rules/restrictdns.cpp 
@@ -0,0 +1,132 @@ +#include "stdafx.h" +#include "restrictdns.h" +#include "winfw/mullvadguids.h" +#include "libwfp/filterbuilder.h" +#include "libwfp/conditionbuilder.h" +#include "libwfp/conditions/conditioninterface.h" +#include "libwfp/conditions/conditionip.h" +#include "libwfp/conditions/conditionport.h" + +using namespace wfp::conditions; + +namespace rules +{ + +RestrictDns::RestrictDns( + const std::optional<WinFwRelay> &relay, + const std::optional<DnsHosts> &dnsHosts +) + : m_dnsHosts(dnsHosts) +{ + if (relay.has_value() && 53 == relay->port) + { + m_allowHost = std::make_optional(wfp::IpAddress(relay->ip)); + } +} + +bool RestrictDns::apply(IObjectInstaller &objectInstaller) +{ + wfp::FilterBuilder filterBuilder; + + // + // Requires that the following rules are in effect: + // + // BlockAll + // PermitVpnTunnel + // + // TODO: Have each rule specify requirements? + // + + filterBuilder + .provider(MullvadGuids::Provider()) + .description(L"This filter is part of a rule that restricts DNS traffic") + .sublayer(MullvadGuids::SublayerBlacklist()); + + if (m_dnsHosts.has_value()) + { + filterBuilder + .key(MullvadGuids::FilterRestrictDns_Outbound_Tunnel_Ipv4()) + .name(L"Restrict DNS requests inside the VPN tunnel (IPv4)") + .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V4) + .weight(MAXUINT16) + .permit(); + + { + wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V4); + + conditionBuilder.add_condition(ConditionInterface::Alias(m_dnsHosts->tunnelInterfaceAlias, CompareEq())); + conditionBuilder.add_condition(ConditionIp::Remote(m_dnsHosts->v4DnsHost, CompareEq())); + + if (!objectInstaller.addFilter(filterBuilder, conditionBuilder)) + { + return false; + } + } + } + + filterBuilder + .key(MullvadGuids::FilterRestrictDns_Outbound_Ipv4()) + .name(L"Block DNS requests outside the VPN tunnel (IPv4)") + .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V4) + .weight(MAXUINT16 - 1) + .block(); + + { + wfp::ConditionBuilder 
conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V4); + conditionBuilder.add_condition(ConditionPort::Remote(53)); + + // + // Allow DNS traffic over select host + // + if (m_allowHost.has_value()) + { + conditionBuilder.add_condition(ConditionIp::Remote(*m_allowHost, CompareNeq())); + } + + if (!objectInstaller.addFilter(filterBuilder, conditionBuilder)) + { + return false; + } + } + + // + // IPv6 also + // + + if (m_dnsHosts.has_value() && m_dnsHosts->v6DnsHost.has_value()) + { + filterBuilder + .key(MullvadGuids::FilterRestrictDns_Outbound_Tunnel_Ipv6()) + .name(L"Restrict DNS requests inside the VPN tunnel (IPv6)") + .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6) + .weight(MAXUINT16) + .permit(); + + { + wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V6); + + conditionBuilder.add_condition(ConditionInterface::Alias(m_dnsHosts->tunnelInterfaceAlias, CompareEq())); + conditionBuilder.add_condition(ConditionIp::Remote(*m_dnsHosts->v6DnsHost, CompareEq())); + + if (!objectInstaller.addFilter(filterBuilder, conditionBuilder)) + { + return false; + } + } + } + + filterBuilder + .key(MullvadGuids::FilterRestrictDns_Outbound_Ipv6()) + .name(L"Block DNS requests outside the VPN tunnel (IPv6)") + .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6) + .weight(MAXUINT16 - 1) + .block(); + + { + wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V6); + conditionBuilder.add_condition(ConditionPort::Remote(53)); + return objectInstaller.addFilter(filterBuilder, conditionBuilder); + } +} + +} diff --git a/windows/winfw/src/winfw/rules/restrictdns.h b/windows/winfw/src/winfw/rules/restrictdns.h new file mode 100644 index 0000000000..9cf0ad00a9 --- /dev/null +++ b/windows/winfw/src/winfw/rules/restrictdns.h 
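Review bot: The relay exemption in the IPv4 block filter is added without checking the address family of `m_allowHost`, and the IPv6 block filter at the end of apply() has no exemption at all. A relay reached over IPv6 on port 53 would therefore be caught by the IPv6 block, while its address is handed to a condition built for `FWPM_LAYER_ALE_AUTH_CONNECT_V4`; how libwfp treats that mismatch is not visible here, but the removed PermitTunnelDns sorted hosts with `host.type()` before using them. The fence below guards both exemptions by family. Separately, the two tunnel permit filters match on interface and remote IP only, so despite their names they cover every port to the resolver; if the intent is DNS only, add `ConditionPort::Remote(53)` to them. The literal 53 could also go back to a named constant like the removed `DNS_PORT`.

```cpp
// … unchanged: IPv4 block filter setup, ConditionPort::Remote(53) …
if (m_allowHost.has_value() && wfp::IpAddress::Ipv4 == m_allowHost->type())
{
	conditionBuilder.add_condition(ConditionIp::Remote(*m_allowHost, CompareNeq()));
}

// … unchanged: IPv4 addFilter, IPv6 tunnel permit filter, IPv6 block filter setup …
	conditionBuilder.add_condition(ConditionPort::Remote(53));

	// Same relay exemption as the IPv4 filter, for a relay reached over IPv6
	if (m_allowHost.has_value() && wfp::IpAddress::Ipv6 == m_allowHost->type())
	{
		conditionBuilder.add_condition(ConditionIp::Remote(*m_allowHost, CompareNeq()));
	}

	return objectInstaller.addFilter(filterBuilder, conditionBuilder);
```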
@@ -0,0 +1,35 @@ +#pragma once + +#include "ifirewallrule.h" +#include "libwfp/ipaddress.h" +#include "winfw/winfw.h" +#include <optional> +#include <string> +#include <cstdint> + +namespace rules +{ + +class RestrictDns : public IFirewallRule +{ +public: + + struct DnsHosts + { + std::wstring tunnelInterfaceAlias; + wfp::IpAddress v4DnsHost; + std::optional<wfp::IpAddress> v6DnsHost; + }; + + RestrictDns(const std::optional<WinFwRelay> &relay, const std::optional<DnsHosts> &dnsHosts); + + bool apply(IObjectInstaller &objectInstaller) override; + +private: + + std::optional<wfp::IpAddress> m_allowHost; + const std::optional<DnsHosts> m_dnsHosts; + +}; + +} diff --git a/windows/winfw/src/winfw/winfw.cpp b/windows/winfw/src/winfw/winfw.cpp index bb79c2eff6..c053087355 100644 --- a/windows/winfw/src/winfw/winfw.cpp +++ b/windows/winfw/src/winfw/winfw.cpp @@ -205,7 +205,13 @@ WinFw_ApplyPolicyConnected( try { - return g_fwContext->applyPolicyConnected(settings, relay, tunnelInterfaceAlias, v4DnsHost, v6DnsHost); + return g_fwContext->applyPolicyConnected( + settings, + relay, + tunnelInterfaceAlias, + wfp::IpAddress(v4DnsHost), + nullptr != v6DnsHost ? std::make_optional(wfp::IpAddress(v6DnsHost)) : std::nullopt + ); } catch (std::exception &err) { diff --git a/windows/winfw/src/winfw/winfw.vcxproj b/windows/winfw/src/winfw/winfw.vcxproj index 7b35c8b939..15da42ec0f 100644 --- a/windows/winfw/src/winfw/winfw.vcxproj +++ b/windows/winfw/src/winfw/winfw.vcxproj @@ -23,7 +23,6 @@ <ClCompile Include="mullvadguids.cpp" /> <ClCompile Include="mullvadobjects.cpp" /> <ClCompile Include="objectpurger.cpp" /> - <ClCompile Include="rules\permittunneldns.cpp" /> <ClCompile Include="rules\blockall.cpp" /> <ClCompile Include="rules\permitdhcp.cpp" /> <ClCompile Include="rules\permitdhcpserver.cpp" /> 
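Review bot: The RestrictDns constructor takes two optionals whose presence or absence selects different firewall behaviour in restrictdns.cpp, and nothing in this header documents that. A caller passing `std::nullopt` for either has to read apply() to learn the effect. I would add above the constructor: `// relay: when set and its port is 53, traffic to the relay IP is exempt from the port-53 block.` and `// dnsHosts: when set, the listed resolvers reached over the tunnel interface are permitted; all other port-53 traffic is blocked.` A one-line comment on DnsHosts stating that `v4DnsHost` must hold an IPv4 address and `v6DnsHost` an IPv6 one would also help, since apply() does not check.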
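Review bot: Only `v6DnsHost` is null-checked at this call; `wfp::IpAddress(v4DnsHost)` and the conversion of `tunnelInterfaceAlias` to the new `const std::wstring &` parameter run on whatever the caller passed. The old signature took `const wchar_t *` for the alias, so it is presumably still a raw pointer here, and building a `std::wstring` from a null pointer is undefined behaviour rather than an exception the surrounding `try` can catch. The function starts outside the hunk, so validation may already exist above it. If it does not, add a guard before the `try`, such as `if (nullptr == tunnelInterfaceAlias || nullptr == v4DnsHost)`, that returns the function's failure value.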
@@ -35,6 +34,7 @@ <ClCompile Include="rules\permitvpntunnelservice.cpp" /> <ClCompile Include="rules\permitvpnrelay.cpp" /> <ClCompile Include="rules\permitvpntunnel.cpp" /> + <ClCompile Include="rules\restrictdns.cpp" /> <ClCompile Include="sessioncontroller.cpp" /> <ClCompile Include="sessionrecord.cpp" /> <ClCompile Include="stdafx.cpp"> @@ -52,7 +52,6 @@ <ClInclude Include="mullvadguids.h" /> <ClInclude Include="mullvadobjects.h" /> <ClInclude Include="objectpurger.h" /> - <ClInclude Include="rules\permittunneldns.h" /> <ClInclude Include="rules\permitdhcpserver.h" /> <ClInclude Include="rules\permitndp.h" /> <ClInclude Include="rules\permitping.h" /> @@ -66,6 +65,7 @@ <ClInclude Include="rules\permitvpntunnelservice.h" /> <ClInclude Include="rules\permitvpnrelay.h" /> <ClInclude Include="rules\permitvpntunnel.h" /> + <ClInclude Include="rules\restrictdns.h" /> <ClInclude Include="sessioncontroller.h" /> <ClInclude Include="sessionrecord.h" /> <ClInclude Include="stdafx.h" /> diff --git a/windows/winfw/src/winfw/winfw.vcxproj.filters b/windows/winfw/src/winfw/winfw.vcxproj.filters index c491cb2a8d..a758a1c9ec 100644 --- a/windows/winfw/src/winfw/winfw.vcxproj.filters +++ b/windows/winfw/src/winfw/winfw.vcxproj.filters @@ -30,6 +30,9 @@ <Filter>rules</Filter> </ClCompile> <ClCompile Include="sessionrecord.cpp" /> + <ClCompile Include="rules\restrictdns.cpp"> + <Filter>rules</Filter> + </ClCompile> <ClCompile Include="rules\permitvpntunnelservice.cpp"> <Filter>rules</Filter> </ClCompile> @@ -43,9 +46,6 @@ <ClCompile Include="rules\permitping.cpp"> <Filter>rules</Filter> </ClCompile> - <ClCompile Include="rules\permittunneldns.cpp"> - <Filter>rules</Filter> - </ClCompile> </ItemGroup> <ItemGroup> <ClInclude Include="stdafx.h" /> 
@@ -81,6 +81,9 @@ <Filter>rules</Filter> </ClInclude> <ClInclude Include="sessionrecord.h" /> + <ClInclude Include="rules\restrictdns.h"> + <Filter>rules</Filter> + </ClInclude> <ClInclude Include="rules\permitvpntunnelservice.h"> <Filter>rules</Filter> </ClInclude> @@ -96,9 +99,6 @@ <ClInclude Include="rules\permitping.h"> <Filter>rules</Filter> </ClInclude> - <ClInclude Include="rules\permittunneldns.h"> - <Filter>rules</Filter> - </ClInclude> </ItemGroup> <ItemGroup> <Filter Include="rules"> |
