authorDavid Lönnhager <david.l@mullvad.net>2022-10-17 10:30:49 +0200
committerDavid Lönnhager <david.l@mullvad.net>2022-10-17 10:30:49 +0200
commit86777eb87505855851462817f6672194ecbc2e54 (patch)
tree1174a2dcb050d84e2a7d3ddf90bf591a84cf1e52
parented1f1b1abbc7f54e842fd52b7d24afb56adad891 (diff)
parent9ef1b15d6e427a1466244f651536051c737137f6 (diff)
Merge branch 'win-fw-relax-dns-sublayer-restriction'
-rw-r--r--CHANGELOG.md5
-rw-r--r--windows/winfw/src/winfw/fwcontext.cpp2
-rw-r--r--windows/winfw/src/winfw/mullvadguids.cpp30
-rw-r--r--windows/winfw/src/winfw/mullvadguids.h2
-rw-r--r--windows/winfw/src/winfw/rules/dns/blockall.cpp2
-rw-r--r--windows/winfw/src/winfw/rules/dns/permitloopback.cpp62
-rw-r--r--windows/winfw/src/winfw/rules/dns/permitloopback.h18
-rw-r--r--windows/winfw/src/winfw/winfw.vcxproj2
-rw-r--r--windows/winfw/src/winfw/winfw.vcxproj.filters6
9 files changed, 127 insertions, 2 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a838bd8608..595def98f1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -33,6 +33,11 @@ Line wrap the file at 100 chars. Th
#### Linux
- Don't prevent early boot service from running if logging to a file fails.
+### Security
+#### Windows
+- DNS loopback traffic is no longer blocked. Note that local resolvers are still unable to forward
+ queries to servers that would normally be blocked.
+
## [2022.5-beta2] - 2022-10-05
### Added
diff --git a/windows/winfw/src/winfw/fwcontext.cpp b/windows/winfw/src/winfw/fwcontext.cpp
index b72cefe2d3..3a8b5d2fe5 100644
--- a/windows/winfw/src/winfw/fwcontext.cpp
+++ b/windows/winfw/src/winfw/fwcontext.cpp
@@ -16,6 +16,7 @@
#include "rules/baseline/permitdns.h"
#include "rules/baseline/permitendpoint.h"
#include "rules/dns/blockall.h"
+#include "rules/dns/permitloopback.h"
#include "rules/dns/permittunnel.h"
#include "rules/dns/permitnontunnel.h"
#include "rules/multi/permitvpnrelay.h"
@@ -69,6 +70,7 @@ void AppendSettingsRules
//
ruleset.emplace_back(std::make_unique<baseline::PermitDns>());
+ ruleset.emplace_back(std::make_unique<dns::PermitLoopback>());
ruleset.emplace_back(std::make_unique<dns::BlockAll>());
}
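Review bot: The new `PermitLoopback` rule is emplaced immediately ahead of `BlockAll`, but nothing on the line says that this position is not what makes the permit take effect: both rules install filters into the same DNS sublayer (`permitloopback.cpp` in this commit uses `SublayerDns()` with `WeightClass::Medium`), and within a WFP sublayer it is the filter weight, not installation order, that arbitrates between a permit and a block. A comment on the added line such as `// Permit filters must outweigh BlockAll's filters in the DNS sublayer to take effect` would make that dependency explicit. BlockAll's weight is not visible in this diff, so the intended weight relationship should be confirmed against `blockall.cpp`. `AppendSettingsRules` begins outside this hunk.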
diff --git a/windows/winfw/src/winfw/mullvadguids.cpp b/windows/winfw/src/winfw/mullvadguids.cpp
index 8a9de5fe0f..aeab958554 100644
--- a/windows/winfw/src/winfw/mullvadguids.cpp
+++ b/windows/winfw/src/winfw/mullvadguids.cpp
@@ -145,6 +145,8 @@ MullvadGuids::DetailedIdentityRegistry MullvadGuids::DetailedRegistry(IdentityQu
registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Baseline_PermitDns_Outbound_Ipv6()));
registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Dns_BlockAll_Outbound_Ipv4()));
registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Dns_BlockAll_Outbound_Ipv6()));
+ registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Dns_PermitLoopback_Outbound_Ipv4()));
+ registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Dns_PermitLoopback_Outbound_Ipv6()));
registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Dns_PermitNonTunnel_Outbound_Ipv4()));
registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Dns_PermitNonTunnel_Outbound_Ipv6()));
registry.insert(std::make_pair(WfpObjectType::Filter, Filter_Dns_PermitTunnel_Outbound_Ipv4()));
@@ -925,3 +927,31 @@ const GUID &MullvadGuids::Filter_Dns_PermitTunnel_Outbound_Ipv6()
return g;
}
+
+//static
+const GUID &MullvadGuids::Filter_Dns_PermitLoopback_Outbound_Ipv4()
+{
+ static const GUID g =
+ {
+ 0x4e2bdc82,
+ 0x292c,
+ 0x4545,
+ { 0xa5, 0xc4, 0x50, 0x25, 0x1c, 0x70, 0x2f, 0xcd }
+ };
+
+ return g;
+}
+
+//static
+const GUID &MullvadGuids::Filter_Dns_PermitLoopback_Outbound_Ipv6()
+{
+ static const GUID g =
+ {
+ 0x7811263c,
+ 0x3916,
+ 0x428d,
+ { 0xa5, 0x14, 0x2e, 0x43, 0x2, 0x1a, 0x73, 0x8a }
+ };
+
+ return g;
+}
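Review bot: The IPv6 GUID's byte array writes one element as `0x2` where every other byte in these two initializers (and in the IPv4 getter just above) is zero-padded to two digits; `{ 0xa5, 0x14, 0x2e, 0x43, 0x02, 0x1a, 0x73, 0x8a }` keeps the registry's formatting uniform and makes the value easier to compare against a GUID dump or the header. Both getters otherwise follow the existing function-local `static const GUID` pattern used by `Filter_Dns_PermitTunnel_Outbound_Ipv6` immediately above.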
diff --git a/windows/winfw/src/winfw/mullvadguids.h b/windows/winfw/src/winfw/mullvadguids.h
index ed064a9409..abd06dc102 100644
--- a/windows/winfw/src/winfw/mullvadguids.h
+++ b/windows/winfw/src/winfw/mullvadguids.h
@@ -94,6 +94,8 @@ public:
static const GUID &Filter_Dns_PermitNonTunnel_Outbound_Ipv6();
static const GUID &Filter_Dns_PermitTunnel_Outbound_Ipv4();
static const GUID &Filter_Dns_PermitTunnel_Outbound_Ipv6();
+ static const GUID &Filter_Dns_PermitLoopback_Outbound_Ipv4();
+ static const GUID &Filter_Dns_PermitLoopback_Outbound_Ipv6();
//
// Persistent and boot-time filters
diff --git a/windows/winfw/src/winfw/rules/dns/blockall.cpp b/windows/winfw/src/winfw/rules/dns/blockall.cpp
index 8324a5fdb2..f81dbc1947 100644
--- a/windows/winfw/src/winfw/rules/dns/blockall.cpp
+++ b/windows/winfw/src/winfw/rules/dns/blockall.cpp
@@ -30,7 +30,6 @@ bool BlockAll::apply(IObjectInstaller &objectInstaller)
.block();
wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V4);
-
conditionBuilder.add_condition(ConditionPort::Remote(DNS_SERVER_PORT));
if (false == objectInstaller.addFilter(filterBuilder, conditionBuilder))
@@ -48,7 +47,6 @@ bool BlockAll::apply(IObjectInstaller &objectInstaller)
.layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
conditionBuilder.reset(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
-
conditionBuilder.add_condition(ConditionPort::Remote(DNS_SERVER_PORT));
return objectInstaller.addFilter(filterBuilder, conditionBuilder);
diff --git a/windows/winfw/src/winfw/rules/dns/permitloopback.cpp b/windows/winfw/src/winfw/rules/dns/permitloopback.cpp
new file mode 100644
index 0000000000..d9988e3608
--- /dev/null
+++ b/windows/winfw/src/winfw/rules/dns/permitloopback.cpp
@@ -0,0 +1,62 @@
+#include "stdafx.h"
+#include "permitloopback.h"
+#include <winfw/mullvadguids.h>
+#include <winfw/rules/ports.h>
+#include <libwfp/filterbuilder.h>
+#include <libwfp/conditionbuilder.h>
+#include <libwfp/conditions/conditionloopback.h>
+#include <libwfp/conditions/conditionport.h>
+
+using namespace wfp::conditions;
+
+namespace rules::dns
+{
+
+bool PermitLoopback::apply(IObjectInstaller &objectInstaller)
+{
+ wfp::FilterBuilder filterBuilder;
+
+ //
+ // #1 Permit outbound connections, IPv4.
+ //
+
+ filterBuilder
+ .key(MullvadGuids::Filter_Dns_PermitLoopback_Outbound_Ipv4())
+ .name(L"Permit loopback DNS traffic (IPv4)")
+ .description(L"This filter is part of a rule that permits loopback DNS traffic")
+ .provider(MullvadGuids::Provider())
+ .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V4)
+ .sublayer(MullvadGuids::SublayerDns())
+ .weight(wfp::FilterBuilder::WeightClass::Medium)
+ .permit();
+
+ {
+ wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V4);
+
+ conditionBuilder.add_condition(std::make_unique<ConditionLoopback>());
+ conditionBuilder.add_condition(ConditionPort::Remote(DNS_SERVER_PORT));
+
+ if (false == objectInstaller.addFilter(filterBuilder, conditionBuilder))
+ {
+ return false;
+ }
+ }
+
+ //
+ // #2 Permit outbound connections, IPv6.
+ //
+
+ filterBuilder
+ .key(MullvadGuids::Filter_Dns_PermitLoopback_Outbound_Ipv6())
+ .name(L"Permit loopback DNS traffic (IPv6)")
+ .layer(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
+
+ wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V6);
+
+ conditionBuilder.add_condition(std::make_unique<ConditionLoopback>());
+ conditionBuilder.add_condition(ConditionPort::Remote(DNS_SERVER_PORT));
+
+ return objectInstaller.addFilter(filterBuilder, conditionBuilder);
+}
+
+}
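Review bot: The IPv4 section wraps its `wfp::ConditionBuilder` in a bare block so that the IPv6 section can declare a second one, while `blockall.cpp` in this same commit reuses a single builder via `conditionBuilder.reset(FWPM_LAYER_ALE_AUTH_CONNECT_V6)`; declaring `wfp::ConditionBuilder conditionBuilder(FWPM_LAYER_ALE_AUTH_CONNECT_V4);` once at function scope, dropping the braces, and replacing the second declaration with `conditionBuilder.reset(FWPM_LAYER_ALE_AUTH_CONNECT_V6);` would make the two DNS rules read the same way. The `#2` section also relies on the description, provider, sublayer, weight and permit action carried over from the IPv4 call chain on the reused `filterBuilder`, which a reader has to verify by eye; a comment such as `// Description, provider, sublayer, weight and action carry over from #1.` above the second chain would spare that. A short header comment on `apply` stating that the rule exists so DNS traffic to local resolvers on loopback is reachable, and that (as the changelog entry notes) it does not widen what those resolvers may forward, would document the security intent where the next maintainer will look for it.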
diff --git a/windows/winfw/src/winfw/rules/dns/permitloopback.h b/windows/winfw/src/winfw/rules/dns/permitloopback.h
new file mode 100644
index 0000000000..f15f16b63d
--- /dev/null
+++ b/windows/winfw/src/winfw/rules/dns/permitloopback.h
@@ -0,0 +1,18 @@
+#pragma once
+
+#include <winfw/rules/ifirewallrule.h>
+
+namespace rules::dns
+{
+
+class PermitLoopback : public IFirewallRule
+{
+public:
+
+ PermitLoopback() = default;
+ ~PermitLoopback() = default;
+
+ bool apply(IObjectInstaller &objectInstaller) override;
+};
+
+}
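Review bot: `~PermitLoopback() = default;` is user-declared but not marked `override`, so nothing here checks that `IFirewallRule`'s destructor is virtual, and the explicit declaration also suppresses the class's implicit move operations. Since `apply` is overridden the base is polymorphic; either write `~PermitLoopback() override = default;` (if the base destructor is indeed virtual) or drop both defaulted special members and let the compiler generate them. Declaring the class `final` would additionally let the compiler devirtualize calls made through a `PermitLoopback` reference.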
diff --git a/windows/winfw/src/winfw/winfw.vcxproj b/windows/winfw/src/winfw/winfw.vcxproj
index f13b019889..c251e21455 100644
--- a/windows/winfw/src/winfw/winfw.vcxproj
+++ b/windows/winfw/src/winfw/winfw.vcxproj
@@ -35,6 +35,7 @@
<ClCompile Include="rules\baseline\permitvpntunnel.cpp" />
<ClCompile Include="rules\baseline\permitvpntunnelservice.cpp" />
<ClCompile Include="rules\dns\blockall.cpp" />
+ <ClCompile Include="rules\dns\permitloopback.cpp" />
<ClCompile Include="rules\dns\permitnontunnel.cpp" />
<ClCompile Include="rules\dns\permittunnel.cpp" />
<ClCompile Include="rules\multi\permitvpnrelay.cpp" />
@@ -69,6 +70,7 @@
<ClInclude Include="rules\baseline\permitvpntunnel.h" />
<ClInclude Include="rules\baseline\permitvpntunnelservice.h" />
<ClInclude Include="rules\dns\blockall.h" />
+ <ClInclude Include="rules\dns\permitloopback.h" />
<ClInclude Include="rules\dns\permitnontunnel.h" />
<ClInclude Include="rules\dns\permittunnel.h" />
<ClInclude Include="rules\multi\permitvpnrelay.h" />
diff --git a/windows/winfw/src/winfw/winfw.vcxproj.filters b/windows/winfw/src/winfw/winfw.vcxproj.filters
index 6d5a5507d5..daecbb03fb 100644
--- a/windows/winfw/src/winfw/winfw.vcxproj.filters
+++ b/windows/winfw/src/winfw/winfw.vcxproj.filters
@@ -61,6 +61,9 @@
<ClCompile Include="rules\multi\permitvpnrelay.cpp">
<Filter>rules\multi</Filter>
</ClCompile>
+ <ClCompile Include="rules\dns\permitloopback.cpp">
+ <Filter>rules\dns</Filter>
+ </ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="stdafx.h" />
@@ -132,6 +135,9 @@
<ClInclude Include="rules\multi\permitvpnrelay.h">
<Filter>rules\multi</Filter>
</ClInclude>
+ <ClInclude Include="rules\dns\permitloopback.h">
+ <Filter>rules\dns</Filter>
+ </ClInclude>
</ItemGroup>
<ItemGroup>
<Filter Include="rules">