authorDavid Lönnhager <david.l@mullvad.net>2025-05-12 17:12:54 +0200
committerJoakim Hulthe <joakim.hulthe@mullvad.net>2025-05-14 18:00:32 +0200
commit894271698bc72286fefc8c6a8dcadc644d7a4bfe (patch)
tree8dd76940fa3bc254d2a93d73a87f16937dc12b48
parentcb28ff3100a15ff07e5af9c27f8ad9f92fa19886 (diff)
Do not config resolver needlessly
-rw-r--r--talpid-core/src/tunnel_state_machine/connected_state.rs36
-rw-r--r--talpid-core/src/tunnel_state_machine/error_state.rs19
2 files changed, 39 insertions, 16 deletions
diff --git a/talpid-core/src/tunnel_state_machine/connected_state.rs b/talpid-core/src/tunnel_state_machine/connected_state.rs
index 8dfa6b33ae..3348f68603 100644
--- a/talpid-core/src/tunnel_state_machine/connected_state.rs
+++ b/talpid-core/src/tunnel_state_machine/connected_state.rs
@@ -6,10 +6,10 @@ use talpid_types::net::{AllowedClients, AllowedEndpoint, TunnelParameters};
use talpid_types::tunnel::{ErrorStateCause, FirewallPolicyError};
use talpid_types::{BoxedError, ErrorExt};
-#[cfg(target_os = "macos")]
-use crate::dns::DnsConfig;
use crate::dns::ResolvedDnsConfig;
use crate::firewall::FirewallPolicy;
+#[cfg(target_os = "macos")]
+use crate::resolver::LOCAL_DNS_RESOLVER;
#[cfg(windows)]
use crate::tunnel::TunnelMonitor;
use crate::tunnel::{TunnelEvent, TunnelMetadata};
@@ -162,9 +162,16 @@ impl ConnectedState {
.set(&self.metadata.interface, dns_config)
.map_err(BoxedError::new)?;
- // On macOS, configure only the local DNS resolver
#[cfg(target_os = "macos")]
- {
+ // We do not want to forward DNS queries to *our* local resolver if we do not run a local
+ // DNS resolver.
+ if !*LOCAL_DNS_RESOLVER {
+ log::debug!("Not enabling local DNS resolver");
+ shared_values
+ .dns_monitor
+ .set(&self.metadata.interface, dns_config)
+ .map_err(BoxedError::new)?;
+ } else {
log::debug!("Enabling local DNS resolver");
// Tell local DNS resolver to start forwarding DNS queries to whatever `dns_config`
// specifies as DNS.
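Review bot: The `else` branch now depends on system DNS already pointing at the local resolver, but nothing visible here says where that is established. The commit removes the `dns_monitor.set("lo", system_dns)` call in the following hunk, so if that precondition does not hold, enabling forwarding alone would presumably leave lookups going to whatever resolver the system had configured, which is the kind of DNS leak this code exists to prevent. I would state the invariant beside the log line, e.g. `// System DNS must already point at the local resolver here; we only switch on forwarding.` The added comment above the `if` also describes only the first branch and sits between `#[cfg(target_os = "macos")]` and the statement it gates, which makes the attribute easy to overlook. The enclosing function starts and ends outside this hunk.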
@@ -173,15 +180,6 @@ impl ConnectedState {
.filtering_resolver
.enable_forward(dns_config.addresses().collect()),
);
- // Set system DNS to our local DNS resolver
- let system_dns = DnsConfig::default().resolve(
- &[shared_values.filtering_resolver.listening_addr().ip()],
- shared_values.filtering_resolver.listening_addr().port(),
- );
- shared_values
- .dns_monitor
- .set("lo", system_dns)
- .map_err(BoxedError::new)?;
}
Ok(())
@@ -195,9 +193,15 @@ impl ConnectedState {
// On macOS, configure only the local DNS resolver
#[cfg(target_os = "macos")]
- shared_values
- .runtime
- .block_on(shared_values.filtering_resolver.disable_forward());
+ if !*LOCAL_DNS_RESOLVER {
+ if let Err(error) = shared_values.dns_monitor.reset_before_interface_removal() {
+ log::error!("{}", error.display_chain_with_msg("Unable to reset DNS"));
+ }
+ } else {
+ shared_values
+ .runtime
+ .block_on(shared_values.filtering_resolver.disable_forward());
+ }
}
fn reset_routes(
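Review bot: The context comment `// On macOS, configure only the local DNS resolver` directly above the new `if` no longer matches the code, because the `!*LOCAL_DNS_RESOLVER` branch resets system DNS through `dns_monitor` and never touches the resolver. I would replace it with something like `// On macOS, reset system DNS directly unless the local resolver is running; in that case only stop forwarding.` A failed `reset_before_interface_removal()` is only logged, so the caller cannot tell that tunnel DNS settings may still be applied to the system. If that is deliberate best-effort behaviour (the non-macOS path is not visible in this hunk), a one-line comment saying so would help. The function begins outside the hunk.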
diff --git a/talpid-core/src/tunnel_state_machine/error_state.rs b/talpid-core/src/tunnel_state_machine/error_state.rs
index 75afad4478..ca280b9584 100644
--- a/talpid-core/src/tunnel_state_machine/error_state.rs
+++ b/talpid-core/src/tunnel_state_machine/error_state.rs
@@ -6,6 +6,8 @@ use super::{
use crate::dns::DnsConfig;
#[cfg(not(target_os = "android"))]
use crate::firewall::FirewallPolicy;
+#[cfg(target_os = "macos")]
+use crate::resolver::LOCAL_DNS_RESOLVER;
use futures::StreamExt;
use talpid_types::{
tunnel::{ErrorStateCause, FirewallPolicyError},
@@ -185,13 +187,30 @@ impl TunnelState for ErrorState {
if !connectivity.is_offline()
&& matches!(self.block_reason, ErrorStateCause::IsOffline)
{
+ #[cfg(target_os = "macos")]
+ if !*LOCAL_DNS_RESOLVER {
+ // This is probably unnecessary, since DNS is already configured on the
+ // primary interface.
+ Self::reset_dns(shared_values);
+ }
+
+ #[cfg(not(target_os = "macos"))]
Self::reset_dns(shared_values);
+
NewState(ConnectingState::enter(shared_values, 0))
} else {
SameState(self)
}
}
Some(TunnelCommand::Connect) => {
+ #[cfg(target_os = "macos")]
+ if !*LOCAL_DNS_RESOLVER {
+ // This is probably unnecessary, since DNS is already configured on the
+ // primary interface.
+ Self::reset_dns(shared_values);
+ }
+
+ #[cfg(not(target_os = "macos"))]
Self::reset_dns(shared_values);
NewState(ConnectingState::enter(shared_values, 0))