authorLinus Färnstrand <faern@faern.net>2022-01-10 15:53:52 +0100
committerLinus Färnstrand <linus@mullvad.net>2022-01-11 14:44:34 +0100
commitb03b5d8cb1ba720cea3dc07bbbce95bd502e4f4d (patch)
treeaee5d5bb03c2204ccca420c7e9af4d0fe33503b2
parent3d53d5ff7034b404bf58206f10d877b6cfd57d13 (diff)
downloadmullvadvpn-b03b5d8cb1ba720cea3dc07bbbce95bd502e4f4d.tar.xz
mullvadvpn-b03b5d8cb1ba720cea3dc07bbbce95bd502e4f4d.zip
Add ability to block malware via server side DNS to daemon/CLI
-rw-r--r--mullvad-cli/src/cmds/dns.rs16
-rw-r--r--mullvad-daemon/src/lib.rs36
-rw-r--r--mullvad-management-interface/proto/management_interface.proto1
-rw-r--r--mullvad-management-interface/src/types.rs2
-rw-r--r--mullvad-types/src/settings/mod.rs1
5 files changed, 45 insertions, 11 deletions
diff --git a/mullvad-cli/src/cmds/dns.rs b/mullvad-cli/src/cmds/dns.rs
index 9ffa0ec09c..91562ff798 100644
--- a/mullvad-cli/src/cmds/dns.rs
+++ b/mullvad-cli/src/cmds/dns.rs
@@ -36,6 +36,12 @@ impl Command for Dns {
.long("block-trackers")
.takes_value(false)
.help("Block domain names used for tracking"),
+ )
+ .arg(
+ clap::Arg::with_name("block malware")
+ .long("block-malware")
+ .takes_value(false)
+ .help("Block domains known to be used by malware"),
),
)
.subcommand(
@@ -58,6 +64,7 @@ impl Command for Dns {
self.set_default(
matches.is_present("block ads"),
matches.is_present("block trackers"),
+ matches.is_present("block malware"),
)
.await
}
@@ -73,7 +80,12 @@ impl Command for Dns {
}
impl Dns {
- async fn set_default(&self, block_ads: bool, block_trackers: bool) -> Result<()> {
+ async fn set_default(
+ &self,
+ block_ads: bool,
+ block_trackers: bool,
+ block_malware: bool,
+ ) -> Result<()> {
let mut rpc = new_rpc_client().await?;
let settings = rpc.get_settings(()).await?.into_inner();
rpc.set_dns_options(types::DnsOptions {
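Review bot: The new signature `set_default(&self, block_ads: bool, block_trackers: bool, block_malware: bool)` now takes three positional booleans of the same type, so a swapped argument at the call site compiles silently; the caller in the earlier hunk passes them by `matches.is_present(...)` order only. Passing a single `types::DefaultDnsOptions { block_ads, block_trackers, block_malware }` built at the call site, or naming the fields in a small struct, would make each flag self-describing where it is set. The `.unwrap()` calls on `tunnel_options` and `dns_options` are pre-existing context and unchanged by this commit. The body of `set_default` continues past the hunk.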
@@ -81,6 +93,7 @@ impl Dns {
default_options: Some(types::DefaultDnsOptions {
block_ads,
block_trackers,
+ block_malware,
}),
..settings.tunnel_options.unwrap().dns_options.unwrap()
})
@@ -122,6 +135,7 @@ impl Dns {
println!("Custom DNS: no");
println!("Block ads: {}", options.default_options.block_ads);
println!("Block trackers: {}", options.default_options.block_trackers);
+ println!("Block malware: {}", options.default_options.block_malware);
}
DnsState::Custom => {
println!("Custom DNS: yes\nServers:");
diff --git a/mullvad-daemon/src/lib.rs b/mullvad-daemon/src/lib.rs
index 1703344007..57b2c9d890 100644
--- a/mullvad-daemon/src/lib.rs
+++ b/mullvad-daemon/src/lib.rs
@@ -89,9 +89,13 @@ const FIRST_KEY_PUSH_TIMEOUT: Duration = Duration::from_secs(5);
/// Delay between generating a new WireGuard key and reconnecting
const WG_RECONNECT_DELAY: Duration = Duration::from_secs(4 * 60);
-const DNS_AD_BLOCKING_SERVERS: [IpAddr; 1] = [IpAddr::V4(Ipv4Addr::new(100, 64, 0, 1))];
-const DNS_TRACKER_BLOCKING_SERVERS: [IpAddr; 1] = [IpAddr::V4(Ipv4Addr::new(100, 64, 0, 2))];
-const DNS_AD_TRACKER_BLOCKING_SERVERS: [IpAddr; 1] = [IpAddr::V4(Ipv4Addr::new(100, 64, 0, 3))];
+/// When we want to block certain contents with the help of DNS server side,
+/// we compute the resolver IP to use based on these constants. The last
+/// byte can be ORed together to combine multiple block lists.
+const DNS_BLOCKING_IP_BASE: Ipv4Addr = Ipv4Addr::new(100, 64, 0, 0);
+const DNS_AD_BLOCKING_IP_BIT: u8 = 0b001;
+const DNS_TRACKER_BLOCKING_IP_BIT: u8 = 0b010;
+const DNS_MALWARE_BLOCKING_IP_BIT: u8 = 0b100;
pub type ResponseTx<T, E> = oneshot::Sender<Result<T, E>>;
@@ -815,17 +819,29 @@ where
}
}
+ /// Get which special DNS resolvers to use. Returns `None` when no special resolvers
+ /// are requested and the tunnel default gateway should be used.
fn get_dns_resolvers(options: &DnsOptions) -> Option<Vec<IpAddr>> {
match options.state {
DnsState::Default => {
+ // Check if we should use a custom blocking DNS resolver.
+ // And if so, compute the IP.
+ let mut last_byte: u8 = 0;
+
if options.default_options.block_ads {
- if options.default_options.block_trackers {
- Some(DNS_AD_TRACKER_BLOCKING_SERVERS.to_vec())
- } else {
- Some(DNS_AD_BLOCKING_SERVERS.to_vec())
- }
- } else if options.default_options.block_trackers {
- Some(DNS_TRACKER_BLOCKING_SERVERS.to_vec())
+ last_byte |= DNS_AD_BLOCKING_IP_BIT;
+ }
+ if options.default_options.block_trackers {
+ last_byte |= DNS_TRACKER_BLOCKING_IP_BIT;
+ }
+ if options.default_options.block_malware {
+ last_byte |= DNS_MALWARE_BLOCKING_IP_BIT;
+ }
+
+ if last_byte != 0 {
+ let mut dns_ip = DNS_BLOCKING_IP_BASE.octets();
+ dns_ip[dns_ip.len() - 1] |= last_byte;
+ Some(vec![IpAddr::V4(Ipv4Addr::from(dns_ip))])
} else {
None
}
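Review bot: The resolver address is now derived arithmetically at `dns_ip[dns_ip.len() - 1] |= last_byte`, which only yields the intended address if the last octet of `DNS_BLOCKING_IP_BASE` is zero, and the 100.64.0.1/.2/.3 values that the removed constants pinned explicitly are now implied rather than checked anywhere in the hunk. A unit test on `get_dns_resolvers` asserting ads→100.64.0.1, trackers→100.64.0.2, ads+trackers→100.64.0.3, malware alone→100.64.0.4 and all three→100.64.0.7 would keep this refactor from silently changing which resolver is pushed to the tunnel. The .4–.7 combinations are new addresses; whether the server side answers on every one of them cannot be verified from this diff, so a comment stating that assumption next to the bit constants would help the next maintainer, e.g. `// Every OR-combination of the bits below must correspond to a deployed resolver.`. Since the array is always four octets, `dns_ip[3]` reads more directly than `dns_ip[dns_ip.len() - 1]`. The enclosing `match` and the function body continue past the hunk.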
diff --git a/mullvad-management-interface/proto/management_interface.proto b/mullvad-management-interface/proto/management_interface.proto
index 3c7c0fe2e1..82a00aaf5e 100644
--- a/mullvad-management-interface/proto/management_interface.proto
+++ b/mullvad-management-interface/proto/management_interface.proto
@@ -402,6 +402,7 @@ message TunnelOptions {
message DefaultDnsOptions {
bool block_ads = 1;
bool block_trackers = 2;
+ bool block_malware = 3;
}
message CustomDnsOptions {
diff --git a/mullvad-management-interface/src/types.rs b/mullvad-management-interface/src/types.rs
index 43925d0b91..e8651c11e1 100644
--- a/mullvad-management-interface/src/types.rs
+++ b/mullvad-management-interface/src/types.rs
@@ -554,6 +554,7 @@ impl From<&mullvad_types::settings::DnsOptions> for DnsOptions {
default_options: Some(DefaultDnsOptions {
block_ads: options.default_options.block_ads,
block_trackers: options.default_options.block_trackers,
+ block_malware: options.default_options.block_malware,
}),
custom_options: Some(CustomDnsOptions {
addresses: options
@@ -1283,6 +1284,7 @@ impl TryFrom<DnsOptions> for mullvad_types::settings::DnsOptions {
default_options: MullvadDefaultDnsOptions {
block_ads: default_options.block_ads,
block_trackers: default_options.block_trackers,
+ block_malware: default_options.block_malware,
},
custom_options: MullvadCustomDnsOptions {
addresses: custom_options
diff --git a/mullvad-types/src/settings/mod.rs b/mullvad-types/src/settings/mod.rs
index 7a941d968f..6044c3ecd7 100644
--- a/mullvad-types/src/settings/mod.rs
+++ b/mullvad-types/src/settings/mod.rs
@@ -295,6 +295,7 @@ where
pub struct DefaultDnsOptions {
pub block_ads: bool,
pub block_trackers: bool,
+ pub block_malware: bool,
}
/// Custom DNS config
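Review bot: Adding `pub block_malware: bool` to `DefaultDnsOptions` changes the on-disk settings schema, and if this struct is deserialized from persisted settings without `#[serde(default)]` on the struct or field, settings files written before this change would fail to load. The derive attributes sit above the hunk so this cannot be confirmed here; if they do not already default missing fields, `#[serde(default)]` on the new field (or the struct) keeps older settings readable. The struct definition starts outside the hunk.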