1 files changed, 26 insertions, 10 deletions

diff --git a/mullvad-daemon/src/lib.rs b/mullvad-daemon/src/lib.rs
index 1703344007..57b2c9d890 100644
--- a/mullvad-daemon/src/lib.rs
+++ b/mullvad-daemon/src/lib.rs
@@ -89,9 +89,13 @@ const FIRST_KEY_PUSH_TIMEOUT: Duration = Duration::from_secs(5);
 /// Delay between generating a new WireGuard key and reconnecting
 const WG_RECONNECT_DELAY: Duration = Duration::from_secs(4 * 60);
 
-const DNS_AD_BLOCKING_SERVERS: [IpAddr; 1] = [IpAddr::V4(Ipv4Addr::new(100, 64, 0, 1))];
-const DNS_TRACKER_BLOCKING_SERVERS: [IpAddr; 1] = [IpAddr::V4(Ipv4Addr::new(100, 64, 0, 2))];
-const DNS_AD_TRACKER_BLOCKING_SERVERS: [IpAddr; 1] = [IpAddr::V4(Ipv4Addr::new(100, 64, 0, 3))];
+/// When we want to block certain contents with the help of DNS server side,
+/// we compute the resolver IP to use based on these constants. The last
+/// byte can be ORed together to combine multiple block lists.
+const DNS_BLOCKING_IP_BASE: Ipv4Addr = Ipv4Addr::new(100, 64, 0, 0);
+const DNS_AD_BLOCKING_IP_BIT: u8 = 0b001;
+const DNS_TRACKER_BLOCKING_IP_BIT: u8 = 0b010;
+const DNS_MALWARE_BLOCKING_IP_BIT: u8 = 0b100;
 
 pub type ResponseTx<T, E> = oneshot::Sender<Result<T, E>>;
 
@@ -815,17 +819,29 @@ where
         }
     }
 
+    /// Get which special DNS resolvers to use. Returns `None` when no special resolvers
+    /// are requested and the tunnel default gateway should be used.
     fn get_dns_resolvers(options: &DnsOptions) -> Option<Vec<IpAddr>> {
         match options.state {
             DnsState::Default => {
+                // Check if we should use a custom blocking DNS resolver.
+                // And if so, compute the IP.
+                let mut last_byte: u8 = 0;
+
                 if options.default_options.block_ads {
-                    if options.default_options.block_trackers {
-                        Some(DNS_AD_TRACKER_BLOCKING_SERVERS.to_vec())
-                    } else {
-                        Some(DNS_AD_BLOCKING_SERVERS.to_vec())
-                    }
-                } else if options.default_options.block_trackers {
-                    Some(DNS_TRACKER_BLOCKING_SERVERS.to_vec())
+                    last_byte |= DNS_AD_BLOCKING_IP_BIT;
+                }
+                if options.default_options.block_trackers {
+                    last_byte |= DNS_TRACKER_BLOCKING_IP_BIT;
+                }
+                if options.default_options.block_malware {
+                    last_byte |= DNS_MALWARE_BLOCKING_IP_BIT;
+                }
+
+                if last_byte != 0 {
+                    let mut dns_ip = DNS_BLOCKING_IP_BASE.octets();
+                    dns_ip[dns_ip.len() - 1] |= last_byte;
+                    Some(vec![IpAddr::V4(Ipv4Addr::from(dns_ip))])
                 } else {
                     None
                 }