Restrain DNS servers according to protocol

- Cleartext: pick any available - HTTPS/TLS: only pick local servers, secure DNS may NEVER come from VPN server Require for TLS, not for HTTPS (not even sure about their need).
2021-01-26 11:12:16 +01:00 · 2021-01-26 11:12:16 +01:00 · 790ec276db
parent 3abb7cbccc
commit 790ec276db
1 changed files with 11 additions and 4 deletions
--- a/TunnelKit/Sources/Protocols/OpenVPN/AppExtension/OpenVPNTunnelProvider.swift
+++ b/TunnelKit/Sources/Protocols/OpenVPN/AppExtension/OpenVPNTunnelProvider.swift
@ -682,28 +682,34 @@ extension OpenVPNTunnelProvider: OpenVPNSessionDelegate {
            return
        }
        
-        let dnsServers = cfg.sessionConfiguration.dnsServers ?? options.dnsServers ?? []
-
+        var dnsServers: [String] = []
        var dnsSettings: NEDNSSettings?
        if #available(iOS 14, macOS 11, *) {
            switch cfg.sessionConfiguration.dnsProtocol {
            case .https:
+                dnsServers = cfg.sessionConfiguration.dnsServers ?? []
                guard let serverURL = cfg.sessionConfiguration.dnsHTTPSURL else {
                    break
                }
                let specific = NEDNSOverHTTPSSettings(servers: dnsServers)
                specific.serverURL = serverURL
                dnsSettings = specific
-                log.info("DNS: Using HTTPS server \(serverURL.maskedDescription)")
+                log.info("DNS over HTTPS: Using servers \(dnsServers.maskedDescription)")
+                log.info("\tHTTPS URL: \(serverURL.maskedDescription)")

            case .tls:
+                guard let dnsServers = cfg.sessionConfiguration.dnsServers else {
+                    session?.shutdown(error: ProviderError.dnsFailure)
+                    return
+                }
                guard let serverName = cfg.sessionConfiguration.dnsTLSServerName else {
                    break
                }
                let specific = NEDNSOverTLSSettings(servers: dnsServers)
                specific.serverName = serverName
                dnsSettings = specific
-                log.info("DNS: Using TLS server name \(serverName.maskedDescription)")
+                log.info("DNS over TLS: Using servers \(dnsServers.maskedDescription)")
+                log.info("\tTLS server name: \(serverName.maskedDescription)")

            default:
                break
@ -712,6 +718,7 @@ extension OpenVPNTunnelProvider: OpenVPNSessionDelegate {

        // fall back
        if dnsSettings == nil {
+            dnsServers = cfg.sessionConfiguration.dnsServers ?? options.dnsServers ?? []
            if !dnsServers.isEmpty {
                log.info("DNS: Using servers \(dnsServers.maskedDescription)")
                dnsSettings = NEDNSSettings(servers: dnsServers)