Restrain DNS servers according to protocol
- Cleartext: pick any available.
- HTTPS/TLS: only pick local servers; secure DNS may NEVER come from the VPN server.
Required for TLS, not for HTTPS (not even sure about their need).
This commit is contained in:
parent
3abb7cbccc
commit
790ec276db
@ -682,28 +682,34 @@ extension OpenVPNTunnelProvider: OpenVPNSessionDelegate {
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
let dnsServers = cfg.sessionConfiguration.dnsServers ?? options.dnsServers ?? []
|
var dnsServers: [String] = []
|
||||||
|
|
||||||
var dnsSettings: NEDNSSettings?
|
var dnsSettings: NEDNSSettings?
|
||||||
if #available(iOS 14, macOS 11, *) {
|
if #available(iOS 14, macOS 11, *) {
|
||||||
switch cfg.sessionConfiguration.dnsProtocol {
|
switch cfg.sessionConfiguration.dnsProtocol {
|
||||||
case .https:
|
case .https:
|
||||||
|
dnsServers = cfg.sessionConfiguration.dnsServers ?? []
|
||||||
guard let serverURL = cfg.sessionConfiguration.dnsHTTPSURL else {
|
guard let serverURL = cfg.sessionConfiguration.dnsHTTPSURL else {
|
||||||
break
|
break
|
||||||
}
|
}
|
||||||
let specific = NEDNSOverHTTPSSettings(servers: dnsServers)
|
let specific = NEDNSOverHTTPSSettings(servers: dnsServers)
|
||||||
specific.serverURL = serverURL
|
specific.serverURL = serverURL
|
||||||
dnsSettings = specific
|
dnsSettings = specific
|
||||||
log.info("DNS: Using HTTPS server \(serverURL.maskedDescription)")
|
log.info("DNS over HTTPS: Using servers \(dnsServers.maskedDescription)")
|
||||||
|
log.info("\tHTTPS URL: \(serverURL.maskedDescription)")
|
||||||
|
|
||||||
case .tls:
|
case .tls:
|
||||||
|
guard let dnsServers = cfg.sessionConfiguration.dnsServers else {
|
||||||
|
session?.shutdown(error: ProviderError.dnsFailure)
|
||||||
|
return
|
||||||
|
}
|
||||||
guard let serverName = cfg.sessionConfiguration.dnsTLSServerName else {
|
guard let serverName = cfg.sessionConfiguration.dnsTLSServerName else {
|
||||||
break
|
break
|
||||||
}
|
}
|
||||||
let specific = NEDNSOverTLSSettings(servers: dnsServers)
|
let specific = NEDNSOverTLSSettings(servers: dnsServers)
|
||||||
specific.serverName = serverName
|
specific.serverName = serverName
|
||||||
dnsSettings = specific
|
dnsSettings = specific
|
||||||
log.info("DNS: Using TLS server name \(serverName.maskedDescription)")
|
log.info("DNS over TLS: Using servers \(dnsServers.maskedDescription)")
|
||||||
|
log.info("\tTLS server name: \(serverName.maskedDescription)")
|
||||||
|
|
||||||
default:
|
default:
|
||||||
break
|
break
|
||||||
@ -712,6 +718,7 @@ extension OpenVPNTunnelProvider: OpenVPNSessionDelegate {
|
|||||||
|
|
||||||
// fall back
|
// fall back
|
||||||
if dnsSettings == nil {
|
if dnsSettings == nil {
|
||||||
|
dnsServers = cfg.sessionConfiguration.dnsServers ?? options.dnsServers ?? []
|
||||||
if !dnsServers.isEmpty {
|
if !dnsServers.isEmpty {
|
||||||
log.info("DNS: Using servers \(dnsServers.maskedDescription)")
|
log.info("DNS: Using servers \(dnsServers.maskedDescription)")
|
||||||
dnsSettings = NEDNSSettings(servers: dnsServers)
|
dnsSettings = NEDNSSettings(servers: dnsServers)
|
||||||
|
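Review bot: The new guard in the `.tls` case rejects only a missing `dnsServers`, not an empty one, so a configuration with `dnsServers = []` passes it and builds `NEDNSOverTLSSettings(servers: [])` with no resolver address (presumably not a working DoT setup); given the commit's stated intent to require servers for TLS, and the `!dnsServers.isEmpty` check the fallback hunk already uses, the condition should be `guard let dnsServers = cfg.sessionConfiguration.dnsServers, !dnsServers.isEmpty else {`. Separately, when `dnsTLSServerName` or `dnsHTTPSURL` is nil the `break` drops into the fallback, which now takes `options.dnsServers` pushed by the VPN server and configures cleartext DNS — consistent with the stated policy for cleartext, but a silent downgrade from the secure protocol the user configured, so the fallback branch deserves at least a `log.warning` stating that the requested DNS protocol was not applied. The enclosing delegate method starts before the first hunk and ends after the second.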