Improve dns redirection for the self-check

2025-09-01 18:19:12 +00:00 · 2021-11-17 15:43:21 +01:00 · 2021-11-17 15:43:21 +01:00 · 0cd069ac1a
commit 0cd069ac1a
parent 7c6acbd4c6
2 changed files with 11 additions and 5 deletions
--- a/firewall/interception.go
+++ b/firewall/interception.go
@ -340,11 +340,19 @@ func initialHandler(conn *network.Connection, pkt packet.Packet) {
 		// Set tunnel options.
 		setCustomTunnelOptionsForPortmaster(conn)

+		// Redirect outbound DNS packests,
 	case pkt.IsOutbound() &&
 		pkt.Info().DstPort == 53 &&
-		conn.Process().Pid != ownPID &&
+		// that don't match the address of our nameserver,
 		nameserverIPMatcherReady.IsSet() &&
-		!nameserverIPMatcher(pkt.Info().Dst):
+		!nameserverIPMatcher(pkt.Info().Dst) &&
+		// and are not broadcast queries by us.
+		// Context:
+		// - Unicast queries by the resolver are pre-authenticated.
+		// - Unicast qeries by the compat self-check should be redirected.
+		!(conn.Process().Pid == ownPID &&
+			conn.Entity.IPScope == netutils.LocalMulticast):
+
 		// Reroute rogue dns queries back to Portmaster.
 		conn.Verdict = network.VerdictRerouteToNameserver
 		conn.Reason.Msg = "redirecting rogue dns query"
--- a/resolver/resolver-mdns.go
+++ b/resolver/resolver-mdns.go
@ -9,11 +9,9 @@ import (
 	"sync"
 	"time"

-	"github.com/safing/portmaster/network/netutils"
-
 	"github.com/miekg/dns"
-
 	"github.com/safing/portbase/log"
+	"github.com/safing/portmaster/network/netutils"
 )

 // DNS Classes