From 0cd069ac1a537e2ff098717d61c238f3f83322ab Mon Sep 17 00:00:00 2001
From: Daniel
Date: Wed, 17 Nov 2021 15:43:21 +0100
Subject: [PATCH] Improve dns redirection for the self-check

---
 firewall/interception.go | 12 ++++++++++--
 resolver/resolver-mdns.go | 4 +---
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/firewall/interception.go b/firewall/interception.go
index 8a500f3a..b90f697f 100644
--- a/firewall/interception.go
+++ b/firewall/interception.go
@@ -340,11 +340,19 @@ func initialHandler(conn *network.Connection, pkt packet.Packet) {
 	// Set tunnel options.
 	setCustomTunnelOptionsForPortmaster(conn)
 
+	// Redirect outbound DNS packests,
 	case pkt.IsOutbound() &&
 		pkt.Info().DstPort == 53 &&
-		conn.Process().Pid != ownPID &&
+		// that don't match the address of our nameserver,
 		nameserverIPMatcherReady.IsSet() &&
-		!nameserverIPMatcher(pkt.Info().Dst):
+		!nameserverIPMatcher(pkt.Info().Dst) &&
+		// and are not broadcast queries by us.
+		// Context:
+		// - Unicast queries by the resolver are pre-authenticated.
+		// - Unicast qeries by the compat self-check should be redirected.
+		!(conn.Process().Pid == ownPID &&
+			conn.Entity.IPScope == netutils.LocalMulticast):
+		// Reroute rogue dns queries back to Portmaster.
 		conn.Verdict = network.VerdictRerouteToNameserver
 		conn.Reason.Msg = "redirecting rogue dns query"
 
diff --git a/resolver/resolver-mdns.go b/resolver/resolver-mdns.go
index 59f20884..48601386 100644
--- a/resolver/resolver-mdns.go
+++ b/resolver/resolver-mdns.go
@@ -9,11 +9,9 @@ import (
 	"sync"
 	"time"
 
-	"github.com/safing/portmaster/network/netutils"
-
 	"github.com/miekg/dns"
-
 	"github.com/safing/portbase/log"
+	"github.com/safing/portmaster/network/netutils"
 )
 
 // DNS Classes
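Review bot: The new comment lines carry typos: `// Redirect outbound DNS packests,` should read `// Redirect outbound DNS packets,` and `// - Unicast qeries by the compat self-check should be redirected.` should read `// - Unicast queries by the compat self-check should be redirected.`. Dropping `conn.Process().Pid != ownPID` means every unicast port-53 query from Portmaster's own process that does not target its nameserver is now rerouted, so correctness rests on the resolver's own upstream queries being caught by an earlier case of this switch, which lies outside the hunk; the comment would be more useful if it named that case instead of only saying "pre-authenticated". Because `pkt.Info().DstPort == 53` is tested first, the `netutils.LocalMulticast` exclusion only spares multicast queries sent to port 53, which is worth stating if that is the intent. initialHandler starts and ends outside this hunk.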