From 7ca61bf24e88634e72ece1ea34d53cce3a61a3be Mon Sep 17 00:00:00 2001
From: Daniel
Date: Thu, 29 Oct 2020 16:36:13 +0100
Subject: [PATCH] Block DNS servers in prevent bypassing check
---
 firewall/bypassing.go | 10 ++++++++++
 profile/config.go | 3 ++-
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/firewall/bypassing.go b/firewall/bypassing.go
index cd811d8c..bfe76adf 100644
--- a/firewall/bypassing.go
+++ b/firewall/bypassing.go
@@ -8,6 +8,10 @@ import (
 "github.com/safing/portmaster/profile/endpoints"
 )
 
+var (
+ resolverFilterLists = []string{"17-DNS"}
+)
+
 // PreventBypassing checks if the connection should be denied or permitted
 // based on some bypass protection checks.
 func PreventBypassing(conn *network.Connection) (endpoints.EPResult, string, nsutil.Responder) {
@@ -18,5 +22,11 @@ func PreventBypassing(conn *network.Connection) (endpoints.EPResult, string, nsu
 nsutil.NxDomain()
 }
 
+ if conn.Entity.MatchLists(resolverFilterLists) {
+ return endpoints.Denied,
+ "blocked rogue connection to DNS resolver",
+ nsutil.ZeroIP()
+ }
+
 return endpoints.NoMatch, "", nil
 }
diff --git a/profile/config.go b/profile/config.go
index 494fc806..607ff0cd 100644
--- a/profile/config.go
+++ b/profile/config.go
@@ -481,7 +481,8 @@ Examples:
 Key: CfgOptionPreventBypassingKey,
 Description: `Prevent apps from bypassing the privacy filter. Current Features:
-- Disable Firefox' internal DNS-over-HTTPs resolver`,
+- Disable Firefox' internal DNS-over-HTTPs resolver
+- Block direct access to public DNS resolvers`,
 OptType: config.OptTypeInt,
 ExpertiseLevel: config.ExpertiseLevelUser,
 ReleaseLevel: config.ReleaseLevelBeta,
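Review bot: `resolverFilterLists` is added to bypassing.go with the bare identifier "17-DNS" and no comment, so a reader of this file cannot tell what that ID denotes, which component maintains the list, or that PreventBypassing denies every entity matched by it. A doc comment on the declaration would close that gap, e.g. `// resolverFilterLists holds the IDs of the filter lists whose entries are treated as public DNS resolvers; PreventBypassing denies any connection whose entity matches one of them.` The parenthesized `var ( ... )` block wraps a single declaration, which the file's style may not need; a plain `var resolverFilterLists = []string{"17-DNS"}` reads the same. If the list ID is expected to change or grow, saying so in the comment would also tell maintainers where to edit.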
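Review bot: The new `conn.Entity.MatchLists(resolverFilterLists)` branch denies a connection purely on the matched entity, without looking at the destination port or protocol, so any traffic to an address on that list is blocked, not only DNS; if only resolver traffic is meant, the check should also test the port (or the reason string and the option description in profile/config.go should state that the block is address-wide). The branch also presumes the entity's list data is already populated by the time PreventBypassing runs — I cannot see from the hunk whether `MatchLists` performs that lookup itself or relies on an earlier step, which is worth confirming since an unpopulated entity would silently skip the check. The preceding Firefox branch answers with `nsutil.NxDomain()` while this one answers with `nsutil.ZeroIP()`; a one-line comment such as `// A zero-IP answer, rather than NXDOMAIN, stops clients from retrying the resolver lookup.` would make the intended difference explicit, assuming that is the reason. PreventBypassing's body begins outside this hunk.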