Block DNS servers in prevent bypassing check

firewall/bypassing.go

@@ -8,6 +8,10 @@ import (
 	"github.com/safing/portmaster/profile/endpoints"
 )
 
+var (
+	resolverFilterLists = []string{"17-DNS"}
+)
+
 // PreventBypassing checks if the connection should be denied or permitted
 // based on some bypass protection checks.
 func PreventBypassing(conn *network.Connection) (endpoints.EPResult, string, nsutil.Responder) {
@@ -18,5 +22,11 @@ func PreventBypassing(conn *network.Connection) (endpoints.EPResult, string, nsu
 			nsutil.NxDomain()
 	}
 
+	if conn.Entity.MatchLists(resolverFilterLists) {
+		return endpoints.Denied,
+			"blocked rogue connection to DNS resolver",
+			nsutil.ZeroIP()
+	}
+
 	return endpoints.NoMatch, "", nil
 }

profile/config.go

@@ -481,7 +481,8 @@ Examples:
 		Key:  CfgOptionPreventBypassingKey,
 		Description: `Prevent apps from bypassing the privacy filter.  
 Current Features:  
-- Disable Firefox' internal DNS-over-HTTPs resolver`,
+- Disable Firefox' internal DNS-over-HTTPs resolver
+- Block direct access to public DNS resolvers`,
 		OptType:        config.OptTypeInt,
 		ExpertiseLevel: config.ExpertiseLevelUser,
 		ReleaseLevel:   config.ReleaseLevelBeta,