From f5afe8b5dfa1daa1e9e95bc51190f598cf4b4937 Mon Sep 17 00:00:00 2001
From: Daniel
Date: Fri, 15 Apr 2022 13:06:13 +0200
Subject: [PATCH] Block DNS requests if bypass prevention is active
---
 firewall/bypassing.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/firewall/bypassing.go b/firewall/bypassing.go
index 4f6b0f1d..cf8502cb 100644
--- a/firewall/bypassing.go
+++ b/firewall/bypassing.go
@@ -43,8 +43,12 @@ func PreventBypassing(ctx context.Context, conn *network.Connection) (endpoints.
 return endpoints.NoMatch, "", nil
 }
- // Block bypass attempts using an encrypted DNS server.
+ // Block bypass attempts using an (encrypted) DNS server.
 switch {
+ case conn.Entity.Port == 53:
+ return endpoints.Denied,
+ "blocked DNS query, manual dns setup required",
+ nsutil.BlockIP()
 case conn.Entity.Port == 853:
 // Block connections to port 853 - DNS over TLS.
 fallthrough
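Review bot: The new `case conn.Entity.Port == 53:` denies on destination port alone, so a stub resolver on loopback or on the local network (127.0.0.1:53, the router) is treated exactly like a remote bypass resolver unless the checks earlier in PreventBypassing — which start outside this hunk — already exclude local destinations; that is worth confirming before merge, because otherwise this cuts off system-configured DNS rather than only bypass attempts. The match also carries no protocol qualifier, which is presumably intended (DNS runs over both UDP and TCP) but should be stated, since the 853 case right below it is the only place the intent is written down. I would extend the comment to `// Block bypass attempts using an (encrypted) DNS server. Port 53 is denied for every destination and transport; any local resolver that must stay reachable has to be exempted before this switch.` and, if the entity type exposes a loopback/scope check, guard the case with it. Minor: the reason string mixes "DNS" and "dns" — `"blocked DNS query, manual DNS setup required"`. PreventBypassing begins and ends outside the hunk.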