mirror of
https://github.com/safing/portmaster
synced 2025-04-22 11:59:09 +00:00
1a1bc14804
* [service] Subscribe to systemd-resolver events * [service] Add disabled state to the resolver * [service] Add ETW DNS event listener * [service] DNS listener refactoring * [service] Add windows core dll project * [service] DNSListener refactoring, small bugfixes * [service] Change dns bypass rule * [service] Update gitignore * [service] Remove shim from integration module * [service] Add DNS packet analyzer * [service] Add self-check in dns monitor * [service] Fix go linter errors * [CI] Add github workflow for the windows core dll * [service] Minor fixes to the dns monitor
94 lines
3 KiB
Go
94 lines
3 KiB
Go
package firewall
|
|
|
|
import (
|
|
"context"
|
|
"strings"
|
|
|
|
"github.com/safing/portmaster/service/compat"
|
|
"github.com/safing/portmaster/service/nameserver/nsutil"
|
|
"github.com/safing/portmaster/service/network"
|
|
"github.com/safing/portmaster/service/network/packet"
|
|
"github.com/safing/portmaster/service/profile/endpoints"
|
|
)
|
|
|
|
var resolverFilterLists = []string{"17-DNS"}
|
|
|
|
// PreventBypassing checks if the connection should be denied or permitted
|
|
// based on some bypass protection checks.
|
|
func PreventBypassing(ctx context.Context, conn *network.Connection) (endpoints.EPResult, string, nsutil.Responder) {
|
|
// Exclude incoming connections.
|
|
if conn.Inbound {
|
|
return endpoints.NoMatch, "", nil
|
|
}
|
|
|
|
// Exclude ICMP.
|
|
switch packet.IPProtocol(conn.Entity.Protocol) { //nolint:exhaustive // Checking for specific values only.
|
|
case packet.ICMP, packet.ICMPv6:
|
|
return endpoints.NoMatch, "", nil
|
|
}
|
|
|
|
// Block firefox canary domain to disable DoH.
|
|
// This MUST also affect the System Resolver, because the return value must
|
|
// be correct for this to work.
|
|
if strings.ToLower(conn.Entity.Domain) == "use-application-dns.net." {
|
|
return endpoints.Denied,
|
|
"blocked canary domain to prevent enabling of DNS-over-HTTPs",
|
|
nsutil.NxDomain()
|
|
}
|
|
|
|
// Exclude DNS requests coming from the System Resolver.
|
|
// This MUST also affect entities in the secure dns filter list, else the
|
|
// System Resolver is wrongly accused of bypassing.
|
|
if conn.Type == network.DNSRequest && conn.Process().IsSystemResolver() {
|
|
return endpoints.NoMatch, "", nil
|
|
}
|
|
|
|
// If Portmaster resolver is disabled allow requests going to system dns resolver.
|
|
// And allow all connections out of the System Resolver.
|
|
if module.instance.Resolver().IsDisabled() {
|
|
// TODO(vladimir): Is there a more specific check that can be done?
|
|
if conn.Process().IsSystemResolver() {
|
|
return endpoints.NoMatch, "", nil
|
|
}
|
|
if conn.Entity.Port == 53 && conn.Entity.IPScope.IsLocalhost() {
|
|
return endpoints.NoMatch, "", nil
|
|
}
|
|
}
|
|
|
|
// Block bypass attempts using an (encrypted) DNS server.
|
|
switch {
|
|
case looksLikeOutgoingDNSRequest(conn) && module.instance.Resolver().IsDisabled():
|
|
// Allow. Packet will be analyzed and blocked if its not a dns request, before sent.
|
|
conn.Inspecting = true
|
|
return endpoints.NoMatch, "", nil
|
|
case conn.Entity.Port == 53:
|
|
return endpoints.Denied,
|
|
"blocked DNS query, manual dns setup required",
|
|
nsutil.BlockIP()
|
|
case conn.Entity.Port == 853:
|
|
// Block connections to port 853 - DNS over TLS.
|
|
fallthrough
|
|
case conn.Entity.MatchLists(resolverFilterLists):
|
|
// Block connection entities in the secure dns filter list.
|
|
compat.ReportSecureDNSBypassIssue(conn.Process())
|
|
return endpoints.Denied,
|
|
"blocked rogue connection to DNS resolver",
|
|
nsutil.BlockIP()
|
|
}
|
|
|
|
return endpoints.NoMatch, "", nil
|
|
}
|
|
|
|
func looksLikeOutgoingDNSRequest(conn *network.Connection) bool {
|
|
// Outbound on remote port 53, UDP.
|
|
if conn.Inbound {
|
|
return false
|
|
}
|
|
if conn.Entity.Port != 53 {
|
|
return false
|
|
}
|
|
if conn.IPProtocol != packet.UDP {
|
|
return false
|
|
}
|
|
return true
|
|
}
|