Rework DnsConfig, remove ability to disable local resolver

Author: pronebird

nym-vpn-core/Cargo.lock

@@ -303,9 +303,6 @@ make -C nym-vpn-core -f Android.mk
         - `netsh`: use the `netsh` program
         - `tcpip`: set TCP/IP parameters in the registry
 
-- `NYM_DISABLE_LOCAL_DNS_RESOLVER` - Set this variable to `1` to disable the local DNS resolver
-  (macOS only).
-
 - `NYM_DISABLE_OFFLINE_MONITOR` - Set to `1` to forces the daemon to always assume the host is online.
 
 - `NYM_USE_PATH_MONITOR` - Set to `1` to use Apple Network framework for offline monitoring. (macOS only)

nym-vpn-core/README.md

@@ -2,7 +2,7 @@
 // Copyright 2024 Nym Technologies SA <contact@nymtech.net>
 // SPDX-License-Identifier: GPL-3.0-only
 
-use crate::ResolvedDnsConfig;
+use crate::DnsConfig;
 
 /// Stub error type for DNS errors on Android.
 #[derive(Debug, thiserror::Error)]
@@ -18,11 +18,7 @@ impl super::DnsMonitorT for DnsMonitor {
         Ok(DnsMonitor)
     }
 
-    async fn set(
-        &mut self,
-        _interface: &str,
-        _servers: ResolvedDnsConfig,
-    ) -> Result<(), Self::Error> {
+    async fn set(&mut self, _interface: &str, _servers: DnsConfig) -> Result<(), Self::Error> {
         Ok(())
     }
 

nym-vpn-core/crates/nym-dns/src/android.rs

@@ -2,7 +2,7 @@
 // Copyright 2024 Nym Technologies SA <contact@nymtech.net>
 // SPDX-License-Identifier: GPL-3.0-only
 
-use std::{fmt, net::IpAddr};
+use std::net::IpAddr;
 
 #[cfg(target_os = "linux")]
 use nym_routing::RouteManagerHandle;
@@ -31,142 +31,13 @@ pub use self::imp::Error;
 pub use imp::flush_resolver_cache;
 
 /// DNS configuration
-#[derive(Debug, Clone, PartialEq)]
+#[derive(Debug, Clone, PartialEq, Eq)]
 pub struct DnsConfig {
-    config: InnerDnsConfig,
-}
-
-impl Default for DnsConfig {
-    fn default() -> Self {
-        Self {
-            config: InnerDnsConfig::Default,
-        }
-    }
-}
-
-impl DnsConfig {
-    /// Use the specified addresses for DNS resolution
-    pub fn from_addresses(tunnel_config: &[IpAddr], non_tunnel_config: &[IpAddr]) -> Self {
-        DnsConfig {
-            config: InnerDnsConfig::Override {
-                tunnel_config: tunnel_config.to_owned(),
-                non_tunnel_config: non_tunnel_config.to_owned(),
-            },
-        }
-    }
-}
+    /// DNS server addresses
+    pub addresses: Vec<IpAddr>,
 
-impl DnsConfig {
-    pub fn resolve(
-        &self,
-        default_tun_config: &[IpAddr],
-        #[cfg(not(any(target_os = "android", target_os = "ios")))] port: u16,
-    ) -> ResolvedDnsConfig {
-        match &self.config {
-            InnerDnsConfig::Default => ResolvedDnsConfig {
-                tunnel_config: default_tun_config.to_owned(),
-                non_tunnel_config: vec![],
-                #[cfg(not(any(target_os = "android", target_os = "ios")))]
-                port,
-            },
-            InnerDnsConfig::Override {
-                tunnel_config,
-                non_tunnel_config,
-            } => ResolvedDnsConfig {
-                tunnel_config: tunnel_config.to_owned(),
-                non_tunnel_config: non_tunnel_config.to_owned(),
-                #[cfg(not(any(target_os = "android", target_os = "ios")))]
-                port,
-            },
-        }
-    }
-}
-
-#[derive(Debug, Clone, PartialEq)]
-enum InnerDnsConfig {
-    /// Use gateway addresses from the tunnel config
-    Default,
-    /// Use the specified addresses for DNS resolution
-    Override {
-        /// Addresses to configure on the tunnel interface
-        tunnel_config: Vec<IpAddr>,
-        /// Addresses to allow on non-tunnel interface.
-        /// For the most part, the tunnel state machine will not handle any of this configuration
-        /// on non-tunnel interface, only allow them in the firewall.
-        non_tunnel_config: Vec<IpAddr>,
-    },
-}
-
-/// DNS configuration with `DnsConfig::Default` resolved
-#[derive(Debug, Clone, PartialEq, Eq)]
-pub struct ResolvedDnsConfig {
-    /// Addresses to configure on the tunnel interface
-    tunnel_config: Vec<IpAddr>,
-    /// Addresses to allow on non-tunnel interface.
-    /// For the most part, the tunnel state machine will not handle any of this configuration
-    /// on non-tunnel interface, only allow them in the firewall.
-    non_tunnel_config: Vec<IpAddr>,
     /// Port to use
-    #[cfg(not(any(target_os = "android", target_os = "ios")))]
-    port: u16,
-}
-
-impl fmt::Display for ResolvedDnsConfig {
-    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        f.write_str("Tunnel DNS: ")?;
-        Self::fmt_addr_set(f, &self.tunnel_config)?;
-
-        f.write_str(" Non-tunnel DNS: ")?;
-        Self::fmt_addr_set(f, &self.non_tunnel_config)?;
-
-        #[cfg(not(any(target_os = "android", target_os = "ios")))]
-        write!(f, " Port: {}", self.port)?;
-
-        Ok(())
-    }
-}
-
-impl ResolvedDnsConfig {
-    fn fmt_addr_set(f: &mut fmt::Formatter<'_>, addrs: &[IpAddr]) -> fmt::Result {
-        f.write_str("{")?;
-        for (i, addr) in addrs.iter().enumerate() {
-            if i > 0 {
-                f.write_str(", ")?;
-            }
-            write!(f, "{addr}")?;
-        }
-        f.write_str("}")
-    }
-
-    /// Addresses to configure on the tunnel interface
-    pub fn tunnel_config(&self) -> &[IpAddr] {
-        &self.tunnel_config
-    }
-
-    /// Addresses to allow on non-tunnel interface.
-    /// For the most part, the tunnel state machine will not handle any of this configuration
-    /// on non-tunnel interface, only allow them in the firewall.
-    pub fn non_tunnel_config(&self) -> &[IpAddr] {
-        &self.non_tunnel_config
-    }
-
-    /// Consume `self` and return a vector of all addresses
-    pub fn addresses(self) -> impl Iterator<Item = IpAddr> {
-        self.non_tunnel_config.into_iter().chain(self.tunnel_config)
-    }
-
-    /// Return whether the config contains only (and at least one) loopback addresses, and zero
-    /// non-loopback addresses
-    pub fn is_loopback(&self) -> bool {
-        let (loopback_addrs, non_loopback_addrs) = self
-            .tunnel_config
-            .iter()
-            .chain(self.non_tunnel_config.iter())
-            .copied()
-            .partition::<Vec<_>, _>(|ip| ip.is_loopback());
-
-        !loopback_addrs.is_empty() && non_loopback_addrs.is_empty()
-    }
+    pub port: u16,
 }
 
 /// Sets and monitors system DNS settings. Makes sure the desired DNS servers are being used.
@@ -188,8 +59,8 @@ impl DnsMonitor {
     }
 
     /// Set DNS to the given servers. And start monitoring the system for changes.
-    pub async fn set(&mut self, interface: &str, config: ResolvedDnsConfig) -> Result<(), Error> {
-        tracing::info!("Setting DNS servers on interface '{interface}': {config}");
+    pub async fn set(&mut self, interface: &str, config: DnsConfig) -> Result<(), Error> {
+        tracing::info!("Setting DNS servers on interface '{interface}': {config:?}");
         self.inner.set(interface, config).await
     }
 
@@ -216,8 +87,7 @@ trait DnsMonitorT: Sized {
         #[cfg(target_os = "linux")] route_manager: RouteManagerHandle,
     ) -> Result<Self, Self::Error>;
 
-    async fn set(&mut self, interface: &str, servers: ResolvedDnsConfig)
-    -> Result<(), Self::Error>;
+    async fn set(&mut self, interface: &str, servers: DnsConfig) -> Result<(), Self::Error>;
 
     async fn reset(&mut self) -> Result<(), Self::Error>;
 

nym-vpn-core/crates/nym-dns/src/lib.rs

@@ -30,7 +30,7 @@ use tokio::sync::Mutex;
 
 use nym_routing::debounce::BurstGuard;
 
-use super::ResolvedDnsConfig;
+use super::DnsConfig;
 
 pub type Result<T> = std::result::Result<T, Error>;
 
@@ -402,9 +402,9 @@ impl super::DnsMonitorT for DnsMonitor {
         })
     }
 
-    async fn set(&mut self, interface: &str, config: ResolvedDnsConfig) -> Result<()> {
+    async fn set(&mut self, interface: &str, config: DnsConfig) -> Result<()> {
         let port = config.port;
-        let servers: Vec<_> = config.addresses().collect();
+        let servers: Vec<_> = config.addresses;
 
         let mut state = self.state.lock().await;
         state.apply_new_config(&self.store, interface, &servers, port)

nym-vpn-core/crates/nym-dns/src/macos.rs

@@ -20,7 +20,6 @@ libc.workspace = true
 thiserror.workspace = true
 tracing.workspace = true
 
-nym-dns.workspace = true
 nym-common.workspace = true
 nym-firewall-config.workspace = true
 

nym-vpn-core/crates/nym-firewall/Cargo.toml

@@ -3,12 +3,12 @@
 
 #[cfg(any(target_os = "linux", target_os = "macos"))]
 use std::net::Ipv6Addr;
+#[cfg(not(target_os = "android"))]
+use std::net::SocketAddr;
 use std::{borrow::Cow, fmt, net::IpAddr};
 
 #[cfg(any(target_os = "linux", target_os = "macos"))]
 use ipnetwork::Ipv6Network;
-#[cfg(not(target_os = "android"))]
-use nym_dns::ResolvedDnsConfig;
 
 #[cfg(target_os = "linux")]
 use nym_cgroup::v2::CGroup2;
@@ -34,6 +34,8 @@ mod imp;
 mod imp;
 
 mod net;
+#[cfg(not(target_os = "android"))]
+pub use net::AllowedDns;
 pub use net::{
     AllowedClients, AllowedEndpoint, AllowedTunnelTraffic, Endpoint, TransportProtocol,
     TunnelInterface, TunnelMetadata,
@@ -76,11 +78,6 @@ const ROOT_UID: u32 = 0;
 const DNS_TCP_PORTS: [u16; 2] = [443, 853];
 
 /// A enum that describes network security strategy
-///
-/// # Firewall block/allow specification.
-///
-/// See the [security](../../../docs/security.md) document for the specification on how to
-/// implement these policies and what should and should not be allowed to flow.
 #[derive(Debug, Clone, Eq, PartialEq)]
 pub enum FirewallPolicy {
     /// Allow traffic only to server
@@ -93,7 +90,7 @@ pub enum FirewallPolicy {
         allow_lan: bool,
         /// Servers that are allowed to respond to DNS requests.
         #[cfg(not(target_os = "android"))]
-        dns_config: ResolvedDnsConfig,
+        dns_config: AllowedDns,
         /// Hosts that should be reachable while connecting.
         allowed_endpoints: Vec<AllowedEndpoint>,
         /// Networks for which to permit entry in-tunnel traffic.
@@ -116,7 +113,7 @@ pub enum FirewallPolicy {
         allow_lan: bool,
         /// Servers that are allowed to respond to DNS requests.
         #[cfg(not(target_os = "android"))]
-        dns_config: ResolvedDnsConfig,
+        dns_config: AllowedDns,
         /// Interface to redirect (VPN tunnel) traffic to
         #[cfg(target_os = "macos")]
         redirect_interface: Option<String>,
@@ -214,7 +211,7 @@ impl FirewallPolicy {
     }
 
     #[cfg(not(target_os = "android"))]
-    pub fn dns_config(&self) -> Option<&ResolvedDnsConfig> {
+    pub fn dns_config(&self) -> Option<&AllowedDns> {
         match self {
             FirewallPolicy::Connecting { dns_config, .. }
             | FirewallPolicy::Connected { dns_config, .. } => Some(dns_config),
@@ -313,14 +310,14 @@ impl fmt::Display for FirewallPolicy {
 }
 
 #[cfg(not(target_os = "android"))]
-fn display_allowed_non_tunnel_dns(dns_config: &ResolvedDnsConfig) -> String {
-    if dns_config.non_tunnel_config().is_empty() {
+fn display_allowed_non_tunnel_dns(dns_config: &AllowedDns) -> String {
+    if dns_config.non_tunnel_dns().is_empty() {
         "none".to_owned()
     } else {
         dns_config
-            .non_tunnel_config()
+            .non_tunnel_dns()
             .iter()
-            .map(|ip| ip.to_string())
+            .map(|ep| ep.to_string())
             .collect::<Vec<_>>()
             .join(",")
     }