Enable secure DNS in DNS forwarder

[pronebird]

Ticket

JIRA-NYM-1198

Description

TBD

Checklist:

• Changelog

Screenshots (optional, if UI related)

---

This change is 

Summary by CodeRabbit

• New Features

  • Secure DNS is now enabled for requests forwarded by the local resolver.

• Documentation

  • Removed the documented environment variable for disabling the local DNS resolver.

• Refactor

  • Unified DNS handling: resolver and tunnel now use configured nameserver entries consistently.
  • Firewall and tunnel DNS behavior updated to use endpoint-based allowances and more consistent cross-platform handling.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Refactors DNS types to plain nym-dns::DnsConfig, migrates resolver forwarding to hickory NameServerConfig, adds AllowedDns for firewall endpoint classification, updates platform DNS monitors and macOS PF rules to use endpoints, and adapts the tunnel state machine and DNS handler to the new APIs.

Changes

DNS Configuration Refactoring

Layer / File(s)	Summary
DnsConfig simplification and monitor updates nym-vpn-core/crates/nym-dns/src/lib.rs, nym-vpn-core/crates/nym-dns/src/android.rs, nym-vpn-core/crates/nym-dns/src/macos.rs	Replace wrapper/resolved model with pub struct DnsConfig { pub addresses: Vec<IpAddr>, pub port: u16 }; update DnsMonitor::set/DnsMonitorT::set signatures and platform monitor code to accept DnsConfig.
Resolver NameServerConfig integration & DNS constants nym-vpn-core/crates/nym-vpn-lib/Cargo.toml, nym-vpn-core/crates/nym-vpn-lib/src/lib.rs, nym-vpn-core/crates/nym-vpn-lib/src/resolver/mod.rs, nym-vpn-core/crates/nym-vpn-lib/src/service/vpn_service.rs	Forwarding resolver and enable_forward now use hickory_resolver::config::NameServerConfig; LOCAL_DNS_RESOLVER static removed; public DEFAULT_DNS_SERVERS removed in favor of DEFAULT_DNS_SERVERS_CONFIG; added hickory-resolver features.
AllowedDns and firewall API updates nym-vpn-core/crates/nym-firewall/Cargo.toml, nym-vpn-core/crates/nym-firewall/src/lib.rs, nym-vpn-core/crates/nym-firewall/src/net.rs	Add AllowedDns (partitioned Vec<Endpoint> for tunnel_dns/non_tunnel_dns), re-export it from the firewall crate, replace ResolvedDnsConfig uses in FirewallPolicy with AllowedDns, and remove nym-dns workspace entry where present.
macOS firewall endpoint-driven rules nym-vpn-core/crates/nym-firewall/src/macos.rs	Refactor macOS PF helpers and state-preservation logic to operate on Endpoint descriptors and protocol-aware matching; rule builders now accept &Endpoint.
TunnelSettings helpers and TunnelMonitor DNS selection nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/mod.rs, .../tunnel_monitor.rs	Add TunnelSettings::resolver_config(), android_tunnel_dns(), and (non-Android/iOS) allowed_dns_endpoints()/allowed_default_dns_endpoints(); remove old resolved_dns_config/dns_ips APIs; set tunnel options' dns to vec![] for non-Android when using system resolver; split mobile DNS helpers.
DnsHandler and state machine updates nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/dns_handler.rs, .../states/*	DnsHandler::set, DnsHandlerHandle::set, and DnsHandlerCommand::Set switch to nym_dns::DnsConfig. Connected/Connecting/Error/Offline states now use resolver_config() and AllowedDns, unconditionally enable forwarding to the filtering resolver, and simplify macOS local-resolver setup and DNS reset gating. Unit tests updated to construct AllowedDns endpoints.
Docs and changelog nym-vpn-core/CHANGELOG.md, nym-vpn-core/README.md	Changelog notes secure DNS for forwarded requests; README removes NYM_DISABLE_LOCAL_DNS_RESOLVER env var entry.

Estimated code review effort:
🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly Related PRs

• nymtech/nym-vpn-client#5444: Both PRs modify tunnel_state_machine/tunnel_monitor.rs DNS selection and local resolver usage on mobile/iOS.
• nymtech/nym-vpn-client#5227: Overlaps with resolver forwarding and local DNS resolver integration changes in the tunnel state machine and resolver module.
• nymtech/nym-vpn-client#5279: Hickory-resolver and system DNS handling changes related to the resolver update in this PR.

Suggested Reviewers

• trojanfoe
• neacsu
• agentpietrucha

"🐇
I hopped through types, tidy and bright,
Flattened configs in morning light,
Endpoints sorted, resolvers tuned,
Firewall rules neatly hewn,
A joyful hop — the code feels light."

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description is largely incomplete; the description body states 'TBD' instead of providing a substantive explanation of the changes, motivation, or context required by the template.	Replace 'TBD' with a detailed explanation of the DNS refactoring changes, the rationale for removing ResolvedDnsConfig, and how the new structure enables secure DNS in the forwarder.
Docstring Coverage	⚠️ Warning	Docstring coverage is 75.93% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Enable secure DNS in DNS forwarder' is concise and directly related to the primary changes in this PR, which refactor DNS configuration to use secure DNS endpoints throughout the forwarder system.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch nym-1198-encrypted-dns

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@nym-vpn-core/crates/nym-firewall/src/net.rs`:
- Around line 313-324: The partition currently uses endpoints.iter() producing
Vec<&Endpoint> which mismatches AllowedDns fields that expect Vec<Endpoint>;
change the iterator to consume ownership by using
endpoints.into_iter().partition(...) so partition returns owned Endpoint values,
and update the closure to accept owned Endpoint (keep the predicate
nym_firewall_config::is_local_address(&ep.address.ip())). Populate
non_tunnel_dns and tunnel_dns with those owned vectors.

In `@nym-vpn-core/crates/nym-vpn-lib/src/service/vpn_service.rs`:
- Around line 1458-1460: handle_get_default_dns currently maps
DEFAULT_DNS_SERVERS_CONFIG per-protocol entries to a Vec<IpAddr>, producing
duplicates; change handle_get_default_dns to deduplicate IPs before returning
(e.g. collect mapped IPs into a HashSet or filter while preserving order by
pushing only unseen IPs into the result Vec) so the returned Vec<IpAddr>
contains each resolver once; reference DEFAULT_DNS_SERVERS_CONFIG and the async
fn handle_get_default_dns to locate and update the logic.

In `@nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/dns_handler.rs`:
- Line 4: Run rustfmt (cargo fmt) on this file to apply canonical formatting:
let rustfmt reorder the import to what it expects (nym_dns::{DnsConfig,
DnsMonitor} or similar) and collapse the DnsHandler::set(...) call into the
single-line form rustfmt produces; after running cargo fmt for the crate, review
the changes (notably the nym_dns import and DnsHandler::set usage) and commit
them so CI formatting checks pass.

In `@nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/mod.rs`:
- Around line 230-249: tunnel_dns() currently returns duplicate resolver IPs
when DnsOptions::Default is used because DEFAULT_DNS_SERVERS_CONFIG contains one
entry per transport; update tunnel_dns (the match arm for DnsOptions::Default
and the branch that handles empty custom addrs) to produce a deduplicated,
stable list of IpAddr values (e.g., collect into a HashSet or use sort+dedup)
before applying the IPv6 filter and returning; ensure you still respect
self.enable_ipv6 and preserve the existing behavior for custom non-empty lists.
- Around line 289-297: allowed_default_dns_endpoints() currently maps
ProtocolConfig::H3 to nym_firewall::TransportProtocol::Tcp but H3 represents
DoH3 over QUIC (UDP); update the mapping inside the ns.connections.iter().map
closure (the match on conn.protocol) so that ProtocolConfig::H3 { .. } is
treated like the QUIC/UDP branch and returns
nym_firewall::TransportProtocol::Udp instead of Tcp, ensuring H3 nameservers are
allowed over UDP in the firewall allowlist.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 884c6a81-8ecb-4087-9312-ee2dcfa944c1

📥 Commits

Reviewing files that changed from the base of the PR and between 20523aa and cdcd605.

⛔ Files ignored due to path filters (1)

• nym-vpn-core/Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (20)

• nym-vpn-core/CHANGELOG.md
• nym-vpn-core/README.md
• nym-vpn-core/crates/nym-dns/src/android.rs
• nym-vpn-core/crates/nym-dns/src/lib.rs
• nym-vpn-core/crates/nym-dns/src/macos.rs
• nym-vpn-core/crates/nym-firewall/Cargo.toml
• nym-vpn-core/crates/nym-firewall/src/lib.rs
• nym-vpn-core/crates/nym-firewall/src/macos.rs
• nym-vpn-core/crates/nym-firewall/src/net.rs
• nym-vpn-core/crates/nym-vpn-lib/Cargo.toml
• nym-vpn-core/crates/nym-vpn-lib/src/lib.rs
• nym-vpn-core/crates/nym-vpn-lib/src/resolver/mod.rs
• nym-vpn-core/crates/nym-vpn-lib/src/service/vpn_service.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/dns_handler.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/mod.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/states/connected_state.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/states/connecting_state.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/states/error_state.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/states/offline_state.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/tunnel_monitor.rs

💤 Files with no reviewable changes (2)

• nym-vpn-core/README.md
• nym-vpn-core/crates/nym-firewall/Cargo.toml

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@nym-vpn-core/crates/nym-firewall/src/macos.rs`:
- Around line 503-521: The current loops over dns_config.tunnel_dns() and
dns_config.non_tunnel_dns() incorrectly filter endpoints to port()==53, which
removes connected-state allow rules for secure DNS on 853/443; remove the
port()==53 guard so you still call
get_allow_tunnel_dns_rules_when_connected(exit_tunnel, dns_endpoint) for every
tunnel_dns() entry and get_allow_local_dns_rules_when_connected(exit_tunnel,
dns_endpoint) for every non_tunnel_dns() entry (retain the port==53 check only
where get_block_dns_rules() requires it), ensuring encrypted upstreams still get
explicit allow rules when connected and split tunneling is enabled.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 98768969-f0c3-482c-979a-dbc6cdc4c217

📥 Commits

Reviewing files that changed from the base of the PR and between 2fb5e76 and beab404.

⛔ Files ignored due to path filters (1)

• nym-vpn-core/Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (20)

• nym-vpn-core/CHANGELOG.md
• nym-vpn-core/README.md
• nym-vpn-core/crates/nym-dns/src/android.rs
• nym-vpn-core/crates/nym-dns/src/lib.rs
• nym-vpn-core/crates/nym-dns/src/macos.rs
• nym-vpn-core/crates/nym-firewall/Cargo.toml
• nym-vpn-core/crates/nym-firewall/src/lib.rs
• nym-vpn-core/crates/nym-firewall/src/macos.rs
• nym-vpn-core/crates/nym-firewall/src/net.rs
• nym-vpn-core/crates/nym-vpn-lib/Cargo.toml
• nym-vpn-core/crates/nym-vpn-lib/src/lib.rs
• nym-vpn-core/crates/nym-vpn-lib/src/resolver/mod.rs
• nym-vpn-core/crates/nym-vpn-lib/src/service/vpn_service.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/dns_handler.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/mod.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/states/connected_state.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/states/connecting_state.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/states/error_state.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/states/offline_state.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/tunnel_monitor.rs

💤 Files with no reviewable changes (2)

• nym-vpn-core/README.md
• nym-vpn-core/crates/nym-firewall/Cargo.toml

✅ Files skipped from review due to trivial changes (1)

• nym-vpn-core/CHANGELOG.md

🚧 Files skipped from review as they are similar to previous changes (13)

• nym-vpn-core/crates/nym-firewall/src/net.rs
• nym-vpn-core/crates/nym-dns/src/android.rs
• nym-vpn-core/crates/nym-vpn-lib/src/service/vpn_service.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/dns_handler.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/states/offline_state.rs
• nym-vpn-core/crates/nym-vpn-lib/src/lib.rs
• nym-vpn-core/crates/nym-firewall/src/lib.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/states/error_state.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/tunnel_monitor.rs
• nym-vpn-core/crates/nym-dns/src/lib.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/mod.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/states/connected_state.rs
• nym-vpn-core/crates/nym-vpn-lib/src/resolver/mod.rs

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Don't skip connected-state rules for non-53 DNS endpoints.

Line 503 now gates both dns_config.tunnel_dns() and dns_config.non_tunnel_dns() on port() == 53. That drops the explicit allow rules for encrypted upstreams on 853/443: non-tunnel secure DNS has no later pass rule in the normal connected path, and secure tunnel DNS loses its only explicit exit-tunnel allow rule when split tunneling is enabled. get_block_dns_rules() explains why port 53 needs special handling, but not why the other DNS endpoints can be omitted entirely.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@nym-vpn-core/crates/nym-firewall/src/macos.rs` around lines 503 - 521, The
current loops over dns_config.tunnel_dns() and dns_config.non_tunnel_dns()
incorrectly filter endpoints to port()==53, which removes connected-state allow
rules for secure DNS on 853/443; remove the port()==53 guard so you still call
get_allow_tunnel_dns_rules_when_connected(exit_tunnel, dns_endpoint) for every
tunnel_dns() entry and get_allow_local_dns_rules_when_connected(exit_tunnel,
dns_endpoint) for every non_tunnel_dns() entry (retain the port==53 check only
where get_block_dns_rules() requires it), ensuring encrypted upstreams still get
explicit allow rules when connected and split tunneling is enabled.

[pronebird]

This must be fixed now

[coderabbitai]

@pronebird, here is the fix. Both port guards should be removed — the comment reasoning is actually backwards: precisely because get_block_dns_rules() only targets port 53, non-53 upstreams (DoT/853, DoH/443) are not blocked by it, but they also have no explicit pass rule anywhere else in the connected path. For non_tunnel_dns this causes those requests to fall through to the catch-all drop. For tunnel_dns the impact is worse in split-tunnel mode where the explicit tunnel DNS rule is the only pass on the tunnel interface.

// In FirewallPolicy::Connected branch of get_policy_specific_rules

// Allow tunnel DNS on any port; the block-dns rules only target port 53
// so non-53 upstreams (DoT/853, DoH/443) require explicit rules here too.
// When split tunneling is active the general tunnel-allow rule is absent,
// making these per-endpoint rules the only pass on the tunnel interface.
for dns_endpoint in dns_config.tunnel_dns() {
    rules.push(self.get_allow_tunnel_dns_rules_when_connected(
        exit_tunnel,
        dns_endpoint,
    )?);
}
// Non-tunnel DNS must also be allowed for every port: the block-dns rules
// only drop port 53, but non-tunnel traffic never passes through the tunnel
// interface allow-all rule, so port-853/443 endpoints need an explicit pass.
for dns_endpoint in dns_config.non_tunnel_dns() {
    rules.append(
        &mut self
            .get_allow_local_dns_rules_when_connected(exit_tunnel, dns_endpoint)?,
    );
}

The only place the port-53 gate is legitimately needed is inside get_block_dns_rules() itself (which already hard-codes :53). The per-endpoint allow rules must be emitted for every port, especially now that this PR enables encrypted upstream DNS.

ʕ •ᴥ•ʔ on it

[coderabbitai]

♻️ Duplicate comments (1)

nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/dns_handler.rs (1)

4-4: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Fix import ordering to pass CI.

The pipeline is failing because cargo fmt expects the imports in alphabetical order: {DnsConfig, DnsMonitor} instead of {DnsMonitor, DnsConfig}.

Proposed fix

-use nym_dns::{DnsMonitor, DnsConfig};
+use nym_dns::{DnsConfig, DnsMonitor};

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/dns_handler.rs` at
line 4, The import list in dns_handler.rs is out of alphabetical order; update
the use statement to import DnsConfig before DnsMonitor (i.e., change use
nym_dns::{DnsMonitor, DnsConfig}; to use nym_dns::{DnsConfig, DnsMonitor};) so
cargo fmt/Cargo CI ordering checks pass and references to DnsMonitor and
DnsConfig remain unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/dns_handler.rs`:
- Line 4: The import list in dns_handler.rs is out of alphabetical order; update
the use statement to import DnsConfig before DnsMonitor (i.e., change use
nym_dns::{DnsMonitor, DnsConfig}; to use nym_dns::{DnsConfig, DnsMonitor};) so
cargo fmt/Cargo CI ordering checks pass and references to DnsMonitor and
DnsConfig remain unchanged.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e4eeb3d0-5789-4289-b22e-fc77a8373f80

📥 Commits

Reviewing files that changed from the base of the PR and between beab404 and 32e2bcd.

⛔ Files ignored due to path filters (1)

• nym-vpn-core/Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (20)

• nym-vpn-core/CHANGELOG.md
• nym-vpn-core/README.md
• nym-vpn-core/crates/nym-dns/src/android.rs
• nym-vpn-core/crates/nym-dns/src/lib.rs
• nym-vpn-core/crates/nym-dns/src/macos.rs
• nym-vpn-core/crates/nym-firewall/Cargo.toml
• nym-vpn-core/crates/nym-firewall/src/lib.rs
• nym-vpn-core/crates/nym-firewall/src/macos.rs
• nym-vpn-core/crates/nym-firewall/src/net.rs
• nym-vpn-core/crates/nym-vpn-lib/Cargo.toml
• nym-vpn-core/crates/nym-vpn-lib/src/lib.rs
• nym-vpn-core/crates/nym-vpn-lib/src/resolver/mod.rs
• nym-vpn-core/crates/nym-vpn-lib/src/service/vpn_service.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/dns_handler.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/mod.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/states/connected_state.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/states/connecting_state.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/states/error_state.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/states/offline_state.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/tunnel_monitor.rs

💤 Files with no reviewable changes (2)

• nym-vpn-core/crates/nym-firewall/Cargo.toml
• nym-vpn-core/README.md

✅ Files skipped from review due to trivial changes (1)

• nym-vpn-core/CHANGELOG.md

🚧 Files skipped from review as they are similar to previous changes (12)

• nym-vpn-core/crates/nym-dns/src/android.rs
• nym-vpn-core/crates/nym-vpn-lib/Cargo.toml
• nym-vpn-core/crates/nym-vpn-lib/src/service/vpn_service.rs
• nym-vpn-core/crates/nym-firewall/src/net.rs
• nym-vpn-core/crates/nym-dns/src/macos.rs
• nym-vpn-core/crates/nym-vpn-lib/src/lib.rs
• nym-vpn-core/crates/nym-firewall/src/macos.rs
• nym-vpn-core/crates/nym-firewall/src/lib.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/states/error_state.rs
• nym-vpn-core/crates/nym-vpn-lib/src/resolver/mod.rs
• nym-vpn-core/crates/nym-dns/src/lib.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/states/connecting_state.rs

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/mod.rs`:
- Around line 232-259: The defaults closure and the subsequent handling of
self.dns can produce duplicate IPs; ensure the returned addrs vector contains
unique resolver IPs before filtering by IPv4/IPv6. Modify the defaults() closure
(or deduplicate right after building addrs) to remove duplicate IpAddr entries
while preserving order (e.g., track seen IPs with a HashSet and push only first
occurrences), then continue with addrs.retain(...) as before; update references
to defaults, DnsOptions::Default, DnsOptions::Custom, and the addrs variable
accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 1737a449-9d5f-46f6-9eb5-ec08dff29cd7

📥 Commits

Reviewing files that changed from the base of the PR and between 32e2bcd and 52a3a5f.

⛔ Files ignored due to path filters (1)

• nym-vpn-core/Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (20)

• nym-vpn-core/CHANGELOG.md
• nym-vpn-core/README.md
• nym-vpn-core/crates/nym-dns/src/android.rs
• nym-vpn-core/crates/nym-dns/src/lib.rs
• nym-vpn-core/crates/nym-dns/src/macos.rs
• nym-vpn-core/crates/nym-firewall/Cargo.toml
• nym-vpn-core/crates/nym-firewall/src/lib.rs
• nym-vpn-core/crates/nym-firewall/src/macos.rs
• nym-vpn-core/crates/nym-firewall/src/net.rs
• nym-vpn-core/crates/nym-vpn-lib/Cargo.toml
• nym-vpn-core/crates/nym-vpn-lib/src/lib.rs
• nym-vpn-core/crates/nym-vpn-lib/src/resolver/mod.rs
• nym-vpn-core/crates/nym-vpn-lib/src/service/vpn_service.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/dns_handler.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/mod.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/states/connected_state.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/states/connecting_state.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/states/error_state.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/states/offline_state.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/tunnel_monitor.rs

💤 Files with no reviewable changes (2)

• nym-vpn-core/README.md
• nym-vpn-core/crates/nym-firewall/Cargo.toml

✅ Files skipped from review due to trivial changes (1)

• nym-vpn-core/CHANGELOG.md

🚧 Files skipped from review as they are similar to previous changes (14)

• nym-vpn-core/crates/nym-vpn-lib/src/service/vpn_service.rs
• nym-vpn-core/crates/nym-vpn-lib/Cargo.toml
• nym-vpn-core/crates/nym-firewall/src/net.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/states/error_state.rs
• nym-vpn-core/crates/nym-dns/src/macos.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/states/connected_state.rs
• nym-vpn-core/crates/nym-dns/src/android.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/dns_handler.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/states/offline_state.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/tunnel_monitor.rs
• nym-vpn-core/crates/nym-vpn-lib/src/tunnel_state_machine/states/connecting_state.rs
• nym-vpn-core/crates/nym-dns/src/lib.rs
• nym-vpn-core/crates/nym-firewall/src/macos.rs
• nym-vpn-core/crates/nym-vpn-lib/src/resolver/mod.rs

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud