From 515b5b6481b03165095cc4868ca8a86987cab8fa Mon Sep 17 00:00:00 2001
From: "Jason A. Donenfeld"
Date: Mon, 13 May 2019 12:01:08 +0200
Subject: firewall: only allow specified dns servers

Signed-off-by: Jason A. Donenfeld
---
 service/ifaceconfig.go | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

(limited to 'service/ifaceconfig.go')

diff --git a/service/ifaceconfig.go b/service/ifaceconfig.go
index c6458b4e..2e4307cf 100644
--- a/service/ifaceconfig.go
+++ b/service/ifaceconfig.go
@@ -314,7 +314,6 @@ func configureInterface(conf *conf.Config, tun *tun.NativeTun) error {
 }
 
 func enableFirewall(conf *conf.Config, tun *tun.NativeTun) error {
-	restrictDNS := len(conf.Interface.Dns) > 0
 	restrictAll := false
 	if len(conf.Peers) == 1 {
 	nextallowedip:
@@ -330,9 +329,9 @@ func enableFirewall(conf *conf.Config, tun *tun.NativeTun) error {
 			}
 		}
 	}
-	if restrictAll && !restrictDNS {
+	if restrictAll && len(conf.Interface.Dns) == 0 {
 		name, _ := tun.Name()
 		log.Printf("[%s] Warning: no DNS server specified, despite having an allowed IPs of 0.0.0.0/0 or ::/0. There may be connectivity issues.", name)
 	}
-	return firewall.EnableFirewall(tun.LUID(), restrictDNS, restrictAll)
+	return firewall.EnableFirewall(tun.LUID(), conf.Interface.Dns, restrictAll)
 }
-- 
cgit v1.2.3-59-g8ed1b
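Review bot: The new `firewall.EnableFirewall(tun.LUID(), conf.Interface.Dns, restrictAll)` call in the second hunk hands the firewall a concrete resolver list instead of a boolean, but the call site says nothing about what that list buys, and the only documented case is the warning for an empty list. If EnableFirewall permits traffic to those addresses irrespective of interface (its body is not in the hunk, so this is inferred), a resolver on a non-tunnel address becomes the one permitted path outside the tunnel under restrictAll, which is worth stating where the policy is built; a comment such as `// Resolvers in conf.Interface.Dns are the only DNS endpoints the firewall leaves reachable; confirm EnableFirewall scopes them to the tunnel.` would make that contract visible. Both hunks belong to enableFirewall, whose nextallowedip loop sits between them outside the visible lines.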