// SPDX-FileCopyrightText: 2026 Davide De Rosa
//
// SPDX-License-Identifier: GPL-3.0
import NetworkExtension
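extension DNSModule: NESettingsApplying {

    /// Translates this module's DNS configuration into an `NEDNSSettings`
    /// object and stores it on `settings.dnsSettings`.
    ///
    /// Whenever a settings object is built it replaces the former
    /// `settings.dnsSettings`, even with an empty server list. The only
    /// paths that leave `settings.dnsSettings` untouched are the early
    /// returns: cleartext with no servers, and a protocol type this code
    /// does not know about.
    ///
    /// - Parameters:
    ///   - ctx: Logger context. Every hostname, URL and address is logged
    ///     through `asSensitiveAddress(ctx)` so that it can be redacted.
    ///   - settings: The tunnel network settings being assembled.
    public func apply(_ ctx: PartoutLoggerContext, to settings: inout NEPacketTunnelNetworkSettings) {
        let rawServers = servers.map(\.rawValue)
        let dnsSettings: NEDNSSettings

        // Former DNS settings are always overridden, even with empty servers
        switch protocolType {
        case .cleartext:
            guard !rawServers.isEmpty else {
                pp_log(ctx, .os, .info, "\t\tSkip DNS settings, cleartext requires non-empty servers")
                return
            }
            dnsSettings = NEDNSSettings(servers: rawServers)
            pp_log(ctx, .os, .info, "\t\tServers: \(servers.map { $0.asSensitiveAddress(ctx) })")
        case .https(let url):
            let specificSettings = NEDNSOverHTTPSSettings(servers: rawServers)
            specificSettings.serverURL = url
            dnsSettings = specificSettings
            pp_log(ctx, .os, .info, "\t\tServers: \(servers.map { $0.asSensitiveAddress(ctx) })")
            pp_log(ctx, .os, .info, "\t\tDoH URL: \(url.absoluteString.asSensitiveAddress(ctx))")
        case .tls(let hostname):
            let specificSettings = NEDNSOverTLSSettings(servers: rawServers)
            specificSettings.serverName = hostname
            dnsSettings = specificSettings
            pp_log(ctx, .os, .info, "\t\tServers: \(servers.map { $0.asSensitiveAddress(ctx) })")
            pp_log(ctx, .os, .info, "\t\tDoT hostname: \(hostname.asSensitiveAddress(ctx))")
        @unknown default:
            // A protocol type unknown to this code has no NEDNSSettings
            // counterpart. Bail out like the cleartext guard does; a plain
            // `break` would reach the first use of `dnsSettings` below with
            // the constant never having been assigned.
            pp_log(ctx, .os, .info, "\t\tSkip DNS settings, unsupported protocol type")
            return
        }

        // Search domains
        if let domainName {
            dnsSettings.domainName = domainName.rawValue
            pp_log(ctx, .os, .info, "\t\tDomain: \(domainName.asSensitiveAddress(ctx))")
        }
        if let searchDomains {
            var list = searchDomains.map(\.rawValue)
            // Assume domain name to be first search domain
            if let domainName {
                list.insert(domainName.rawValue, at: 0)
            }
            // Nothing to assign when both the list and the domain name are absent
            if !list.isEmpty {
                dnsSettings.searchDomains = list
                pp_log(ctx, .os, .info, "\t\tSearch domains: \(list.map { $0.asSensitiveAddress(ctx) })")
            }
        }

        // This is why we guard before setting .matchDomains:
        // https://git.zx2c4.com/wireguard-apple/commit/?id=20bdf46792905de8862ae7641e50e0f9f99ec946
        //
        // `effectiveSearchDomains` is what was actually stored above, which
        // differs from the `searchDomains` property (domain name prepended,
        // nil collapsed to empty).
        let effectiveSearchDomains = dnsSettings.searchDomains ?? []
        let canSetMatchDomains = !dnsSettings.servers.isEmpty || !effectiveSearchDomains.isEmpty
        if canSetMatchDomains {
            //
            // Credit for .matchDomains:
            // https://github.com/WireGuard/wireguard-apple/pull/11
            //
            if let matchDomains, !matchDomains.isEmpty {
                dnsSettings.matchDomains = matchDomains.map(\.rawValue)
                // matchDomainsNoSearch is true only when none of the match
                // domains is also a search domain; any overlap leaves it false.
                dnsSettings.matchDomainsNoSearch = !matchDomains.contains {
                    effectiveSearchDomains.contains($0.rawValue)
                }
            } else {
                // Add "" so that all DNS queries must first go through the tunnel's DNS.
                // NEDNSSettings.searchDomains does not work so we add the searches to
                // matchDomains, which does work.
                dnsSettings.matchDomains = [""] + effectiveSearchDomains
                dnsSettings.matchDomainsNoSearch = false
            }
        }

        // Commit to tunnel settings
        settings.dnsSettings = dnsSettings
    }
}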