Disable DNS redirect when custom DNS is set to localhost

talpid-core/src/dns/mod.rs

@@ -133,6 +133,19 @@ impl ResolvedDnsConfig {
     pub fn addresses(self) -> impl Iterator<Item = IpAddr> {
         self.non_tunnel_config.into_iter().chain(self.tunnel_config)
     }
+
+    /// Return whether the config contains only (and at least one) loopback addresses, and zero
+    /// non-loopback addresses
+    pub fn is_loopback(&self) -> bool {
+        let (loopback_addrs, non_loopback_addrs) = self
+            .tunnel_config
+            .iter()
+            .chain(self.non_tunnel_config.iter())
+            .copied()
+            .partition::<Vec<_>, _>(|ip| ip.is_loopback());
+
+        !loopback_addrs.is_empty() && non_loopback_addrs.is_empty()
+    }
 }
 
 /// Sets and monitors system DNS settings. Makes sure the desired DNS servers are being used.

talpid-core/src/firewall/macos.rs

@@ -198,6 +198,7 @@ impl Firewall {
         policy: &FirewallPolicy,
     ) -> Result<Vec<pfctl::RedirectRule>> {
         let redirect_rules = match policy {
+            FirewallPolicy::Connected { dns_config, .. } if dns_config.is_loopback() => vec![],
             FirewallPolicy::Blocked {
                 dns_redirect_port, ..
             }

talpid-core/src/tunnel_state_machine/connected_state.rs

@@ -165,11 +165,15 @@ impl ConnectedState {
 
         // On macOS, configure only the local DNS resolver
         #[cfg(target_os = "macos")]
-        shared_values.runtime.block_on(
-            shared_values
-                .filtering_resolver
-                .enable_forward(dns_config.addresses().collect()),
-        );
+        if !dns_config.is_loopback() {
+            shared_values.runtime.block_on(
+                shared_values
+                    .filtering_resolver
+                    .enable_forward(dns_config.addresses().collect()),
+            );
+        } else {
+            log::debug!("Not enabling DNS forwarding since loopback is used");
+        }
 
         Ok(())
     }