From 5532f1f382cadc82a6d9ad9700c23df4744bc96e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20L=C3=B6nnhager?=
Date: Mon, 14 Oct 2024 17:33:31 +0200
Subject: [PATCH] Disable DNS redirect when custom DNS is set to localhost

---
 talpid-core/src/dns/mod.rs | 13 +++++++++++++
 talpid-core/src/firewall/macos.rs | 1 +
 .../src/tunnel_state_machine/connected_state.rs | 14 +++++++++-----
 3 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/talpid-core/src/dns/mod.rs b/talpid-core/src/dns/mod.rs
index d6fd3334498c..f803842ef97a 100644
--- a/talpid-core/src/dns/mod.rs
+++ b/talpid-core/src/dns/mod.rs
@@ -133,6 +133,19 @@ impl ResolvedDnsConfig {
 pub fn addresses(self) -> impl Iterator {
 self.non_tunnel_config.into_iter().chain(self.tunnel_config)
 }
+
+ /// Return whether the config contains only (and at least one) loopback addresses, and zero
+ /// non-loopback addresses
+ pub fn is_loopback(&self) -> bool {
+ let (loopback_addrs, non_loopback_addrs) = self
+ .tunnel_config
+ .iter()
+ .chain(self.non_tunnel_config.iter())
+ .copied()
+ .partition::, _>(|ip| ip.is_loopback());
+
+ !loopback_addrs.is_empty() && non_loopback_addrs.is_empty()
+ }
 }
 /// Sets and monitors system DNS settings. Makes sure the desired DNS servers are being used.
diff --git a/talpid-core/src/firewall/macos.rs b/talpid-core/src/firewall/macos.rs
index 5f674f2935c8..0945b72292a2 100644
--- a/talpid-core/src/firewall/macos.rs
+++ b/talpid-core/src/firewall/macos.rs
@@ -198,6 +198,7 @@ impl Firewall {
 policy: &FirewallPolicy,
 ) -> Result> {
 let redirect_rules = match policy {
+ FirewallPolicy::Connected { dns_config, .. } if dns_config.is_loopback() => vec![],
 FirewallPolicy::Blocked {
 dns_redirect_port, ..
 }
diff --git a/talpid-core/src/tunnel_state_machine/connected_state.rs b/talpid-core/src/tunnel_state_machine/connected_state.rs
index d5eb5ac7b7c9..10d9ac9b723d 100644
--- a/talpid-core/src/tunnel_state_machine/connected_state.rs
+++ b/talpid-core/src/tunnel_state_machine/connected_state.rs
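Review bot: `is_loopback` is now the single predicate that decides whether the macOS DNS redirect is dropped, yet the hunk adds no test for the three cases where that decision flips: an empty config (must stay `false` so the redirect remains), an all-loopback config (`true`) and a mixed loopback/non-loopback config (`false`, redirect kept for all addresses). A `#[cfg(test)]` test over those three inputs would pin the security-relevant edge, and the doc comment can be tightened since it states the same condition twice: `/// Whether at least one DNS address is configured and every one of them is a loopback address.` Partitioning into two `Vec`s only to test emptiness also allocates for nothing; if `tunnel_config` and `non_tunnel_config` are `Vec`s the same result is `let mut addrs = self.tunnel_config.iter().chain(self.non_tunnel_config.iter()); addrs.clone().all(|ip| ip.is_loopback()) && addrs.next().is_some()`. Note that `IpAddr::is_loopback` treats only `127.0.0.0/8` and `::1` as loopback, so an IPv4-mapped `::ffff:127.0.0.1` keeps the redirect — conservative, but worth a line in the doc comment.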
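Review bot: The new guarded arm drops every redirect rule for `Connected` when the custom DNS is loopback, but nothing near it says why, and a reader of the surrounding function (its signature starts and the `match` continues outside the hunk) cannot tell this is the one case where queries are meant to bypass the filtering resolver; add `// Custom DNS on loopback: queries go straight to the user's local resolver, so no redirect to the filtering resolver.` above the arm. Because it is a guarded arm, it must stay ahead of any general `Connected` arm further down or it becomes unreachable — a short comment on the ordering would protect that. Separately, removing the redirect only helps if the filter rules (not in this hunk) still confine the local resolver's own upstream traffic to the tunnel; please confirm the `Connected` filter rules do not open a non-tunnel DNS path when `dns_config` is loopback, since that would be a DNS leak rather than a convenience.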
@@ -165,11 +165,15 @@ impl ConnectedState {
 // On macOS, configure only the local DNS resolver
 #[cfg(target_os = "macos")]
- shared_values.runtime.block_on(
- shared_values
- .filtering_resolver
- .enable_forward(dns_config.addresses().collect()),
- );
+ if !dns_config.is_loopback() {
+ shared_values.runtime.block_on(
+ shared_values
+ .filtering_resolver
+ .enable_forward(dns_config.addresses().collect()),
+ );
+ } else {
+ log::debug!("Not enabling DNS forwarding since loopback is used");
+ }
 Ok(())
 }
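Review bot: When `dns_config.is_loopback()` is true the `else` branch only logs, so a filtering resolver that was already forwarding to an earlier non-loopback target (for example custom DNS changed from a public server to 127.0.0.1 while connected) keeps that forwarding state; if the resolver exposes a disable or reset method, call it in the `else` branch instead of leaving stale configuration, and if it does not, say so in a comment above the branch. The decision is also user-relevant — DNS now bypasses the filtering resolver entirely — so `log::info!("Not enabling DNS forwarding since loopback is used");` seems more appropriate than `debug!`. The same predicate is what the macOS firewall uses to drop the redirect rules, so a one-line comment tying the two together (`// Must agree with the redirect-rule check in firewall/macos.rs`) would keep them from drifting apart. The enclosing function begins before this hunk.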