From 40ea51a3aef208897cdcf7cf06dbda1bbe767a86 Mon Sep 17 00:00:00 2001
From: Quentin McGaw
Date: Mon, 17 Nov 2025 13:05:33 +0000
Subject: [PATCH] Remove `DNS_KEEP_NAMESERVER` (always off)

---
 Dockerfile | 1 -
 internal/configuration/settings/deprecated.go | 2 +
 internal/configuration/settings/dns.go | 37 ++++---------------
 .../configuration/settings/settings_test.go | 1 -
 internal/dns/run.go | 21 +++-------
 5 files changed, 14 insertions(+), 48 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index d89441b0..080f2563 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -180,7 +180,6 @@ ENV VPN_SERVICE_PROVIDER=pia \
 DNS_REBINDING_PROTECTION_EXEMPT_HOSTNAMES= \
 DNS_UPDATE_PERIOD=24h \
 DNS_ADDRESS=127.0.0.1 \
- DNS_KEEP_NAMESERVER=off \
 # HTTP proxy
 HTTPPROXY= \
 HTTPPROXY_LOG=off \
diff --git a/internal/configuration/settings/deprecated.go b/internal/configuration/settings/deprecated.go
index f80d5969..5da27053 100644
--- a/internal/configuration/settings/deprecated.go
+++ b/internal/configuration/settings/deprecated.go
@@ -16,6 +16,8 @@ func readObsolete(r *reader.Reader) (warnings []string) {
 "HEALTH_VPN_DURATION_ADDITION": "HEALTH_VPN_DURATION_ADDITION is obsolete",
 "DNS_SERVER": "DNS_SERVER is obsolete because the forwarding server is always enabled.",
 "DOT": "DOT is obsolete because the forwarding server is always enabled.",
+ "DNS_KEEP_NAMESERVER": "DNS_KEEP_NAMESERVER is obsolete because the forwarding server is always used and " + "forwards local names to private DNS resolvers found in /etc/resolv.conf",
 }
 sortedKeys := maps.Keys(keyToMessage)
 slices.Sort(sortedKeys)
diff --git a/internal/configuration/settings/dns.go b/internal/configuration/settings/dns.go
index dcaaf42e..d0c33a0e 100644
--- a/internal/configuration/settings/dns.go
+++ b/internal/configuration/settings/dns.go
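Review bot: The new obsolete-key message for DNS_KEEP_NAMESERVER says the forwarder "forwards local names to private DNS resolvers found in /etc/resolv.conf" but never says which names count as local, so a user who turned the option on to keep resolving through their Docker/Kubernetes resolver (the scenario the removed field comment in dns.go describes) cannot tell from this warning whether those names will still reach that resolver or will now be sent to the configured DoT upstream over the tunnel. Since readObsolete only returns this as a warning, the message is the one place this behaviour change is surfaced, so it should carry the rule itself. I would write something like `"DNS_KEEP_NAMESERVER is obsolete: the forwarding server is always used; <names matching the local-name rule> are forwarded to private-address resolvers listed in /etc/resolv.conf and every other name goes to the configured upstream over the VPN"`, naming the setting that controls the local-name match if one exists (it is not visible in this patch). readObsolete's body continues outside the hunk.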
@@ -38,17 +38,6 @@ type DNS struct {
 // local server. It cannot be the zero value in the internal
 // state.
 ServerAddress netip.Addr
- // KeepNameserver is true if the existing DNS server
- // found in /etc/resolv.conf should be used
- // Note setting this to true will likely DNS traffic
- // outside the VPN tunnel since it would go through
- // the local DNS server of your Docker/Kubernetes
- // configuration, which is likely not going through the tunnel.
- // This will also disable the DNS forwarder server and the
- // `ServerAddress` field will be ignored.
- // It defaults to false and cannot be nil in the
- // internal state.
- KeepNameserver *bool
 }
 
 var (
@@ -85,14 +74,13 @@ func (d DNS) validate() (err error) {
 
 func (d *DNS) Copy() (copied DNS) {
 return DNS{
- UpstreamType: d.UpstreamType,
- UpdatePeriod: gosettings.CopyPointer(d.UpdatePeriod),
- Providers: gosettings.CopySlice(d.Providers),
- Caching: gosettings.CopyPointer(d.Caching),
- IPv6: gosettings.CopyPointer(d.IPv6),
- Blacklist: d.Blacklist.copy(),
- ServerAddress: d.ServerAddress,
- KeepNameserver: gosettings.CopyPointer(d.KeepNameserver),
+ UpstreamType: d.UpstreamType,
+ UpdatePeriod: gosettings.CopyPointer(d.UpdatePeriod),
+ Providers: gosettings.CopySlice(d.Providers),
+ Caching: gosettings.CopyPointer(d.Caching),
+ IPv6: gosettings.CopyPointer(d.IPv6),
+ Blacklist: d.Blacklist.copy(),
+ ServerAddress: d.ServerAddress,
 }
 }
 
@@ -107,7 +95,6 @@ func (d *DNS) overrideWith(other DNS) {
 d.IPv6 = gosettings.OverrideWithPointer(d.IPv6, other.IPv6)
 d.Blacklist.overrideWith(other.Blacklist)
 d.ServerAddress = gosettings.OverrideWithValidator(d.ServerAddress, other.ServerAddress)
- d.KeepNameserver = gosettings.OverrideWithPointer(d.KeepNameserver, other.KeepNameserver)
 }
 
 func (d *DNS) setDefaults() {
@@ -122,7 +109,6 @@ func (d *DNS) setDefaults() {
 d.Blacklist.setDefaults()
 d.ServerAddress = gosettings.DefaultValidator(d.ServerAddress,
 netip.AddrFrom4([4]byte{127, 0, 0, 1}))
- d.KeepNameserver = gosettings.DefaultPointer(d.KeepNameserver, false)
 }
 
 func (d DNS) GetFirstPlaintextIPv4() (ipv4 netip.Addr) {
@@ -148,10 +134,6 @@ func (d DNS) String() string {
 func (d DNS) toLinesNode() (node *gotree.Node) {
 node = gotree.New("DNS settings:")
- node.Appendf("Keep existing nameserver(s): %s", gosettings.BoolToYesNo(d.KeepNameserver))
- if *d.KeepNameserver {
- return node
- }
 node.Appendf("DNS server address to use: %s", d.ServerAddress)
 node.Appendf("Upstream resolver type: %s", d.UpstreamType)
@@ -205,10 +187,5 @@ func (d *DNS) read(r *reader.Reader) (err error) {
 return err
 }
 
- d.KeepNameserver, err = r.BoolPtr("DNS_KEEP_NAMESERVER")
- if err != nil {
- return err
- }
-
 return nil
 }
diff --git a/internal/configuration/settings/settings_test.go b/internal/configuration/settings/settings_test.go
index aac8d1f8..73413409 100644
--- a/internal/configuration/settings/settings_test.go
+++ b/internal/configuration/settings/settings_test.go
@@ -38,7 +38,6 @@ func Test_Settings_String(t *testing.T) {
 | ├── Run OpenVPN as: root
 | └── Verbosity level: 1
 ├── DNS settings:
-| ├── Keep existing nameserver(s): no
 | ├── DNS server address to use: 127.0.0.1
 | ├── Upstream resolver type: dot
 | ├── Upstream resolvers:
diff --git a/internal/dns/run.go b/internal/dns/run.go
index 7aba1feb..5a73e352 100644
--- a/internal/dns/run.go
+++ b/internal/dns/run.go
@@ -18,14 +18,8 @@ func (l *Loop) Run(ctx context.Context, done chan<- struct{}) {
 return
 }
 
- if *l.GetSettings().KeepNameserver {
- l.logger.Warn("⚠️⚠️⚠️ keeping the default container nameservers, " + "this will likely leak DNS traffic outside the VPN " + "and go through your container network DNS outside the VPN tunnel!")
- } else {
- const fallback = false
- l.useUnencryptedDNS(fallback)
- }
+ const fallback = false
+ l.useUnencryptedDNS(fallback)
 
 select {
 case <-l.start:
@@ -38,8 +32,7 @@ func (l *Loop) Run(ctx context.Context, done chan<- struct{}) {
 // Their values are to be used if DOT=off
 var runError <-chan error
- settings := l.GetSettings()
- for !*settings.KeepNameserver {
+ for {
 var err error
 runError, err = l.setupServer(ctx)
 if err == nil {
@@ -60,14 +53,10 @@ func (l *Loop) Run(ctx context.Context, done chan<- struct{}) {
 l.useUnencryptedDNS(fallback)
 }
 l.logAndWait(ctx, err)
- settings = l.GetSettings()
 }
- settings = l.GetSettings()
- if !*settings.KeepNameserver {
- const fallback = false
- l.useUnencryptedDNS(fallback)
- }
+ const fallback = false
+ l.useUnencryptedDNS(fallback)
 l.userTrigger = false
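Review bot: The bare `l.useUnencryptedDNS(fallback)` that replaces the if/else before the first `select` now reads as if plaintext DNS were the intended end state, whereas the retry loop further down sets up the forwarding server; without the removed else-branch context a later reader may well "fix" it away, so a why-comment belongs here. Something like `// Point the container at plaintext DNS until the forwarding server is set up below, so names resolve during startup and while setupServer retries` — worded as an assumption, since what useUnencryptedDNS actually writes is outside this hunk. With the KeepNameserver warning gone there is also no longer any log line in this function telling the operator that the container's own nameservers are being replaced at this point; if useUnencryptedDNS does not log that itself, a short Info line here would be worth keeping. Run's body continues outside the hunk.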
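Review bot: The context comment `// Their values are to be used if DOT=off` directly above `var runError` refers to the DOT setting, which this same patch's deprecated.go lists as obsolete because the forwarding server is always enabled, so the comment now describes a condition that can no longer occur and sits right next to the rewritten loop header. I would replace it with what the variable actually carries, e.g. `// runError receives the forwarding server's run-time failure once setupServer succeeds below`. Since `for {` has no header condition, every exit of the loop is now inside its body, which runs past the hunk, so I could not confirm from here that the cancellation path still returns rather than falling through to the post-loop code.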