Remove DNS_KEEP_NAMESERVER (always off)

2025-11-17 13:05:33 +00:00
parent 1a93a41a55
commit 40ea51a3ae
5 changed files with 14 additions and 48 deletions
--- a/1
+++ b/1
@@ -180,7 +180,6 @@ ENV VPN_SERVICE_PROVIDER=pia \
    DNS_REBINDING_PROTECTION_EXEMPT_HOSTNAMES= \
    DNS_UPDATE_PERIOD=24h \
    DNS_ADDRESS=127.0.0.1 \
-    DNS_KEEP_NAMESERVER=off \
    # HTTP proxy
    HTTPPROXY= \
    HTTPPROXY_LOG=off \
--- a/internal/configuration/settings/deprecated.go
+++ b/internal/configuration/settings/deprecated.go
@@ -16,6 +16,8 @@ func readObsolete(r *reader.Reader) (warnings []string) {
 		"HEALTH_VPN_DURATION_ADDITION": "HEALTH_VPN_DURATION_ADDITION is obsolete",
 		"DNS_SERVER":                   "DNS_SERVER is obsolete because the forwarding server is always enabled.",
 		"DOT":                          "DOT is obsolete because the forwarding server is always enabled.",
+		"DNS_KEEP_NAMESERVER": "DNS_KEEP_NAMESERVER is obsolete because the forwarding server is always used and " +
+			"forwards local names to private DNS resolvers found in /etc/resolv.conf",
 	}
 	sortedKeys := maps.Keys(keyToMessage)
 	slices.Sort(sortedKeys)
--- a/internal/configuration/settings/dns.go
+++ b/internal/configuration/settings/dns.go
@@ -38,17 +38,6 @@ type DNS struct {
 	// local server. It cannot be the zero value in the internal
 	// state.
 	ServerAddress netip.Addr
-	// KeepNameserver is true if the existing DNS server
-	// found in /etc/resolv.conf should be used
-	// Note setting this to true will likely DNS traffic
-	// outside the VPN tunnel since it would go through
-	// the local DNS server of your Docker/Kubernetes
-	// configuration, which is likely not going through the tunnel.
-	// This will also disable the DNS forwarder server and the
-	// `ServerAddress` field will be ignored.
-	// It defaults to false and cannot be nil in the
-	// internal state.
-	KeepNameserver *bool
 }

 var (
@@ -92,7 +81,6 @@ func (d *DNS) Copy() (copied DNS) {
 		IPv6:          gosettings.CopyPointer(d.IPv6),
 		Blacklist:     d.Blacklist.copy(),
 		ServerAddress: d.ServerAddress,
-		KeepNameserver: gosettings.CopyPointer(d.KeepNameserver),
 	}
 }

@@ -107,7 +95,6 @@ func (d *DNS) overrideWith(other DNS) {
 	d.IPv6 = gosettings.OverrideWithPointer(d.IPv6, other.IPv6)
 	d.Blacklist.overrideWith(other.Blacklist)
 	d.ServerAddress = gosettings.OverrideWithValidator(d.ServerAddress, other.ServerAddress)
-	d.KeepNameserver = gosettings.OverrideWithPointer(d.KeepNameserver, other.KeepNameserver)
 }

 func (d *DNS) setDefaults() {
@@ -122,7 +109,6 @@ func (d *DNS) setDefaults() {
 	d.Blacklist.setDefaults()
 	d.ServerAddress = gosettings.DefaultValidator(d.ServerAddress,
 		netip.AddrFrom4([4]byte{127, 0, 0, 1}))
-	d.KeepNameserver = gosettings.DefaultPointer(d.KeepNameserver, false)
 }

 func (d DNS) GetFirstPlaintextIPv4() (ipv4 netip.Addr) {
@@ -148,10 +134,6 @@ func (d DNS) String() string {

 func (d DNS) toLinesNode() (node *gotree.Node) {
 	node = gotree.New("DNS settings:")
-	node.Appendf("Keep existing nameserver(s): %s", gosettings.BoolToYesNo(d.KeepNameserver))
-	if *d.KeepNameserver {
-		return node
-	}
 	node.Appendf("DNS server address to use: %s", d.ServerAddress)

 	node.Appendf("Upstream resolver type: %s", d.UpstreamType)
@@ -205,10 +187,5 @@ func (d *DNS) read(r *reader.Reader) (err error) {
 		return err
 	}

-	d.KeepNameserver, err = r.BoolPtr("DNS_KEEP_NAMESERVER")
-	if err != nil {
-		return err
-	}
-
 	return nil
 }
--- a/internal/configuration/settings/settings_test.go
+++ b/internal/configuration/settings/settings_test.go
@@ -38,7 +38,6 @@ func Test_Settings_String(t *testing.T) {
 |       ├── Run OpenVPN as: root
 |       └── Verbosity level: 1
 ├── DNS settings:
-|   ├── Keep existing nameserver(s): no
 |   ├── DNS server address to use: 127.0.0.1
 |   ├── Upstream resolver type: dot
 |   ├── Upstream resolvers:
--- a/internal/dns/run.go
+++ b/internal/dns/run.go
@@ -18,14 +18,8 @@ func (l *Loop) Run(ctx context.Context, done chan<- struct{}) {
 		return
 	}

-	if *l.GetSettings().KeepNameserver {
-		l.logger.Warn("⚠️⚠️⚠️  keeping the default container nameservers, " +
-			"this will likely leak DNS traffic outside the VPN " +
-			"and go through your container network DNS outside the VPN tunnel!")
-	} else {
 	const fallback = false
 	l.useUnencryptedDNS(fallback)
-	}

 	select {
 	case <-l.start:
@@ -38,8 +32,7 @@ func (l *Loop) Run(ctx context.Context, done chan<- struct{}) {
 		// Their values are to be used if DOT=off
 		var runError <-chan error

-		settings := l.GetSettings()
-		for !*settings.KeepNameserver {
+		for {
 			var err error
 			runError, err = l.setupServer(ctx)
 			if err == nil {
@@ -60,14 +53,10 @@ func (l *Loop) Run(ctx context.Context, done chan<- struct{}) {
 				l.useUnencryptedDNS(fallback)
 			}
 			l.logAndWait(ctx, err)
-			settings = l.GetSettings()
 		}

-		settings = l.GetSettings()
-		if !*settings.KeepNameserver {
 		const fallback = false
 		l.useUnencryptedDNS(fallback)
-		}

 		l.userTrigger = false