From bc05ff34fdabd2f2f65804139dda1120d76ff603 Mon Sep 17 00:00:00 2001
From: Quentin McGaw
Date: Sat, 2 May 2020 13:11:41 +0000
Subject: [PATCH] Launch DNS over TLS after tunneling

- No data is downloaded before tunneling
- Fixes #127
---
 cmd/main.go | 48 +++++++++++++++++++++++++-----------------------
 doc/faq.md | 6 +++---
 2 files changed, 28 insertions(+), 26 deletions(-)

diff --git a/cmd/main.go b/cmd/main.go
index 0147203b..d71e7a4f 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -133,29 +133,6 @@ func main() { //nolint:gocognit
 	}()
 	waiter := command.NewWaiter()
-	if allSettings.DNS.Enabled {
-		initialDNSToUse := constants.DNSProviderMapping()[allSettings.DNS.Providers[0]]
-		dnsConf.UseDNSInternally(initialDNSToUse.IPs[0])
-		err = dnsConf.DownloadRootHints(allSettings.System.UID, allSettings.System.GID)
-		e.FatalOnError(err)
-		err = dnsConf.DownloadRootKey(allSettings.System.UID, allSettings.System.GID)
-		e.FatalOnError(err)
-		err = dnsConf.MakeUnboundConf(allSettings.DNS, allSettings.System.UID, allSettings.System.GID)
-		e.FatalOnError(err)
-		stream, waitFn, err := dnsConf.Start(ctx, allSettings.DNS.VerbosityDetailsLevel)
-		e.FatalOnError(err)
-		waiter.Add(func() error {
-			err := waitFn()
-			logger.Error("unbound: %s", err)
-			return err
-		})
-		go streamMerger.Merge(ctx, stream, command.MergeName("unbound"), command.MergeColor(constants.ColorUnbound()))
-		dnsConf.UseDNSInternally(net.IP{127, 0, 0, 1}) // use Unbound
-		err = dnsConf.UseDNSSystemWide(net.IP{127, 0, 0, 1}) // use Unbound
-		e.FatalOnError(err)
-		err = dnsConf.WaitForUnbound()
-		e.FatalOnError(err)
-	}
 	var connections []models.OpenVPNConnection
 	switch allSettings.VPNSP {
@@ -304,6 +281,31 @@ func main() { //nolint:gocognit
 	go func() {
 		<-connected.Done() // blocks until openvpn is connected
+		if allSettings.DNS.Enabled {
+			initialDNSToUse := constants.DNSProviderMapping()[allSettings.DNS.Providers[0]]
+			dnsConf.UseDNSInternally(initialDNSToUse.IPs[0])
+			err = dnsConf.DownloadRootHints(allSettings.System.UID, allSettings.System.GID)
+			e.FatalOnError(err)
+			err = dnsConf.DownloadRootKey(allSettings.System.UID, allSettings.System.GID)
+			e.FatalOnError(err)
+			err = dnsConf.MakeUnboundConf(allSettings.DNS, allSettings.System.UID, allSettings.System.GID)
+			e.FatalOnError(err)
+			stream, waitFn, err := dnsConf.Start(ctx, allSettings.DNS.VerbosityDetailsLevel)
+			e.FatalOnError(err)
+			waiter.Add(func() error {
+				err := waitFn()
+				logger.Error("unbound: %s", err)
+				return err
+			})
+			go streamMerger.Merge(ctx, stream, command.MergeName("unbound"), command.MergeColor(constants.ColorUnbound()))
+			dnsConf.UseDNSInternally(net.IP{127, 0, 0, 1}) // use Unbound
+			err = dnsConf.UseDNSSystemWide(net.IP{127, 0, 0, 1}) // use Unbound
+			e.FatalOnError(err)
+			err = dnsConf.WaitForUnbound()
+			e.FatalOnError(err)
+			logger.Info("DNS over TLS with Unbound setup completed")
+		}
+
 		ip, err := routingConf.CurrentPublicIP(defaultInterface)
 		if err != nil {
 			logger.Error(err)
diff --git a/doc/faq.md b/doc/faq.md
index bd2fcfe3..593401b3 100644
--- a/doc/faq.md
+++ b/doc/faq.md
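Review bot: The DNS bootstrap now runs inside the `go func()` closure, but its first three error assignments (`err = dnsConf.DownloadRootHints(...)`, `err = dnsConf.DownloadRootKey(...)`, `err = dnsConf.MakeUnboundConf(...)`) write main's outer `err`, which the main goroutine may still be assigning after it launches this goroutine; if it does, that is an unsynchronized data race that `go test -race` would report. Giving the closure its own variable, e.g. `var err error` as the first line of the `if allSettings.DNS.Enabled {` block, keeps the DNS errors local (the later `stream, waitFn, err :=` already shadows for the rest of the block). Separately, `e.FatalOnError(err)` is now reached from a background goroutine; if it exits the process as its name suggests, main's deferred cleanup and the `waiter` shutdown path are bypassed, so a failed root-hints or root-key download after the tunnel is up would terminate the container without the orderly teardown the non-DNS path gets — consider surfacing these errors through `waiter.Add` instead. The enclosing `go func()` and `main` both continue outside the hunk.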
@@ -4,7 +4,7 @@
 - [Openvpn disconnects because of a ping timeout](#Openvpn-disconnects-because-of-a-ping-timeout)
 - [Private Internet Access: Why do I see openvpn warnings at start](#Private-Internet-Access:-Why-do-I-see-openvpn-warnings-at-start)
-- [What files does it download at start before tunneling](#What-files-does-it-download-at-start-before-tunneling)
+- [What files does it download after tunneling](#What-files-does-it-download-after-tunneling)
 - [How to build Docker images of older or alternate versions](#How-to-build-Docker-images-of-older-or-alternate-versions)
 - [Mullvad does not work with IPv6](#Mullvad-does-not-work-with-IPv6)
 - [What's all this Go code](#What-is-all-this-Go-code)
@@ -54,9 +54,9 @@ It is mainly because the option [disable-occ](https://openvpn.net/community-reso
 Private Internet Access explains [here why](https://www.privateinternetaccess.com/helpdesk/kb/articles/why-do-i-get-cipher-auth-warnings-when-i-connect) the warnings show up.
-## What files does it download at start before tunneling
+## What files does it download after tunneling
-At start, the Go entrypoint only downloads, depending on your settings:
+At start, after tunneling, the Go entrypoint only downloads, depending on your settings:
 - If `DOT=on`: [DNS over TLS named root](https://github.com/qdm12/files/blob/master/named.root.updated) for Unbound
 - If `DOT=on`: [DNS over TLS root key](https://github.com/qdm12/files/blob/master/root.key.updated) for Unbound