Launch DNS over TLS after tunneling

- No data is downloaded before tunneling - Fixes #127
2020-05-02 13:11:41 +00:00
parent 8e77842f1e
commit bc05ff34fd
2 changed files with 28 additions and 26 deletions
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -133,29 +133,6 @@ func main() { //nolint:gocognit
 	}()

 	waiter := command.NewWaiter()
-	if allSettings.DNS.Enabled {
-		initialDNSToUse := constants.DNSProviderMapping()[allSettings.DNS.Providers[0]]
-		dnsConf.UseDNSInternally(initialDNSToUse.IPs[0])
-		err = dnsConf.DownloadRootHints(allSettings.System.UID, allSettings.System.GID)
-		e.FatalOnError(err)
-		err = dnsConf.DownloadRootKey(allSettings.System.UID, allSettings.System.GID)
-		e.FatalOnError(err)
-		err = dnsConf.MakeUnboundConf(allSettings.DNS, allSettings.System.UID, allSettings.System.GID)
-		e.FatalOnError(err)
-		stream, waitFn, err := dnsConf.Start(ctx, allSettings.DNS.VerbosityDetailsLevel)
-		e.FatalOnError(err)
-		waiter.Add(func() error {
-			err := waitFn()
-			logger.Error("unbound: %s", err)
-			return err
-		})
-		go streamMerger.Merge(ctx, stream, command.MergeName("unbound"), command.MergeColor(constants.ColorUnbound()))
-		dnsConf.UseDNSInternally(net.IP{127, 0, 0, 1})       // use Unbound
-		err = dnsConf.UseDNSSystemWide(net.IP{127, 0, 0, 1}) // use Unbound
-		e.FatalOnError(err)
-		err = dnsConf.WaitForUnbound()
-		e.FatalOnError(err)
-	}

 	var connections []models.OpenVPNConnection
 	switch allSettings.VPNSP {
@@ -304,6 +281,31 @@ func main() { //nolint:gocognit
 	go func() {
 		<-connected.Done() // blocks until openvpn is connected

+		if allSettings.DNS.Enabled {
+			initialDNSToUse := constants.DNSProviderMapping()[allSettings.DNS.Providers[0]]
+			dnsConf.UseDNSInternally(initialDNSToUse.IPs[0])
+			err = dnsConf.DownloadRootHints(allSettings.System.UID, allSettings.System.GID)
+			e.FatalOnError(err)
+			err = dnsConf.DownloadRootKey(allSettings.System.UID, allSettings.System.GID)
+			e.FatalOnError(err)
+			err = dnsConf.MakeUnboundConf(allSettings.DNS, allSettings.System.UID, allSettings.System.GID)
+			e.FatalOnError(err)
+			stream, waitFn, err := dnsConf.Start(ctx, allSettings.DNS.VerbosityDetailsLevel)
+			e.FatalOnError(err)
+			waiter.Add(func() error {
+				err := waitFn()
+				logger.Error("unbound: %s", err)
+				return err
+			})
+			go streamMerger.Merge(ctx, stream, command.MergeName("unbound"), command.MergeColor(constants.ColorUnbound()))
+			dnsConf.UseDNSInternally(net.IP{127, 0, 0, 1})       // use Unbound
+			err = dnsConf.UseDNSSystemWide(net.IP{127, 0, 0, 1}) // use Unbound
+			e.FatalOnError(err)
+			err = dnsConf.WaitForUnbound()
+			e.FatalOnError(err)
+			logger.Info("DNS over TLS with Unbound setup completed")
+		}
+
 		ip, err := routingConf.CurrentPublicIP(defaultInterface)
 		if err != nil {
 			logger.Error(err)
--- a/doc/faq.md
+++ b/doc/faq.md
@@ -4,7 +4,7 @@

 - [Openvpn disconnects because of a ping timeout](#Openvpn-disconnects-because-of-a-ping-timeout)
 - [Private Internet Access: Why do I see openvpn warnings at start](#Private-Internet-Access:-Why-do-I-see-openvpn-warnings-at-start)
- [What files does it download at start before tunneling](#What-files-does-it-download-at-start-before-tunneling)
+- [What files does it download after tunneling](#What-files-does-it-download-after-tunneling)
 - [How to build Docker images of older or alternate versions](#How-to-build-Docker-images-of-older-or-alternate-versions)
 - [Mullvad does not work with IPv6](#Mullvad-does-not-work-with-IPv6)
 - [What's all this Go code](#What-is-all-this-Go-code)
@@ -54,9 +54,9 @@ It is mainly because the option [disable-occ](https://openvpn.net/community-reso

 Private Internet Access explains [here why](https://www.privateinternetaccess.com/helpdesk/kb/articles/why-do-i-get-cipher-auth-warnings-when-i-connect) the warnings show up.

-## What files does it download at start before tunneling
+## What files does it download after tunneling

-At start, the Go entrypoint only downloads, depending on your settings:
+At start, after tunneling, the Go entrypoint only downloads, depending on your settings:

 - If `DOT=on`: [DNS over TLS named root](https://github.com/qdm12/files/blob/master/named.root.updated) for Unbound
 - If `DOT=on`: [DNS over TLS root key](https://github.com/qdm12/files/blob/master/root.key.updated) for Unbound