Add Windows DNS firewall to block DNS leaks from non-netbird processes

2026-05-20 07:39:56 +00:00 · 2026-05-05 18:11:06 +02:00
parent 1795bc801d
commit 4810e79a00
14 changed files with 1524 additions and 7 deletions
--- a/client/internal/dns/host_windows.go
+++ b/client/internal/dns/host_windows.go
@@ -16,6 +16,7 @@ import (
 	"golang.org/x/sys/windows/registry"

 	nberrors "github.com/netbirdio/netbird/client/errors"
+	"github.com/netbirdio/netbird/client/internal/dns/dnsfw"
 	"github.com/netbirdio/netbird/client/internal/statemanager"
 	"github.com/netbirdio/netbird/client/internal/winregistry"
 )
@@ -71,6 +72,7 @@ type registryConfigurator struct {
 	routingAll     bool
 	gpo            bool
 	nrptEntryCount int
+	dnsFirewall    dnsfw.Manager
 }

 func newHostManager(wgInterface WGIface) (*registryConfigurator, error) {
@@ -90,8 +92,9 @@ func newHostManager(wgInterface WGIface) (*registryConfigurator, error) {
 	}

 	configurator := &registryConfigurator{
-		guid: guid,
-		gpo:  useGPO,
+		guid:        guid,
+		gpo:         useGPO,
+		dnsFirewall: dnsfw.New(),
 	}

 	if err := configurator.configureInterface(); err != nil {
@@ -170,15 +173,23 @@ func (r *registryConfigurator) disableWINSForInterface() error {

 func (r *registryConfigurator) applyDNSConfig(config HostDNSConfig, stateManager *statemanager.Manager) error {
 	if config.RouteAll {
+		if err := r.dnsFirewall.Enable(r.guid, config.ServerIP); err != nil {
+			return fmt.Errorf("dns firewall: %w", err)
+		}
 		if err := r.addDNSSetupForAll(config.ServerIP); err != nil {
 			return fmt.Errorf("add dns setup: %w", err)
 		}
-	} else if r.routingAll {
-		if err := r.deleteInterfaceRegistryKeyProperty(interfaceConfigNameServerKey); err != nil {
-			return fmt.Errorf("delete interface registry key property: %w", err)
+	} else {
+		if err := r.dnsFirewall.Disable(); err != nil {
+			log.Errorf("disable dns firewall: %v", err)
+		}
+		if r.routingAll {
+			if err := r.deleteInterfaceRegistryKeyProperty(interfaceConfigNameServerKey); err != nil {
+				return fmt.Errorf("delete interface registry key property: %w", err)
+			}
+			r.routingAll = false
+			log.Infof("removed %s as main DNS forwarder for this peer", config.ServerIP)
 		}
-		r.routingAll = false
-		log.Infof("removed %s as main DNS forwarder for this peer", config.ServerIP)
 	}

 	r.updateState(stateManager)
@@ -406,6 +417,10 @@ func (r *registryConfigurator) restoreHostDNS() error {
 		return fmt.Errorf("remove interface registry key: %w", err)
 	}

+	if err := r.dnsFirewall.Disable(); err != nil {
+		log.Errorf("disable dns firewall: %v", err)
+	}
+
 	go r.flushDNSCache()

 	return nil