DNS Management

​

Overview

• DNS requests only go to approved servers (relay or custom DNS)
• No DNS leaks outside the tunnel
• Automatic restoration of original DNS settings
• Platform-specific integration with system services

​

DNS Configuration Types

​

Default DNS

ResolvedDnsConfig {
    tunnel_config: [relay_gateway_ip],
    non_tunnel_config: [],
}

​

Custom DNS

​

Platform Selection

# Set specific method
export TALPID_DNS_MODULE=method_name

​

Windows DNS Methods

​

Available Methods

1. iphlpapi - IP Helper API (default)
2. netsh - netsh command-line tool
3. tcpip - Registry TCP/IP parameters

​

1. iphlpapi Method

TALPID_DNS_MODULE=iphlpapi

• Calls Windows API directly
• Sets DNS servers per interface
• Fastest and most reliable
• Requires Windows 10+

​

2. netsh Method

TALPID_DNS_MODULE=netsh

• Spawns netsh.exe process
• Configures via command-line
• Works on older Windows versions
• Slower than API approach

netsh interface ipv4 set dnsservers "interface" static 1.2.3.4 primary
netsh interface ipv6 set dnsservers "interface" static fd00::1 primary

​

3. tcpip Method

TALPID_DNS_MODULE=tcpip

• Modifies HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}
• Sets NameServer and NameServer6 registry values
• Most compatible but least reliable
• Requires service restart for changes to take effect

​

DNS Flushing

​

Linux DNS Methods

​

Available Methods

1. systemd-resolved (via D-Bus)
2. NetworkManager (via D-Bus)
3. resolvconf (program)
4. static-file (/etc/resolv.conf)

​

1. systemd-resolved (Preferred)

TALPID_DNS_MODULE=systemd

• Uses D-Bus to communicate with systemd-resolved
• Calls SetLinkDNS method on interface
• Sets per-interface DNS servers
• Automatic when resolved is running

org.freedesktop.resolve1.Manager.SetLinkDNS(interface_index, servers)
org.freedesktop.resolve1.Manager.RevertLink(interface_index)

​

2. NetworkManager

TALPID_DNS_MODULE=network-manager

• Uses D-Bus to communicate with NetworkManager
• Modifies DNS configuration per connection
• Used when systemd-resolved unavailable

pub fn will_use_nm() -> bool {
    SystemdResolved::new().is_err() && NetworkManager::new().is_ok()
}

​

3. resolvconf Program

TALPID_DNS_MODULE=resolvconf

• Executes /sbin/resolvconf binary
• Writes DNS config via stdin
• Standard on Debian-based systems

echo "nameserver 1.2.3.4" | resolvconf -a interface.mullvad
resolvconf -d interface.mullvad

​

4. Static resolv.conf

TALPID_DNS_MODULE=static-file

• Backs up original /etc/resolv.conf
• Writes new file with nameserver entries
• Restores backup on reset
• Last resort when no other method works

# Generated by Mullvad VPN
nameserver 1.2.3.4
nameserver fd00::1

​

Routing Considerations

• Route manager adds routes to DNS servers
• Ensures traffic doesn’t go through tunnel
• Only for private IP ranges

​

macOS DNS Management

​

Implementation

impl DnsMonitor {
    fn set(&mut self, interface: &str, config: ResolvedDnsConfig)
}

1. Set DNS via SCDynamicStoreSetValue
2. Configure per interface using State:/Network/Service/{service}/DNS
3. Set search domains (if applicable)
4. Priority ordering ensures tunnel interface used first

​

Local DNS Resolver

• Forwards queries to configured upstream servers
• Can be disabled: TALPID_DISABLE_LOCAL_DNS_RESOLVER=1
• May cache AAAA queries aggressively

• App filters AAAA queries when IPv6 disabled
• Prevents IPv6 DNS leaks
• Force disable: TALPID_NEVER_FILTER_AAAA_QUERIES=1

​

System Configuration Keys

State:/Network/Service/{service_id}/DNS
├── ServerAddresses: [1.2.3.4, ...]
├── SearchDomains: []
└── SupplementalMatchDomains: []

​

Android DNS Management

​

Implementation

VpnService.Builder.addDnsServer(InetAddress)

• Sets DNS servers for VPN interface
• System routes DNS through VPN automatically
• No direct DNS configuration needed
• Exempt traffic (connectivity checks) bypasses DNS settings

​

Split Tunneling

• Not routed through VPN
• Use DHCP or manually configured DNS
• Behave as if VPN disconnected

​

iOS DNS Management

​

Implementation

NETunnelProviderProtocol.dnsSettings = NEDNSSettings(servers: [...])

• Sets DNS servers for tunnel
• System enforces DNS routing
• Cannot be bypassed by apps
• Local network DNS accessible

​

DNS in Firewall States

​

Disconnected State

• Uses system default DNS (ISP or DHCP)
• No restrictions applied

• All DNS blocked
• Behaves like Error state

​

Connecting State

• All DNS blocked via firewall
• Exception: relay endpoint (if on port 53)
• Prevents leaks during setup

​

Connected State

• DNS to relay server only
• Blocked on non-tunnel interfaces

• DNS to specified servers through tunnel
• All other DNS blocked

• DNS to private IPs on non-tunnel interfaces
• Example: 192.168.1.1 for local DNS

​

Error State

• All DNS blocked
• API access exception (for daemon)
• Prevents all leaks

​

DNS Configuration Flow

​

Setting DNS

1. Daemon receives tunnel config
2. Resolves DNS config (default or custom)
3. DnsMonitor applies platform-specific method
4. Firewall rules enforce DNS restrictions
5. Monitors for external changes (platform-dependent)

​

Restoring DNS

1. Daemon receives disconnect request
2. Firewall rules removed
3. DnsMonitor restores original settings
4. System DNS behavior returns to normal

​

Implementation Details

​

DnsMonitor Interface

pub trait DnsMonitorT {
    fn new() -> Result<Self, Self::Error>;
    fn set(&mut self, interface: &str, config: ResolvedDnsConfig) -> Result<(), Self::Error>;
    fn reset(&mut self) -> Result<(), Self::Error>;
    fn reset_before_interface_removal(&mut self) -> Result<(), Self::Error>;
}

​

State Management

let mut dns_monitor = DnsMonitor::new()?;

let config = DnsConfig::from_addresses(
    &[tunnel_dns],     // Through tunnel
    &[non_tunnel_dns]  // Outside tunnel (private IPs)
);
let resolved = config.resolve(&default_gateway);
dns_monitor.set(interface, resolved)?;

// Before removing interface
dns_monitor.reset_before_interface_removal()?;

// Or after interface removed  
dns_monitor.reset()?;

​

Environment Variables

​

All Platforms

# Force specific DNS method
TALPID_DNS_MODULE=method_name

​

macOS Only

# Disable local DNS proxy
TALPID_DISABLE_LOCAL_DNS_RESOLVER=1

# Never filter AAAA queries
TALPID_NEVER_FILTER_AAAA_QUERIES=1

​

Common Issues

​

systemd-resolved Conflicts

# Check resolved status
systemctl status systemd-resolved

# Force specific method if needed
export TALPID_DNS_MODULE=resolvconf

​

DNS Cache Stale Entries

• Windows: Automatically flushed via DnsFlushResolverCache
• Linux: systemd-resolved clears cache
• macOS: dscacheutil -flushcache

​

Private DNS Routing

• Enable “Allow LAN” setting
• Ensures traffic to private IPs allowed
• Routing manager adds necessary routes

​

Security Considerations

​

DNS Leak Prevention

1. DNS configuration - Only allows approved servers
2. Firewall rules - Blocks port 53 to other destinations
3. Routing - Ensures DNS traffic uses correct interface
4. Monitoring - Detects and corrects external changes

​

DNS in Split Tunneling

• DNS requests from all processes use tunnel
• Cannot be excluded per-process
• System DNS service not excluded

• Excluded apps use system DNS
• Requests bypass VPN entirely
• Behave as if VPN disconnected