Add AllowDefaultDNSResolverWithBindToDevice

MobileLibrary/iOS/PsiphonTunnel/PsiphonTunnel/PsiphonTunnel.m

@@ -823,6 +823,12 @@ + (NSString * _Nullable)buildPsiphonConfig:(id _Nonnull)configObject
     // Indicate whether UseNoticeFiles is set
     *usingNoticeFiles = (config[@"UseNoticeFiles"] != nil);
 
+    // For iOS VPN, the standard library system resolver will automatically be
+    // routed outside the VPN.
+    if (*tunnelWholeDevice) {
+        config[@"AllowDefaultDNSResolverWithBindToDevice"] = @YES;
+    }
+
     NSString *finalConfigStr = [[[SBJson4Writer alloc] init] stringWithObject:config];
 
     if (finalConfigStr == nil) {
@@ -1242,13 +1248,15 @@ - (NSString *)bindToDevice:(long)fileDescriptor error:(NSError **)error {
 }
 
 - (NSString *)getDNSServersAsString {
-    // TODO: Implement correctly
 
     if (atomic_load(&self->useInitialDNS)) {
         return self->initialDNSCache;
     } else {
-        // Alternate DNS servers will be provided by psiphon-tunnel-core
-        // config or tactics.
+        // Alternate DNS servers may be provided by psiphon-tunnel-core config
+        // or tactics, or the system default resolver may be used (Go on iOS
+        // uses the C standard library resolver via CGO, and iOS ensures
+        // those calls are routed outside of the VPN when invoked from a VPN
+        // extension).
         return @"";
     }
 }
@@ -1470,11 +1478,11 @@ - (void)internetReachabilityChanged:(NSNotification *)note {
     // bootstrapped. See comment in startInternetReachabilityMonitoring.
     @synchronized (PsiphonTunnel.self) {
         // Invalidate initialDNSCache due to limitations documented in
-        // getDNSServers.
+        // getSystemDNSServers.
         //
         // TODO: consider at least reverting to using the initialDNSCache when a
         // new network ID matches the initial network ID -- i.e., when the device
-        // is back on the initial network -- even though those DNS server _may_
+        // is back on the initial network -- even though those DNS servers _may_
         // have changed.
         atomic_store(&self->useInitialDNS, FALSE);
 

psiphon/common/resolver/resolver.go

@@ -68,6 +68,11 @@ type NetworkConfig struct {
 	// excluded from VPN routing. BindToDevice may be nil.
 	BindToDevice func(fd int) (string, error)
 
+	// AllowDefaultResolverWithBindToDevice indicates that it's safe to use
+	// the default resolver when BindToDevice is configured, as the host OS
+	// will automatically exclude DNS requests from the VPN.
+	AllowDefaultResolverWithBindToDevice bool
+
 	// IPv6Synthesize should apply NAT64 synthesis to the input IPv4 address,
 	// returning a synthesized IPv6 address that will route to the same
 	// endpoint. IPv6Synthesize may be nil.
@@ -130,7 +135,7 @@ type NetworkConfig struct {
 func (c *NetworkConfig) allowDefaultResolver() bool {
 	// When BindToDevice is configured, the standard library resolver is not
 	// used, as the system resolver may not route outside of the VPN.
-	return c.BindToDevice == nil
+	return c.BindToDevice == nil || c.AllowDefaultResolverWithBindToDevice
 }
 
 func (c *NetworkConfig) logWarning(err error) {

psiphon/config.go

@@ -283,6 +283,11 @@ type Config struct {
 	// when reporting ClientFeatures.
 	DeviceBinder DeviceBinder
 
+	// AllowDefaultDNSResolverWithBindToDevice indicates that it's safe to use
+	// the default resolver when DeviceBinder is configured, as the host OS
+	// will automatically exclude DNS requests from the VPN.
+	AllowDefaultDNSResolverWithBindToDevice bool
+
 	// IPv6Synthesizer is an interface that allows tunnel-core to call into
 	// the host application to synthesize IPv6 addresses. See: IPv6Synthesizer
 	// doc.

psiphon/net.go

@@ -342,6 +342,8 @@ func NewResolver(config *Config, useBindToDevice bool) *resolver.Resolver {
 
 	if useBindToDevice && config.DeviceBinder != nil {
 		networkConfig.BindToDevice = config.DeviceBinder.BindToDevice
+		networkConfig.AllowDefaultResolverWithBindToDevice =
+			config.AllowDefaultDNSResolverWithBindToDevice
 	}
 
 	if config.IPv6Synthesizer != nil {