From 93cc5a4b2c7167d64290fbe448ed5e78033dbff2 Mon Sep 17 00:00:00 2001
From: Quentin McGaw
Date: Mon, 29 Jun 2026 05:15:41 +0000
Subject: [PATCH] chore(dns): deprecate `BLOCK_SURVEILLANCE`
---
 Dockerfile | 1 -
 README.md | 2 +-
 internal/configuration/settings/deprecated.go | 1 +
 internal/configuration/settings/dnsblacklist.go | 12 ------------
 internal/configuration/settings/settings_test.go | 3 +--
 5 files changed, 3 insertions(+), 16 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 3b7d68e8..d7a7a316 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -218,7 +218,6 @@ ENV VPN_SERVICE_PROVIDER=pia \
 DNS_CACHING=on \
 DNS_UPSTREAM_IPV6=off \
 BLOCK_MALICIOUS=on \
- BLOCK_SURVEILLANCE=off \
 BLOCK_ADS=off \
 DNS_UNBLOCK_HOSTNAMES= \
 DNS_REBINDING_PROTECTION_EXEMPT_HOSTNAMES= \
diff --git a/README.md b/README.md
index 8e446faa..37d29627 100644
--- a/README.md
+++ b/README.md
@@ -69,7 +69,7 @@ Lightweight swiss-army-knife-like VPN client to multiple VPN service providers
 - More in progress, see [#134](https://github.com/passteque/gluetun/issues/134)
 - Supports AmneziaWG only with the custom provider for now
 - DNS over TLS baked in with service provider(s) of your choice
-- DNS fine blocking of malicious/ads/surveillance hostnames and IP addresses, with live update every 24 hours
+- DNS fine blocking of malicious/ads hostnames and IP addresses, with live update every 24 hours
 - Choose the vpn network protocol, `udp` or `tcp`
 - Built in firewall kill switch to allow traffic only with needed the VPN servers and LAN devices
 - Built in Shadowsocks proxy server (protocol based on SOCKS5 with an encryption layer, tunnels TCP+UDP)
diff --git a/internal/configuration/settings/deprecated.go b/internal/configuration/settings/deprecated.go
index f029018f..0317f498 100644
--- a/internal/configuration/settings/deprecated.go
+++ b/internal/configuration/settings/deprecated.go
@@ -16,6 +16,7 @@ func readObsolete(r *reader.Reader) (warnings []string) {
 "HEALTH_VPN_DURATION_ADDITION": "HEALTH_VPN_DURATION_ADDITION is obsolete",
 "DNS_KEEP_NAMESERVER": "DNS_KEEP_NAMESERVER is obsolete because you should use the built-in server which now " +
 "forwards local names to private DNS resolvers found in /etc/resolv.conf at container start",
+ "BLOCK_SURVEILLANCE": "BLOCK_SURVEILLANCE is obsolete because its DNS block lists are not longer maintained",
 }
 sortedKeys := slices.Collect(maps.Keys(keyToMessage))
 slices.Sort(sortedKeys)
diff --git a/internal/configuration/settings/dnsblacklist.go b/internal/configuration/settings/dnsblacklist.go
index c15704e8..91034c07 100644
--- a/internal/configuration/settings/dnsblacklist.go
+++ b/internal/configuration/settings/dnsblacklist.go
@@ -16,7 +16,6 @@ import (
 type DNSBlacklist struct {
 BlockMalicious *bool
 BlockAds *bool
- BlockSurveillance *bool
 AllowedHosts []string
 AddBlockedHosts []string
 AddBlockedIPs []netip.Addr
@@ -31,7 +30,6 @@ type DNSBlacklist struct {
 func (b *DNSBlacklist) setDefaults() {
 b.BlockMalicious = gosettings.DefaultPointer(b.BlockMalicious, true)
 b.BlockAds = gosettings.DefaultPointer(b.BlockAds, false)
- b.BlockSurveillance = gosettings.DefaultPointer(b.BlockSurveillance, true)
 }

 var hostRegex = regexp.MustCompile(`^([a-zA-Z0-9]|[a-zA-Z0-9_][a-zA-Z0-9\-_]{0,61}[a-zA-Z0-9_])(\.([a-zA-Z0-9]|[a-zA-Z0-9_][a-zA-Z0-9\-_]{0,61}[a-zA-Z0-9]))*$`) //nolint:lll
@@ -65,7 +63,6 @@ func (b DNSBlacklist) copy() (copied DNSBlacklist) {
 return DNSBlacklist{
 BlockMalicious: gosettings.CopyPointer(b.BlockMalicious),
 BlockAds: gosettings.CopyPointer(b.BlockAds),
- BlockSurveillance: gosettings.CopyPointer(b.BlockSurveillance),
 AllowedHosts: gosettings.CopySlice(b.AllowedHosts),
 AddBlockedHosts: gosettings.CopySlice(b.AddBlockedHosts),
 AddBlockedIPs: gosettings.CopySlice(b.AddBlockedIPs),
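Review bot: The `readObsolete` entry added in `deprecated.go` covers only `BLOCK_SURVEILLANCE`, while the read code this commit removes from `dnsblacklist.go` also accepted the retro key `BLOCK_NSA`, so a deployment that still sets `BLOCK_NSA` would presumably lose this DNS filter without any warning. Because a protective block list is being dropped, consider adding `"BLOCK_NSA": "BLOCK_NSA is obsolete because its DNS block lists are no longer maintained",` next to the new entry. The new message also contains a typo: `are not longer maintained` should read `are no longer maintained`. The body of readObsolete continues outside the hunk, so how a set key becomes a warning is not visible here and should be confirmed.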
@@ -77,7 +74,6 @@ func (b DNSBlacklist) copy() (copied DNSBlacklist) {
 func (b *DNSBlacklist) overrideWith(other DNSBlacklist) {
 b.BlockMalicious = gosettings.OverrideWithPointer(b.BlockMalicious, other.BlockMalicious)
 b.BlockAds = gosettings.OverrideWithPointer(b.BlockAds, other.BlockAds)
- b.BlockSurveillance = gosettings.OverrideWithPointer(b.BlockSurveillance, other.BlockSurveillance)
 b.AllowedHosts = gosettings.OverrideWithSlice(b.AllowedHosts, other.AllowedHosts)
 b.AddBlockedHosts = gosettings.OverrideWithSlice(b.AddBlockedHosts, other.AddBlockedHosts)
 b.AddBlockedIPs = gosettings.OverrideWithSlice(b.AddBlockedIPs, other.AddBlockedIPs)
@@ -93,7 +89,6 @@ func (b DNSBlacklist) ToBlockBuilderSettings(client *http.Client) (
 Client: client,
 BlockMalicious: b.BlockMalicious,
 BlockAds: b.BlockAds,
- BlockSurveillance: b.BlockSurveillance,
 AllowedHosts: b.AllowedHosts,
 AddBlockedHosts: b.AddBlockedHosts,
 AddBlockedIPs: b.AddBlockedIPs,
@@ -110,7 +105,6 @@ func (b DNSBlacklist) toLinesNode() (node *gotree.Node) {

 node.Appendf("Block malicious: %s", gosettings.BoolToYesNo(b.BlockMalicious))
 node.Appendf("Block ads: %s", gosettings.BoolToYesNo(b.BlockAds))
- node.Appendf("Block surveillance: %s", gosettings.BoolToYesNo(b.BlockSurveillance))

 if len(b.AllowedHosts) > 0 {
 allowedHostsNode := node.Append("Allowed hosts:")
@@ -156,12 +150,6 @@ func (b *DNSBlacklist) read(r *reader.Reader) (err error) {
 return err
 }

- b.BlockSurveillance, err = r.BoolPtr("BLOCK_SURVEILLANCE",
- reader.RetroKeys("BLOCK_NSA"))
- if err != nil {
- return err
- }
-
 b.BlockAds, err = r.BoolPtr("BLOCK_ADS")
 if err != nil {
 return err
diff --git a/internal/configuration/settings/settings_test.go b/internal/configuration/settings/settings_test.go
index 96ea4358..6adffdac 100644
--- a/internal/configuration/settings/settings_test.go
+++ b/internal/configuration/settings/settings_test.go
@@ -59,8 +59,7 @@ func Test_Settings_String(t *testing.T) {
 | ├── Update period: every 24h0m0s
 | └── DNS filtering settings:
 | ├── Block malicious: yes
-| ├── Block ads: no
-| └── Block surveillance: yes
+| └── Block ads: no
 ├── Firewall settings:
 | ├── Enabled: yes
 | └── Iptables settings: