@@ -1223,13 +1223,14 @@ win_wfp_block_dns (const NET_IFINDEX index)

     /* Prepare filter. */

     Filter.subLayerKey = SubLayer.subLayerKey;

     Filter.displayData.name = FIREWALL_NAME;

-    Filter.weight.type = FWP_EMPTY;

+    Filter.weight.type = FWP_UINT8;

+    Filter.weight.uint8 = 0xF;

     Filter.filterCondition = Condition;

     Filter.numFilterConditions = 2;

-    /* First filter. Block IPv4 DNS queries except from OpenVPN itself. */

+    /* First filter. Permit IPv4 DNS queries from OpenVPN itself. */

     Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;

-    Filter.action.type = FWP_ACTION_BLOCK;

+    Filter.action.type = FWP_ACTION_PERMIT;

     Condition[0].fieldKey = FWPM_CONDITION_IP_REMOTE_PORT;

     Condition[0].matchType = FWP_MATCH_EQUAL;

@@ -1237,26 +1238,44 @@ win_wfp_block_dns (const NET_IFINDEX index)

     Condition[0].conditionValue.uint16 = 53;

     Condition[1].fieldKey = FWPM_CONDITION_ALE_APP_ID;

-    Condition[1].matchType = FWP_MATCH_NOT_EQUAL;

+    Condition[1].matchType = FWP_MATCH_EQUAL;

     Condition[1].conditionValue.type = FWP_BYTE_BLOB_TYPE;

     Condition[1].conditionValue.byteBlob = openvpnblob;

     /* Add filter condition to our interface. */

     if (!win_wfp_add_filter(m_hEngineHandle, &Filter, NULL, &filterid))

         goto err;

-    dmsg (D_LOW, "Filter (Block IPv4 DNS) added with ID=%I64d", filterid);

+    dmsg (D_LOW, "Filter (Permit OpenVPN IPv4 DNS) added with ID=%I64d", filterid);

-    /* Second filter. Block IPv6 DNS queries except from OpenVPN itself. */

+    /* Second filter. Permit IPv6 DNS queries from OpenVPN itself. */

     Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6;

     /* Add filter condition to our interface. */

     if (!win_wfp_add_filter(m_hEngineHandle, &Filter, NULL, &filterid))

         goto err;

+    dmsg (D_LOW, "Filter (Permit OpenVPN IPv6 DNS) added with ID=%I64d", filterid);

+

+    /* Third filter. Block all IPv4 DNS queries. */

+    Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;

+    Filter.action.type = FWP_ACTION_BLOCK;

+    Filter.weight.type = FWP_EMPTY;

+    Filter.numFilterConditions = 1;

+

+    if (!win_wfp_add_filter(m_hEngineHandle, &Filter, NULL, &filterid))

+        goto err;

+    dmsg (D_LOW, "Filter (Block IPv4 DNS) added with ID=%I64d", filterid);

+

+    /* Forth filter. Block all IPv6 DNS queries. */

+    Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6;

+

+    if (!win_wfp_add_filter(m_hEngineHandle, &Filter, NULL, &filterid))

+        goto err;

     dmsg (D_LOW, "Filter (Block IPv6 DNS) added with ID=%I64d", filterid);

-    /* Third filter. Permit IPv4 DNS queries from TAP. */

+    /* Fifth filter. Permit IPv4 DNS queries from TAP. */

     Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V4;

     Filter.action.type = FWP_ACTION_PERMIT;

+    Filter.numFilterConditions = 2;

     Condition[1].fieldKey = FWPM_CONDITION_IP_LOCAL_INTERFACE;

     Condition[1].matchType = FWP_MATCH_EQUAL;

@@ -1268,7 +1287,7 @@ win_wfp_block_dns (const NET_IFINDEX index)

         goto err;

     dmsg (D_LOW, "Filter (Permit IPv4 DNS queries from TAP) added with ID=%I64d", filterid);

-    /* Forth filter. Permit IPv6 DNS queries from TAP. */

+    /* Sixth filter. Permit IPv6 DNS queries from TAP. */

     Filter.layerKey = FWPM_LAYER_ALE_AUTH_CONNECT_V6;

     /* Add filter condition to our interface. */