In what order are DNS servers queried? I can set DNS servers in several ways: Wi-Fi/Cellular network interface via DHCP / manual entry in settings. Using NEDNSSettingsManager. Via DNSSettings in NEPacketTunnelNetworkSettings. Plus, on top of that, the user can have iCloud Relay enabled. Which DNS servers are used and when? Does NEDNSSettingsManager take precedence over iCloud Relay? Does it depend on the DNS protocol (Do53/DoH/DoT) set in NEDNSSettingsManager?

When the PAC is processed (specifically findProxyForURL() is run) - what is the best way to debug that? Some browsers provide ways to understand what is happening inside that function (ie. through alert() you can show values of specific variables as they are set during execution). Is there a way to debug the PAC processing on iOS? For instance by logging some user-controlled output to the console?

Hey! before we start sending data to NWUDPSession in our Network Extension, we're currently checking for a joined condition of: (status == .ready && isViable) and sometimes we see that the session gets stuck with status being ready, but isViable being false. Is it enough to just rely on the NWUDPSession.status == ready for sending data via the session?

I would like to use NSURLSession to fetch a given URL (using HTTPS), but I would like to specify the IP address that should be used for that connection. Similarly to what this does: curl https://www.google.com --resolve 172.217.16.46 How can I do that?

Hi! what is the best way to send a HTTPS (REST API) call from the Network Extension process, that will go through the tunnel that this NE set up? By default all connection triggered from the tunnel process don't go through this tunnel. Should I be using createTCPConnectionThroughTunnel to send the HTTPS request? Any suggestions on how to implement this are most welcome :) Thank you!

Hi! we're working on an app that provides a custom VPN protocol implementation. The main app uses the Network Extension with a PacketTunnelProvider. In certain cases the tunnel process needs to connect to the local DNS server, which appears to trigger the Local Network Privacy warning in iOS 14. What we're observing is that even if the user declines the "App would like to connect to devices on your local network" prompt, the Network Extension can still reach and query the local DNS resolver. It seems that even if the user pick "Don't allow" in the OS prompt, all communication with the local network devices from the Network Extension is still possible. Is that an expected behaviour in iOS 14? Or is there a chance that this will change with on of the coming iOS 14 beta releases and we should account for that?