Reply to [macOS] Encountering DNS cache issues while using NETransparentProxyProvider.
Oh, my apologies for the confusion. I'm referring to setTunnelNetworkSettings (https://developer.apple.com/documentation/networkextension/netunnelprovider/1406539-settunnelnetworksettings?language=objc). I am utilizing NETransparentProxyProvider and configuring rules using NETransparentProxyNetworkSettings within setTunnelNetworkSettings and acquiring whole UDP traffic. When setting setTunnelNetworkSettings, it always generates a DNS query for a domain that is already cached by the OS or browser using TTL time, which is correct. My concern is that, when I stop the NETransparentProxyManager using stopVPNTunnel and set setTunnelNetworkSettings to nil, it refrains from re-issuing the DNS query until the DNS TTL time has passed. Ideally, it should not utilize the DNS cache once we stop the tunnel, similar to when we set setTunnelNetworkSettings and it does not use the DNS cache and re-issues the DNS query.
Jan ’24
Reply to [macOS] need to support domain specific dns server (custom DNS)
Thank you for your response. I attempted to use NEDNSSettingsManager, which requires either NEDNSOverHTTPSSettings or NEDNSOverTLSSettings for DNS configuration. Presently, our system does not support encrypted DNS. When I utilized only NEDNSSettings as indicated below, it generated the DNS setting in the filter, but it appears to be disabled (see attached screenshot).

```swift
import NetworkExtension

// Load the current configuration before modifying it.
NEDNSSettingsManager.shared().loadFromPreferences { error in
    if let error = error { print("load failed: \(error)"); return }
    // Plain (unencrypted) DNS; the server address is a placeholder.
    let dotSettings = NEDNSSettings(servers: ["1.2.3.4"])
    //dotSettings.serverName = "example.com"
    // Only queries for these domains go to the server above.
    dotSettings.matchDomains = ["test.corp.com"]
    NEDNSSettingsManager.shared().dnsSettings = dotSettings
    NEDNSSettingsManager.shared().localizedDescription = "Test config"
    // Persist the configuration, then reload it to inspect the saved state.
    NEDNSSettingsManager.shared().saveToPreferences { error in
        if let error = error { print("save failed: \(error)"); return }
        NEDNSSettingsManager.shared().loadFromPreferences { error in
        }
    }
}
```

In my scenario, I need to support custom DNS configurations for specific domains, each requiring a distinct DNS server. However, using NEDNSSettingsManager, I can only assign a single DNS server for multiple matched domains.

The file /etc/resolver/corp.conso.com is now working for me. Previously, I had been configuring the resolver file before setTunnelNetworkSettings, but now I'm configuring it after the tunnel settings and it is working as expected. I'm able to set custom DNS for a specific domain. Looking at man 5 resolver, it does not talk about deprecation of /etc/resolver/, but only of /etc/resolv.conf. It also updates the scutil --dns output after adding the file /etc/resolver/corp.conso.com:

```
resolver #8
  domain   : corp.conso.com
  nameserver[0] : 2.2.2.2
  flags    : Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)
```
Dec ’23
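As an added example (not code from the thread or from Apple), here is a small POSIX shell script covering the two steps described in the reply above: writing a per-domain resolver file in the `nameserver <ip>` form that man 5 resolver documents, and checking `scutil --dns` output for the resulting resolver entry. The function names, the scratch directory and the sample scutil output are constructed for illustration; on a real system the file goes under /etc/resolver and the check is fed by `scutil --dns` itself.

```shell
#!/bin/sh
# Added example, not from the forum thread. Function names, the scratch
# directory and the sample scutil output below are constructed for illustration.

# Print the nameservers listed under the `scutil --dns` resolver block whose
# "domain :" line equals $1. Reads the scutil output from stdin; prints nothing
# when no such block exists (search-domain blocks are not matched).
resolver_nameservers() {
    awk -v want="$1" '
        /^resolver #/ { dom = ""; next }                 # new block: reset
        $1 == "domain" { dom = $3; next }                # "domain : <name>"
        dom == want && $1 ~ /^nameserver\[[0-9]+\]$/ { print $3 }
    '
}

# Write <dir>/<domain> with one "nameserver <ip>" line per server. Every value
# is validated first: a file in this directory redirects all queries for that
# domain, so nothing from untrusted input should reach it unchecked.
write_resolver_file() {
    dir=$1; domain=$2; shift 2
    echo "$domain" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$' \
        || { echo "rejected domain: $domain" >&2; return 1; }
    [ $# -gt 0 ] || { echo "no nameserver given" >&2; return 1; }
    for ns in "$@"; do
        # dotted-quad IPv4 only; anything else is rejected
        echo "$ns" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
            || { echo "rejected nameserver: $ns" >&2; return 1; }
    done
    mkdir -p "$dir" || return 1
    { for ns in "$@"; do printf 'nameserver %s\n' "$ns"; done; } > "$dir/$domain" \
        && chmod 644 "$dir/$domain"
}

# Constructed sample of `scutil --dns` output after the resolver file exists.
SAMPLE_SCUTIL_DNS='DNS configuration

resolver #1
  search domain[0] : home.arpa
  nameserver[0] : 192.168.1.1
  if_index : 4 (en0)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)

resolver #8
  domain   : corp.conso.com
  nameserver[0] : 2.2.2.2
  flags    : Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)'

# Demo: write into a scratch directory (use /etc/resolver for real, as root),
# then look the domain up in the sample scutil output.
scratch=$(mktemp -d)
write_resolver_file "$scratch" corp.conso.com 2.2.2.2 && cat "$scratch/corp.conso.com"
printf '%s\n' "$SAMPLE_SCUTIL_DNS" | resolver_nameservers corp.conso.com
# On a live system: scutil --dns | resolver_nameservers corp.conso.com
rm -rf "$scratch"
```

The second function is also a cheap audit: piping the live `scutil --dns` through it for each file under /etc/resolver shows whether every entry the system honours is one you put there, which matters because any such file silently redirects all queries for its domain.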
Reply to [macOS] need to support domain specific dns server (custom DNS)
Thank you for your response. I attempted to use NEDNSSettings within NETransparentProxyProvider, but it appears to be ignored. This issue is also documented in the NETransparentProxyProvider.h class:

NEDNSSettings and NEProxySettings specified within NETransparentProxyNetworkSettings are ignored. Flows that match the includedNetworkRules within NETransparentProxyNetworkSettings will use the same DNS and proxy settings that other flows on the system are currently using.

Full detail in NETransparentProxyProvider.h:

```objc
/*!
 * @interface NETransparentProxyProvider
 * @discussion The NETransparentProxyProvider class declares the programmatic interface for an object that implements the client side of a custom transparent network proxy solution.
 *
 * The NETransparentProxyProvider class has the following behavior differences from its super class NEAppProxyProvider:
 *
 * - Returning NO from handleNewFlow: and handleNewUDPFlow:initialRemoteEndpoint: causes the flow to proceed to communicate directly with the flow's ultimate destination, instead of closing the flow with a "Connection Refused" error.
 *
 * - NEDNSSettings and NEProxySettings specified within NETransparentProxyNetworkSettings are ignored. Flows that match the includedNetworkRules within NETransparentProxyNetworkSettings will use the same DNS and proxy settings that other flows on the system are currently using.
 *
 * - Flows that are created using a "connect by name" API (such as Network.framework or NSURLSession) that match the includedNetworkRules will not bypass DNS resolution.
 *
 * NETransparentProxyProvider is part of NetworkExtension.framework
 */
```
Dec ’23