I noticed that when I create a file without the search field from the extension, it works properly.
File: /private/etc/resolver/corp.conso.com
domain corp.conso.com
nameserver 2.2.2.2
We only encounter the issue when we add the search field to the file and create it from the system extension process.
Thank you for your response. I attempted to use NEDNSSettings within NETransparentProxyProvider, but it appears to be ignored.
This issue is also documented in the NETransparentProxyProvider.h class.
NEDNSSettings and NEProxySettings specified within NETransparentProxyNetworkSettings are ignored. Flows that match the includedNetworkRules within NETransparentProxyNetworkSettings will use the same DNS and proxy settings that other flows on the system are currently using.
Full detail in NETransparentProxyProvider.h
/*!
@interface NETransparentProxyProvider
@discussion The NETransparentProxyProvider class declares the programmatic interface for an object that implements the client side of a custom transparent network proxy solution.
The NETransparentProxyProvider class has the following behavior differences from its super class NEAppProxyProvider:
- Returning NO from handleNewFlow: and handleNewUDPFlow:initialRemoteEndpoint: causes the flow to proceed to communicate directly with the flow's ultimate destination, instead of closing the flow with a "Connection Refused" error.
- NEDNSSettings and NEProxySettings specified within NETransparentProxyNetworkSettings are ignored. Flows that match the includedNetworkRules within NETransparentProxyNetworkSettings will use the same DNS and proxy settings that other flows on the system are currently using.
- Flows that are created using a "connect by name" API (such as Network.framework or NSURLSession) that match the includedNetworkRules will not bypass DNS resolution.
NETransparentProxyProvider is part of NetworkExtension.framework
*/
Thank you for your response,
I attempted to use NEDNSSettingsManager, which requires either NEDNSOverHTTPSSettings or NEDNSOverTLSSettings for DNS configuration. Presently, our system does not support encrypted DNS. When I utilized only NEDNSSettings as indicated below, it generated the DNS setting in the filter, but it appears to be disabled (see attached screenshot).
NEDNSSettingsManager.shared().loadFromPreferences { error in
    if let error = error { print("loadFromPreferences failed: \(error)") }
    // Plain (unencrypted) DNS server; serverName only exists on NEDNSOverTLSSettings
    let dotSettings = NEDNSSettings(servers: ["1.2.3.4"])
    //dotSettings.serverName = "example.com"
    // Only queries for these domains are sent to the server above
    dotSettings.matchDomains = ["test.corp.com"]
    NEDNSSettingsManager.shared().dnsSettings = dotSettings
    NEDNSSettingsManager.shared().localizedDescription = "Test config"
    NEDNSSettingsManager.shared().saveToPreferences { error in
        if let error = error { print("saveToPreferences failed: \(error)") }
        // Reload so the manager reflects what was actually persisted
        NEDNSSettingsManager.shared().loadFromPreferences { error in
            if let error = error { print("reload failed: \(error)") }
        }
    }
}
In my scenario, I need to support custom DNS configurations for specific domains, each requiring a distinct DNS server. However, using NEDNSSettingsManager, I can only assign a single DNS server for multiple matched domains.
The file /etc/resolver/corp.conso.com is now working for me. Previously, I had been configuring the resolver file before setTunnelNetworkSettings, but now I'm configuring it after the tunnel settings and it is working as expected. I'm able to set a custom DNS server for a specific domain.
Looking at man 5 resolver, it does not talk about deprecation of /etc/resolver/, only of /etc/resolv.conf.
It also updates scutil --dns after adding the file /etc/resolver/corp.conso.com:
resolver #8
domain : corp.conso.com
nameserver[0] : 2.2.2.2
flags : Request A records, Request AAAA records
reach : 0x00000002 (Reachable)
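As an added example, not code from this thread or from Apple, the POSIX shell script below writes an /etc/resolver/<domain> file in the one-directive-per-line format of resolver(5), validates it before it is dropped into /etc/resolver, and, on macOS, shows the matching scutil --dns entry like the one quoted above. It covers both the file created in the first post and the scutil check in this one. The directory, domain and nameserver values are assumptions chosen for the demo; the demo writes to a scratch directory so it runs without root, and the directive names come from resolver(5).

```shell
#!/bin/sh
# Added example (not from the thread): build, validate and verify an
# /etc/resolver/<domain> file. Paths and addresses below are assumptions.

# is_ip_literal ADDR -> 0 if ADDR is a dotted-quad IPv4 or a (loosely checked) IPv6 literal
is_ip_literal() {
    addr=$1
    case $addr in
        *:*)
            # IPv6: only hex digits and colons are allowed
            case $addr in *[!0-9a-fA-F:]*) return 1 ;; esac
            return 0 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for oct; do
        case $oct in ''|*[!0-9]*) return 1 ;; esac
        [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# write_resolver_file DIR DOMAIN NAMESERVER [SEARCH]
# Writes DIR/DOMAIN with one directive per line, as resolver(5) expects.
write_resolver_file() {
    dir=$1; domain=$2; ns=$3; search=${4:-}
    mkdir -p "$dir"
    {
        printf 'domain %s\n' "$domain"
        printf 'nameserver %s\n' "$ns"
        if [ -n "$search" ]; then printf 'search %s\n' "$search"; fi
    } > "$dir/$domain"
}

# check_resolver_file FILE -> 0 if every non-comment line is a resolver(5)
# directive with the right number of arguments and each nameserver is an IP literal.
check_resolver_file() {
    file=$1
    [ -r "$file" ] || { echo "unreadable: $file"; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        set -- $line
        [ $# -eq 0 ] && continue
        case $1 in
            domain|port|timeout|search_order)
                [ $# -eq 2 ] || { echo "expected one argument: $line"; return 1; } ;;
            search|options|sortlist)
                [ $# -ge 2 ] || { echo "missing argument: $line"; return 1; } ;;
            nameserver)
                [ $# -eq 2 ] || { echo "one nameserver per line: $line"; return 1; }
                is_ip_literal "$2" || { echo "not an IP literal: $2"; return 1; } ;;
            *) echo "unknown directive: $line"; return 1 ;;
        esac
    done < "$file"
    return 0
}

# show_scutil_entry DOMAIN
# On macOS, prints the scutil --dns block for DOMAIN (compare the
# "resolver #8 / domain : corp.conso.com" output in the thread).
show_scutil_entry() {
    command -v scutil >/dev/null 2>&1 || { echo "scutil not available here"; return 0; }
    scutil --dns | grep -A 4 -- "domain *: $1"
}

# Demo: a scratch directory stands in for /etc/resolver (constructed values)
demo_dir=$(mktemp -d)
write_resolver_file "$demo_dir" corp.example.test 192.0.2.53 corp.example.test
check_resolver_file "$demo_dir/corp.example.test" && echo "ok: $demo_dir/corp.example.test"
```

To use it for real, point write_resolver_file at /etc/resolver (as root), run check_resolver_file on the result, then show_scutil_entry with the domain to confirm the new resolver entry appears.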
For now, this is for managed devices.
We have tested with com.apple.dnsSettings.managed, and it takes precedence over /etc/resolver.
We will make a note that managed DNS settings take precedence over /etc/resolver
In com.apple.dnsSettings.managed, we are only able to set up encrypted DNS (TLS or HTTPS). Is there a way we can set up unencrypted DNS?
Sure, I will open a ticket and proceed with the '/etc/resolver' approach. I'll also make a note if someone has configured managed DNS.
Thanks,
Yes, this is my NE product, which crashed the system.
Filed a bug: FB13465634
Oh, my apologies for the confusion.
I'm referring to setTunnelNetworkSettings (https://developer.apple.com/documentation/networkextension/netunnelprovider/1406539-settunnelnetworksettings?language=objc).
I am utilizing NETransparentProxyProvider and configuring rules using NETransparentProxyNetworkSettings within setTunnelNetworkSettings and acquiring whole UDP traffic.
When I call setTunnelNetworkSettings, it always generates a DNS query for a domain that is already cached by the OS or browser within its TTL, which is correct.
My concern is that, when I stop the NETransparentProxyManager using stopVPNTunnel and set setTunnelNetworkSettings to nil, it refrains from re-issuing the DNS query until the DNS TTL time has passed.
Ideally, it should not utilize the DNS cache once we stop the tunnel, similar to when we call setTunnelNetworkSettings and it does not use the DNS cache and re-issues the DNS query.
@eskimo, We have tried saying "No" to everything, and still, Airdrop is not working. I will raise a ticket with Apple.
@meaton: Could you please suggest here?
@meaton, thanks for the reply,
Is there a way to remove DNS cache?
I tried sudo killall -HUP mDNSResponder, but it only removed the system DNS cache.
There is also the browser cache (Chrome) that remains unaffected, and it will persist until its TTL expires.
When we switch off the WIFI and then enable it again, all DNS caches, including the browser cache (Chrome), are cleared. Is there anything else we can try to remove the DNS cache?
Hi @eskimo,
We tried acquiring whole UDP/TCP traffic with NETrafficDirectionInbound, but we are not getting anything in handleNewUDPFlow or handleNewFlow.
Also, we have tried to set NETrafficDirectionAny, but nothing is coming in handleNewUDPFlow or handleNewFlow.
Could you please suggest?
Hi @eskimo,
We attempted to capture all TCP/UDP traffic using NETrafficDirectionInbound or NETrafficDirectionAny, but we did not receive any data in handleNewUDPFlow(...) or handleNewFlow(...).
Hi @eskimo,
We have tried the code provided above and we have observed outgoing packets on port 12345, but there are no incoming packets.
// Each entry is [address, prefix length]; prefix 0 means "every destination"
NSArray<NSArray *> *includedNetworks = @[
    @[@"0.0.0.0", @0],   // all IPv4 destinations
    @[@"::", @0]         // all IPv6 destinations
];
NSMutableArray<NENetworkRule *> *networkRules = [NSMutableArray array];
for (NSArray *network in includedNetworks) {
    NSString *addr = network[0];
    NSNumber *prefix = network[1];
    // Match TCP flows whose destination port is 12345 inside the network
    NWHostEndpoint *endpoint = [NWHostEndpoint endpointWithHostname:addr port:@"12345"];
    NENetworkRule *networkRule = [[NENetworkRule alloc] initWithDestinationNetwork:endpoint
                                                                            prefix:prefix.intValue
                                                                          protocol:NENetworkRuleProtocolTCP];
    [networkRules addObject:networkRule];
}
settings.includedNetworkRules = networkRules;
Hi @eskimo,
Sorry for the confusion; I was referring specifically to the flow.
I attempted the settings below in order to receive incoming flow.
// Inbound TCP flows from any remote address to local port 12345
NENetworkRule *dnsInboundTraffic = [[NENetworkRule alloc] initWithRemoteNetwork:nil
                                                                   remotePrefix:0
                                                                   localNetwork:[NWHostEndpoint endpointWithHostname:@"0.0.0.0" port:@"12345"]
                                                                    localPrefix:0
                                                                       protocol:NENetworkRuleProtocolTCP
                                                                      direction:NETrafficDirectionInbound];
settings.includedNetworkRules = @[dnsInboundTraffic];
But I'm not receiving incoming flow; it is functioning correctly for outgoing flow.
Please correct me if I'm doing anything wrong while creating the NENetworkRule.