Reply to [macOS] need to support domain specific dns server (custom DNS)
Thank you for your response. I attempted to use NEDNSSettings within NETransparentProxyProvider, but it appears to be ignored. This issue is also documented in the NETransparentProxyProvider.h class: NEDNSSettings and NEProxySettings specified within NETransparentProxyNetworkSettings are ignored. Flows that match the includedNetworkRules within NETransparentProxyNetworkSettings will use the same DNS and proxy settings that other flows on the system are currently using.

Full detail in NETransparentProxyProvider.h:

```objective-c
/*!
 * @interface NETransparentProxyProvider
 * @discussion The NETransparentProxyProvider class declares the programmatic interface for an object
 * that implements the client side of a custom transparent network proxy solution.
 *
 * The NETransparentProxyProvider class has the following behavior differences from its super class
 * NEAppProxyProvider:
 *   - Returning NO from handleNewFlow: and handleNewUDPFlow:initialRemoteEndpoint: causes the flow to
 *     proceed to communicate directly with the flow's ultimate destination, instead of closing the flow
 *     with a "Connection Refused" error.
 *   - NEDNSSettings and NEProxySettings specified within NETransparentProxyNetworkSettings are ignored.
 *     Flows that match the includedNetworkRules within NETransparentProxyNetworkSettings will use the
 *     same DNS and proxy settings that other flows on the system are currently using.
 *   - Flows that are created using a "connect by name" API (such as Network.framework or NSURLSession)
 *     that match the includedNetworkRules will not bypass DNS resolution.
 *
 * NETransparentProxyProvider is part of NetworkExtension.framework
 */
```
Dec ’23
Reply to [macOS] need to support domain specific dns server (custom DNS)
Thank you for your response. I attempted to use NEDNSSettingsManager, which requires either NEDNSOverHTTPSSettings or NEDNSOverTLSSettings for DNS configuration. Presently, our system does not support encrypted DNS. When I utilized only NEDNSSettings as indicated below, it generated the DNS setting in the filter, but it appears to be disabled (see attached screenshot).

```swift
import NetworkExtension

// Load the current preferences, then replace them with a plain (unencrypted)
// NEDNSSettings entry scoped to a single match domain and save the result.
NEDNSSettingsManager.shared().loadFromPreferences { error in
    let dotSettings = NEDNSSettings(servers: ["1.2.3.4"])
    //dotSettings.serverName = "example.com"
    dotSettings.matchDomains = ["test.corp.com"]
    NEDNSSettingsManager.shared().dnsSettings = dotSettings
    NEDNSSettingsManager.shared().localizedDescription = "Test config"
    NEDNSSettingsManager.shared().saveToPreferences { error in
        // Reload so the in-memory manager reflects what was persisted.
        NEDNSSettingsManager.shared().loadFromPreferences { error in
        }
    }
}
```

In my scenario, I need to support custom DNS configurations for specific domains, each requiring a distinct DNS server. However, using NEDNSSettingsManager, I can only assign a single DNS server for multiple matched domains.

The file /etc/resolver/corp.conso.com is now working for me. Previously, I had been configuring the resolver file before setTunnelNetworkSettings, but now I'm configuring it after the tunnel settings and it is working as expected. I'm able to set custom DNS for a specific domain. Looking at man 5 resolver, it does not talk about deprecation of /etc/resolver/, but only of /etc/resolv.conf. It also updates the scutil --dns output after adding the file to /etc/resolver/corp.conso.com:

```
resolver #8
  domain   : corp.conso.com
  nameserver[0] : 2.2.2.2
  flags    : Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)
```
Dec ’23
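The per-domain resolver file described in the reply above, as an added example that is not the poster's code or Apple's: it writes a file in the man 5 resolver format (one `nameserver` line per server) and checks the result by parsing `scutil --dns` output for the matching `domain :` block. The domain corp.conso.com and nameserver 2.2.2.2 are taken from the post; the second nameserver 2.2.2.3, the `RESOLVER_DIR` variable (a scratch directory by default, `/etc/resolver` on a real Mac, which needs root) and the embedded `scutil --dns` sample are constructed for the example. The domain is validated before it is used as a file name, since a value like `../evil` would otherwise write outside the resolver directory.

```shell
#!/bin/sh
# Added example: manage a /etc/resolver/<domain> file and verify it via scutil --dns.
# RESOLVER_DIR defaults to a temporary directory so the script runs without root;
# set RESOLVER_DIR=/etc/resolver (and run with sudo) to affect the live system.
RESOLVER_DIR="${RESOLVER_DIR:-$(mktemp -d)}"

# write_resolver_file DIR DOMAIN NAMESERVER [NAMESERVER...]
# Writes DIR/DOMAIN containing one "nameserver <addr>" line per server, the
# format man 5 resolver documents for per-domain resolver files. Prints the path.
write_resolver_file() {
    if [ $# -lt 3 ]; then
        echo "usage: write_resolver_file DIR DOMAIN NAMESERVER..." >&2
        return 1
    fi
    dir="$1"; domain="$2"; shift 2
    # The domain becomes a file name: reject empty values, path separators
    # and dot-prefixed names so a bad config cannot escape the directory.
    case "$domain" in
        ""|*/*|.*) echo "invalid domain: $domain" >&2; return 1 ;;
    esac
    mkdir -p "$dir"
    : > "$dir/$domain"
    for ns in "$@"; do
        printf 'nameserver %s\n' "$ns" >> "$dir/$domain"
    done
    echo "$dir/$domain"
}

# resolver_nameservers DOMAIN < scutil_output
# Prints the nameserver[N] values from the `scutil --dns` resolver block whose
# "domain :" line equals DOMAIN, one per line. Prints nothing if no block matches.
resolver_nameservers() {
    awk -v want="$1" '
        /^resolver #/ { inblock = 0; next }
        /^[ \t]*domain[ \t]*:/ {
            sub(/^[ \t]*domain[ \t]*:[ \t]*/, "")
            inblock = ($0 == want)
            next
        }
        inblock && /^[ \t]*nameserver\[[0-9]+\][ \t]*:/ {
            sub(/^[ \t]*nameserver\[[0-9]+\][ \t]*:[ \t]*/, "")
            print
        }
    '
}

# check_domain_resolver DOMAIN EXPECTED_NS < scutil_output
# Succeeds when EXPECTED_NS is one of the nameservers scutil reports for DOMAIN.
check_domain_resolver() {
    resolver_nameservers "$1" | grep -qx "$2"
}

# Constructed sample of `scutil --dns` output (not captured from a real machine).
SAMPLE_SCUTIL='DNS configuration

resolver #1
  search domain[0] : lan
  nameserver[0] : 192.168.1.1
  flags    : Request A records, Request AAAA records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #8
  domain   : corp.conso.com
  nameserver[0] : 2.2.2.2
  nameserver[1] : 2.2.2.3
  flags    : Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)
'

if [ "${1:-}" = "--demo" ]; then
    f=$(write_resolver_file "$RESOLVER_DIR" corp.conso.com 2.2.2.2 2.2.2.3)
    echo "wrote $f:"; cat "$f"
    echo "nameservers for corp.conso.com in sample scutil output:"
    printf '%s' "$SAMPLE_SCUTIL" | resolver_nameservers corp.conso.com
    # On macOS, check the live configuration instead of the sample:
    #   scutil --dns | check_domain_resolver corp.conso.com 2.2.2.2 && echo OK
fi
```

Run with `--demo` to see the generated file and the parsed nameservers; on a Mac, pipe the real `scutil --dns` into `check_domain_resolver` after creating the file to confirm the system picked it up.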
Reply to [macOS] Encountering DNS cache issues while using NETransparentProxyProvider.
Oh, my apologies for the confusion. I'm referring to setTunnelNetworkSettings (https://developer.apple.com/documentation/networkextension/netunnelprovider/1406539-settunnelnetworksettings?language=objc). I am utilizing NETransparentProxyProvider, configuring rules using NETransparentProxyNetworkSettings within setTunnelNetworkSettings, and capturing all UDP traffic. When calling setTunnelNetworkSettings, it always generates a DNS query for a domain that is already cached by the OS or browser within its TTL, which is correct. My concern is that, when I stop the NETransparentProxyManager using stopVPNTunnel and set setTunnelNetworkSettings to nil, it refrains from re-issuing the DNS query until the DNS TTL has passed. Ideally, it should not utilize the DNS cache once we stop the tunnel, similar to when we call setTunnelNetworkSettings and it does not use the DNS cache and re-issues the DNS query.
Jan ’24
Reply to [macOS] Encountering DNS cache issues while using NETransparentProxyProvider.
@meaton, thanks for the reply. Is there a way to remove the DNS cache? I tried sudo killall -HUP mDNSResponder, but it only removed the system DNS cache. There is also the browser cache (Chrome) that remains unaffected, and it will persist until its TTL expires. When we switch off the Wi-Fi and then enable it again, all DNS caches, including the browser cache (Chrome), are cleared. Is there anything else we can try to remove the DNS cache?
Feb ’24
Reply to [macOS] Wanted to capture inbound DNS traffic using NETransparentProxyProvider
Hi @eskimo, we have tried the code provided above and we have observed outgoing packets on port 12345, but there are no incoming packets.

```objective-c
// One destination rule per address family, matching any host (prefix 0) on TCP port 12345.
NSArray<NENetworkRule *> *includedNetworks = @[
    @[@"0.0.0.0", @0],
    @[@"::", @0]
];
NSMutableArray<NENetworkRule *> *networkRules = [NSMutableArray array];
for (NSArray *network in includedNetworks) {
    NSString *addr = network[0];
    NSNumber *prefix = network[1];
    NWHostEndpoint *endpoint = [NWHostEndpoint endpointWithHostname:addr port:@"12345"];
    NENetworkRule *networkRule = [[NENetworkRule alloc] initWithDestinationNetwork:endpoint
                                                                            prefix:prefix.intValue
                                                                          protocol:NENetworkRuleProtocolTCP];
    [networkRules addObject:networkRule];
}
// settings is the NETransparentProxyNetworkSettings passed to setTunnelNetworkSettings.
settings.includedNetworkRules = networkRules;
```
Feb ’24
Reply to [macOS] Wanted to capture inbound DNS traffic using NETransparentProxyProvider
Hi @eskimo, sorry for the confusion; I was referring specifically to the flow. I attempted the settings below in order to receive incoming flow.

```objective-c
// Inbound rule: any remote host, local TCP port 12345 on any local address.
NENetworkRule *dnsInboundTraffic =
    [[NENetworkRule alloc] initWithRemoteNetwork:nil
                                    remotePrefix:0
                                    localNetwork:[NWHostEndpoint endpointWithHostname:@"0.0.0.0" port:@"12345"]
                                     localPrefix:0
                                        protocol:NENetworkRuleProtocolTCP
                                       direction:NETrafficDirectionInbound];
settings.includedNetworkRules = @[dnsInboundTraffic];
```

But I'm not receiving incoming flow; it is functioning correctly for outgoing flow. Please correct me if I'm doing anything wrong while creating the NENetworkRule.
Feb ’24