getaddrinfo blocked in App Proxy provider

Hi,


I am building Transparent app proxy on 10.15.5. I setup DNS resolver in the app proxy.


NEDNSSettings *dnsSettings = [[NEDNSSettings alloc] initWithServers: dnsServerList];

NSString* TLD1 = @"com";

NSArray<NSString *> *dnsMatchDomainList = [NSArray arrayWithObjects: TLD1, nil];

dnsSettings.matchDomains = dnsMatchDomainList;

dnsSettings.domainName = @"gp.com";

settings.DNSSettings = dnsSettings;


getaddrinfo or DNSServiceGetAddrInfo is called later with any com domain(e.g. apple.com) from same system extension, getaddrinfo/DNSServiceGetAddrInfo gets blocked forever. The same result is with asynchrous DNSServiceGetAddrInfo calls.


Could you please help me guide to solve it?

Please note, if getaddrinfo is called from third party app, it works fine.

Up vote post of anandfrombangalore Down vote post of anandfrombangalore
1.5k views
Posted by
anandfrombangalore
Reply
Add a Comment

Replies

Are you seeing any resolution to your dnsServerList or do all attempts to the listed DNS server return with nothing? If they are not available this sounds like you have a DNS routing problem. If this is intermittent, check that you are filtering your match domains correctly for your DNS queries. For example, it looks like you want to match specific domains to send to your DNS server. If this is true then you will want to set the matchDomainsNoSearch to YES.



Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

Posted by
meaton
Up vote reply of meaton Down vote reply of meaton
Add a Comment

Thanks Matt!


It is not intemittent. dns resolution is never received.


If matchDomainsNoSearch is set to YES.


getaddrinfo throws error:

error in getaddrinfo: nodename nor servname provided, or not known

Any recommendation to solve this issue?


Regards,

Anand Choubey

Posted by
anandfrombangalore
Up vote reply of anandfrombangalore Down vote reply of anandfrombangalore
Add a Comment

Interesting. You may be experiencing access control for your DNS to prevent packet loops on the interface. This may be preventing you from using the DNS server you are looking to use. Try using a different DNS server and see if you start getting traffic there. If you do, then your DNS traffic could be suffering from access control on the previous server.



Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

Posted by
meaton
Up vote reply of meaton Down vote reply of meaton
Add a Comment

Thanks Matt!


Try using a different DNS server and see if you start getting traffic there...

Sorry, I did not get your suggestion. How to use different DNS server in getaddrinfo?


We do not have any access policy on machine. Or do I miss your point?


I missed one strange point before:

If Network extension is disconnected from Network Preferences, all the block calls returns with resolved IP address.


Regards,

Posted by
anandfrombangalore
Up vote reply of anandfrombangalore Down vote reply of anandfrombangalore
Add a Comment

For your DNS Server I meant using a different DNS Server in NEDNSSettings. Otherwise you may want to open a DTS Incident so I can take a closer look.


Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

Posted by
meaton
Up vote reply of meaton Down vote reply of meaton
Add a Comment