getaddrinfo blocked in App Proxy provider

Question

anandfrombangalore OP

Created Jun ’20

Replies 5

Boosts 0

Views 1.6k

Participants 2

Hi,

I am building Transparent app proxy on 10.15.5. I setup DNS resolver in the app proxy.

NEDNSSettings *dnsSettings = [[NEDNSSettings alloc] initWithServers: dnsServerList];

NSString* TLD1 = @"com";

NSArray<NSString *> *dnsMatchDomainList = [NSArray arrayWithObjects: TLD1, nil];

dnsSettings.matchDomains = dnsMatchDomainList;

dnsSettings.domainName = @"gp.com";

settings.DNSSettings = dnsSettings;

getaddrinfo or DNSServiceGetAddrInfo is called later with any com domain(e.g. apple.com) from same system extension, getaddrinfo/DNSServiceGetAddrInfo gets blocked forever. The same result is with asynchrous DNSServiceGetAddrInfo calls.

Could you please help me guide to solve it?

Please note, if getaddrinfo is called from third party app, it works fine.

Boost

Answer 1

Systems Engineer OP

Apple

Jun ’20

Are you seeing any resolution to your dnsServerList or do all attempts to the listed DNS server return with nothing? If they are not available this sounds like you have a DNS routing problem. If this is intermittent, check that you are filtering your match domains correctly for your DNS queries. For example, it looks like you want to match specific domains to send to your DNS server. If this is true then you will want to set the matchDomainsNoSearch to YES.

Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

0

Answer 2

anandfrombangalore OP

Jun ’20

Thanks Matt!

It is not intemittent. dns resolution is never received.

If matchDomainsNoSearch is set to YES.

getaddrinfo throws error:

error in getaddrinfo: nodename nor servname provided, or not known

Any recommendation to solve this issue?

Regards,

Anand Choubey

0

Answer 3

Systems Engineer OP

Apple

Jun ’20

Interesting. You may be experiencing access control for your DNS to prevent packet loops on the interface. This may be preventing you from using the DNS server you are looking to use. Try using a different DNS server and see if you start getting traffic there. If you do, then your DNS traffic could be suffering from access control on the previous server.

Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

0

Answer 4

anandfrombangalore OP

Jun ’20

Thanks Matt!

Try using a different DNS server and see if you start getting traffic there...

Sorry, I did not get your suggestion. How to use different DNS server in getaddrinfo?

We do not have any access policy on machine. Or do I miss your point?

I missed one strange point before:

If Network extension is disconnected from Network Preferences, all the block calls returns with resolved IP address.

Regards,

0

Answer 5

Systems Engineer OP

Apple

Jun ’20

For your DNS Server I meant using a different DNS Server in NEDNSSettings. Otherwise you may want to open a DTS Incident so I can take a closer look.

Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

0