How to get default dns server when VPN is on?

I am using NEPacketTunnelProvider to write a VPN app. When the vpn is off, I could use res_9_getservers to get the current network DNS server, so that when the vpn is on, I could choose whether I reply the dns query or drop the query to the default dns server.

My question is when the vpn is on and the network changes, I did not found a way to get the new network's default DNS server, res_9_getservers returns the dns server which I was setting up.

So how can I get the new DNS when network changes?

Thank you!
Answered by Systems Engineer in 637403022
@roee84

Why?

Because trying to get all of the DNS traffic to route through your tunnel is an endless scenario of edge cases and gotchas. We have specific APIs to handle capturing all DNS traffic in the way that you see fit. Trying to account for scenario's where NEDNSSettings is setup to capture ALL DNS traffic usually ends up in a breakdown of some sort because certain browser based queries ultimately slip outside your match domain settings.

What about this description "If the VPN tunnel becomes the network’s default route,
the servers listed earlier by NEDNSSettings become the default resolver and the
matchDomains list is ignored."

Right. So if you do not have any other routes on the system to handle DNS, then the VPN's route will act as a backstop to handle the DNS traffic and the servers used in NEDNSSettings will be used to do so. This does not mean that this is a recommended course of action and it will not always be the case on every device or machine. You will need to look at the routing table to know for sure, but it could be the case where mDNSResponder is using a different route to handle your DNS traffic.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

My question is when the vpn is on and the network changes, I did not found a way to get
the new network's default DNS server, res9getservers returns the dns server which I
was setting up.

Okay, why are you needing to find the new DNS server when the network changes? If you are wanting to redirect DNS traffic, try setting NEDNSSettings on your NEPacketTunnelProvider to serve specific domains. If you need a device specific DNS handling, take a look at NEDNSSettingsManager


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Okay, why are you needing to find the new DNS server when the network changes? If you are wanting to redirect DNS traffic, try setting NEDNSSettings on your NEPacketTunnelProvider to serve specific domains. If you need a device specific DNS handling, take a look at NEDNSSettingsManager

Thank you matt.

Yes, I wanna redirect dns traffic by complex rules, for example some queries I resolve myself, others pass to the default DNS server. The rules are too complex to just describe in NEDNSSettings, like Regexp domain names, some TXT queries and so on.


I would recommend not trying to capture large volumes of System DNS queries through a VPN. That is what NEDNSSettingsManager or a NEDNSProxyProvider. Instead with a VPN use NEDNSSettings to capture only specific domains that your VPN is interested in and point them at a specific DNS server of your choice. Do not try and capture everyone else DNS traffic as well.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
A question regarding "use NEDNSSettings to capture only specific domains that your VPN is interested in and point them at a specific DNS server of your choice. Do not try and capture everyone else DNS traffic as well."
Why? What about this description "If the VPN tunnel becomes the network’s default route, the servers listed earlier by NEDNSSettings become the default resolver and the matchDomains list is ignored." from https://developer.apple.com/documentation/networkextension/nednssettings/1406537-matchdomains? On full tunnel I want that all the queries will reach to the DNS servers I configured, is that a problem?
Accepted Answer
@roee84

Why?

Because trying to get all of the DNS traffic to route through your tunnel is an endless scenario of edge cases and gotchas. We have specific APIs to handle capturing all DNS traffic in the way that you see fit. Trying to account for scenario's where NEDNSSettings is setup to capture ALL DNS traffic usually ends up in a breakdown of some sort because certain browser based queries ultimately slip outside your match domain settings.

What about this description "If the VPN tunnel becomes the network’s default route,
the servers listed earlier by NEDNSSettings become the default resolver and the
matchDomains list is ignored."

Right. So if you do not have any other routes on the system to handle DNS, then the VPN's route will act as a backstop to handle the DNS traffic and the servers used in NEDNSSettings will be used to do so. This does not mean that this is a recommended course of action and it will not always be the case on every device or machine. You will need to look at the routing table to know for sure, but it could be the case where mDNSResponder is using a different route to handle your DNS traffic.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

You will need to look at the routing table to know for sure, but it could be the case where mDNSResponder is using a different route to handle your DNS traffic.

@meaton - would you be able to explain in which scenarios this happens? I am currently experiencing in MacOS Catalina that mDNSResponder occasionally starts to send DNS requests via the wrong network interface and don't have any clue why this is happening...

Thx -XoF-

@-XoF-

I am currently experiencing in MacOS Catalina that mDNSResponder occasionally starts to send DNS requests via the wrong network interface and don't have any clue why this is happening...

This could be the case when your DNS queries are not claimed or handled by the virtual interface and thus would go to another interface to be performed.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com 
How to get default dns server when VPN is on?
 
 
Q