Split tunnel + Include routes + search domains

App & System Services Networking
roee84 OP
Created Sep ’20
Replies 7
Boosts 0
Views 1.6k
Participants 2
(This is related to a thread from a year ago - https://developer.apple.com/forums/thread/113252?page=1#637604022)

I've implemented a custom VPN app for macOS (Packet Tunnel Provider).
If the user configured DNS servers for the tunnel, they should answer all DNS queries.
This is done with 
Code Block 
dnsSettings.matchDomains = [""]

This works good except for one combination - if the user enabled split tunnel with include routes + searchDomains, the DNS queries goes to the system DNS server, and not to the tunnel DNS.

I found a partial solution - for the above case, if I'm setting dnsSettings.matchDomains with the searchDomains, the tunnel's DNS server will answer queries, but only those which related to a domain on that list.
I want the tunnel's DNS servers to answer all queries, so this solution isn't good.

Is it a bug or an intentional behaviour?



Replies  7
Boosts  0
Views  1.6k
Participants  2
Systems Engineer OP
Apple
Sep ’20

Is it a bug or an intentional behaviour?

Answering queries for the the domains listed in the matchDomains list does sound like correct behavior.

I want the tunnel's DNS servers to answer all queries, so this solution isn't good.

See my response on this thread.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
0
roee84 OP
Oct ’20
Thanks for your answer, but I have 2 small questions:

  1. Just to be sure - even if the tunnel is for the default route (capture all traffic), the tunnel's DNS servers are not suppose to answer all queries?


2. Even with what you said, I'm pretty sure there's a bug on your side here (and not an edge case). Please see those 2 lines of code:

Code Block 
let searchDomains = ["myComp.net", "myComp.com", "com", "atlassian.net", "Kings.dev", "Kings", "MyABC.com", "ABC.com", "Kings.com", "myComp"]
newSettings.dnsSettings?.searchDomains = searchDomains


Now run 'ping google' at the terminal and it would work great ('google' will get the 'com' from the searchDomains).

However, moving "com" to the fourth location at the array (instead of at the first three):
Code Block 
let searchDomains = ["myComp.net", "myComp.com", "atlassian.net", "com", "Kings.dev", "Kings", "MyABC.com", "ABC.com", "Kings.com", "myComp"]

And 'ping google' doesn't work anymore. It seems that searchDomains has only "room" for 3 domains. Isn't it a bug (and not an edge case)?
0
roee84 OP
Oct ’20
And just to clarify - the settings for my VPN is to use the default route (all traffic should go via my VPN, and the VPN tunnels should answer all queries). If this is not possible I'll look at the DNS provider extension.
0
roee84 OP
Oct ’20
I also want to point out Eskimo's answer from 4 years ago - https://developer.apple.com/forums/thread/35027?answerId=122209022#122209022


So, you normally set up a VPN in one of three ways:
full tunnel — The VPN is the primary interface and its DNS server is used by default.
split tunnel, match domains — The VPN is not the primary interface and the system consults its VPN server for just the specified match domains.
split tunnel, wildcard match domains — The VPN is not the primary interface and the system consults its DNS server for all domains first.

The third option is what I want, but it seems very buggy. I'm not sure that NEDNSProxyProvider is the answer, because of several reasons:

  • It's another extension that the customers would have to approve

  • "do this in the context of managed devices" - I want the tunnel's DNS server for all devices, not only for managed devices


0
roee84 OP
Oct ’20
I submitted feedback - FB8774831
0
Systems Engineer OP
Apple
Oct ’20

The third option is what I want, but it seems very buggy.

This does go back to my point about edge cases you run into here.


I'm not sure that NEDNSProxyProvider is the answer

If you are not working in a managed environment what about NEDNSSettingsManager?


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
0
roee84 OP
Oct ’20
If you are not working in a managed environment what about NEDNSSettingsManager?
I wasn't familiar with that one! It sounds great, but sadly it's only from the recent OS versions, so I'll check if this can help us here.
Thanks for the suggestion!
0
Split tunnel + Include routes + search domains
First post date Last post date
 
 
Q