Hi! I'm developing a transparent proxy network extension using NETransparentProxyProvider.
It looks like connections from mDNSResponder are not bypassed when returning NO from handleNewFlow: of NETransparentProxyProvider, and are terminated instead.
Symptoms are non-functional DNS-over-HTTPS (installed through a .mobileconfig) when there's an active network extension which bypasses all traffic (always returns NO from handleNewFlow:). Solved by actually filtering flows from com.apple.mDNSResponder instead of bypassing them.
I've filed FB8895063 with details and a sample app, but haven't gotten any answer yet; duplicating here for visibility.
I've also got a suspicion that bypassing flows by returning NO from handleNewFlow: also leads to problems with other apps besided the mDNSResponder, since I've seen intermittent failures in apps that are not filtered by my network extension when it is active.
It looks like connections from mDNSResponder are not bypassed when returning NO from handleNewFlow: of NETransparentProxyProvider, and are terminated instead.
Symptoms are non-functional DNS-over-HTTPS (installed through a .mobileconfig) when there's an active network extension which bypasses all traffic (always returns NO from handleNewFlow:). Solved by actually filtering flows from com.apple.mDNSResponder instead of bypassing them.
I've filed FB8895063 with details and a sample app, but haven't gotten any answer yet; duplicating here for visibility.
I've also got a suspicion that bypassing flows by returning NO from handleNewFlow: also leads to problems with other apps besided the mDNSResponder, since I've seen intermittent failures in apps that are not filtered by my network extension when it is active.