Is it possible to use AppProxy and DNSProxy together

Hi there,

I am using AppProxyProvider and DNSProxyProvider together.

When using only one of them, it works well so far. But when putting the two together, no traffic goes through. For example, nslookup google.com doesn't work anymore.

So just to confirm with you: is it allowed to use these two at the same time?

Thanks in advance for any suggestion.

So just to confirm with you: is it allowed to use these two at the same time?

I do not see why not. The most common cause of issues like this is both proxies trying to handle the same flow and failing. For example, are you trying to handle UDP flows in both of your providers? I would try setting up your NEAppProxyProvider to only handle TCP flows and see if this makes a difference.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
I am working with @richard_wang on this.

@meaton

The most common cause of issues like this is both proxies trying to handle the same flow and failing. For example, are you trying to handle UDP flows in both of your providers?

If I'm not mistaken, an App Proxy can't handle DNS flows and only a DNS Proxy can, so I don't see how this could be the problem. We will confirm this.

I would try setting up your NEAppProxyProvider to only handle TCP flows and see if this makes a difference.

We have tried this and still no luck.

We will keep trying to solve this and if you have any clues please let us know. Thanks.
Hi there,

Following this topic, we managed to make both appproxy and dnsproxy work together at the same time, but with some constraints. Wondering if you can provide some help.
  • Need to uninstall the extension each time before you run the application.

We use the command below to control the extension.
systemextensionsctl uninstall $DNSExtensionID $DNSExtensionName

If we start dnsproxy first, then only one network service is prompted and added, without the one for appproxy.
If we start appproxy first, both network services are added, but dnsproxy doesn't work (due to the extension access-right problem).
AppDelegate.swift:

func applicationDidFinishLaunching(_ aNotification: Notification) {
    ...
    // Start the App Proxy
    ProxyManager.shared().loadProxyManager(connect: true) {
        ProxyManager.shared().addObserver {}
        ProxyManager.shared().start()
        // Start the DNS Proxy once the App Proxy manager has loaded
        DNSManager.shared().start() {}
    }
    ...


Any suggestion on this?

  • Stability issue, mainly from the DNS proxy.

After running for a while with both proxies, name resolution failed.
We will go on checking this point as well.

We use the command below to control the extension.
systemextensionsctl uninstall $DNSExtensionID $DNSExtensionName

For testing purposes I would recommend deleting the container app by hand each time you test, i.e., right click, move to trash, and then enter your password. This should delete the Network System Extensions. If it does not then I would recommend running through the deactivation process of the system extension before your test.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Hi Matt,

We still cannot make AppProxyProvider and DNSProxyProvider work together. The main problems are still:
  • Stability issue

After running for a while with both proxies, name resolution failed.
  • Need to uninstall the extension each time before you run the application.

We use the command below to control the extension.
systemextensionsctl uninstall 5S77G864UH com.familyzone.macappproxy.dns

However, we made it work by using only AppProxyProvider to filter and handle DNS traffic based on UDP port 53.
The problem is whether this way is illegal, as nowhere in the documentation can I find that this is a valid way of handling DNS traffic using only AppProxyProvider.

So, need your help in two respects:
  1. Solve the issues having both AppProxyProvider and DNSProxyProvider working together.

  2. Help confirm whether it is legal to handle DNS traffic with AppProxyProvider only?

Thanks in advance.

Richard
Richard,

So, need your help in two respects:
Solve the issues having both AppProxyProvider and DNSProxyProvider working together.
Help confirm whether it is legal to handle DNS traffic with AppProxyProvider only?

Using NEAppProxyProvider or even better yet, NETransparentProxyProvider is one known alternative to creating a NEDNSProxyProvider to handle your system level DNS flows.

As far as your name resolution issues, if you start your NEDNSProxyProvider to handle DNS flows and then you start a NEAppProxyProvider or NETransparentProxyProvider afterwards to only handle TCP flows, do you still run into a conflict here?


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
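As an added example (not code from this thread or from Apple), here is what the confirmed alternative above looks like in a NETransparentProxyProvider: the included network rule claims only outbound UDP flows to port 53, so TCP and other UDP traffic never reach the proxy, and each DNS datagram is relayed to an upstream resolver with Network.framework. The resolver address is a placeholder; replacing the rule with protocol .TCP and port "0" gives the TCP-only variant suggested earlier in the thread.

```swift
import NetworkExtension
import Network
// Added example, not from this thread: a transparent proxy that claims only
// outbound UDP flows to port 53 and relays each datagram to an upstream
// resolver (placeholder address).
final class DNSOnlyTransparentProxy: NETransparentProxyProvider {
    private let upstream = Network.NWEndpoint.hostPort(host: "198.51.100.53", port: 53)
    override func startProxy(options: [String: Any]?, completionHandler: @escaping (Error?) -> Void) {
        let settings = NETransparentProxyNetworkSettings(tunnelRemoteAddress: "127.0.0.1")
        // Any IPv4 remote, UDP/53, outbound. Using .TCP and port "0" here would claim all TCP instead.
        let dns = NENetworkRule(remoteNetwork: NWHostEndpoint(hostname: "0.0.0.0", port: "53"),
                                remotePrefix: 0, localNetwork: nil, localPrefix: 0,
                                protocol: .UDP, direction: .outbound)
        settings.includedNetworkRules = [dns]
        setTunnelNetworkSettings(settings, completionHandler: completionHandler)
    }
    // No rule above matches TCP; decline anything that still arrives so the system handles it.
    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool { return false }

    override func handleNewUDPFlow(_ flow: NEAppProxyUDPFlow,
                                   initialRemoteEndpoint remote: NetworkExtension.NWEndpoint) -> Bool {
        guard let host = remote as? NWHostEndpoint, host.port == "53" else { return false }
        flow.open(withLocalEndpoint: nil) { error in if error == nil { self.relay(flow) } }
        return true
    }

    // One upstream round trip per datagram; enough for stub-resolver queries.
    private func relay(_ flow: NEAppProxyUDPFlow) {
        flow.readDatagrams { datagrams, endpoints, error in
            guard error == nil, let datagrams = datagrams, let endpoints = endpoints, !datagrams.isEmpty else {
                flow.closeReadWithError(error); flow.closeWriteWithError(error); return
            }
            for (query, origin) in zip(datagrams, endpoints) {
                let conn = NWConnection(to: self.upstream, using: .udp)
                conn.stateUpdateHandler = { state in
                    guard case .ready = state else { return }
                    conn.send(content: query, completion: .contentProcessed({ _ in
                        conn.receiveMessage { answer, _, _, _ in
                            if let answer = answer { flow.writeDatagrams([answer], sentBy: [origin]) { _ in } }
                            conn.cancel()
                        }
                    }))
                }
                conn.start(queue: .global())
            }
            self.relay(flow)  // keep reading until the flow is closed
        }
    }
}
```

Because the rule set excludes everything but UDP/53, this provider can run beside a TCP-only proxy or be dropped in place of a NEDNSProxyProvider without the two competing for the same flows.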

Using NEAppProxyProvider or even better yet, NETransparentProxyProvider is one known alternative to creating a NEDNSProxyProvider to handle your system level DNS flows.

Good to see that confirmation.

As far as your name resolution issues, if you start your NEDNSProxyProvider to handle DNS flows and then you start a NEAppProxyProvider or NETransparentProxyProvider afterwards to only handle TCP flows, do you still run into a conflict here?

Tried this before, as I remember, without UDP filtering from appproxy, with the same problem (network traffic cannot pass through). I can double-check anyway. Is there any concern about which to start first, dnsproxy or appproxy?

Is there any concern about which to start first, dnsproxy or appproxy?

Not that I am aware of, I just always start the NEDNSProxyProvider first if it is involved. You could try and run this the other way around to test it out though.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Hi Matt,

  • About bringing up both the DNS and transparent proxy network devices, can you share with me your code on how to start them one after the other?

I tried different combinations inside AppDelegate.swift; with the approach below, only sometimes do I get both network devices added, other times only the appproxy device can be seen.

func applicationDidFinishLaunching(_ aNotification: Notification) {
    ProxyManager.shared().loadProxyManager(connect: true) {
        ProxyManager.shared().addObserver {}
        ProxyManager.shared().start()
        // The DNS proxy is started only inside the App Proxy's load callback
        DNSManager.shared().start() {}
    }
}
  • About the stability issue with both proxies running, have you observed its stability over time?

I tried with the script below and found that sometimes it just gets stuck there for a while and then resumes.

#!/bin/bash

i=0
while true
do
  i=$((i+1))
  echo "loop $i"
  nslookup www.google.com
  sleep 1
done

I tried different combinations inside AppDelegate.swift; with the approach below, only sometimes do I get both network devices added, other times only the appproxy device can be seen.

I was not aware you were trying to start both providers from the same container app. First, when I test these scenarios I always test them as isolated container apps and Network System Extensions. Next, there is nothing technically stopping you from building multiple Network System Extensions into one container app, but I would advise that you go about this differently. For example, I would AT LEAST, start with the following:

  1. Build out two Network System Extensions in your project. One for your NEDNSProxyProvider and one for NETransparentProxyProvider / NEAppProxyProvider. Do not try to wedge the code for both providers into one provider.

  2. I would recommend running through the startup process first for your NEDNSProxyProvider. Then, after your DNS provider is up and running, run through the installation and startup of your NETransparentProxyProvider.

  3. Isolate as much of the proxy logic as possible to avoid bugs and confusion. Of course, I am assuming that there are things like UDP flow copying that you will want to keep as a common library between both providers, but separate your provider specific logging and logic out as much as possible. This will make your life a lot easier.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
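As an added example of the ordering recommended in steps 1 and 2 (not code from this thread or from Apple), the container-app side can chain the two managers so the transparent proxy is only configured and started after the DNS proxy preferences have been saved. It assumes both system extensions are already activated and that the two bundle identifiers are placeholders for your own extensions.

```swift
import NetworkExtension
// Added example, not code from this thread: bring up the DNS proxy first and
// only then the transparent proxy, from one container app. Assumes both system
// extensions are already activated; bundle identifiers are placeholders.
// startBoth saves the DNS proxy configuration and starts the transparent proxy
// only after that save completes, so each network service is added in turn.
final class ProxySequencer {
    static let dnsExtensionID = "com.example.app.dnsproxy"
    static let transparentExtensionID = "com.example.app.transparentproxy"
    func startBoth(completion: @escaping (Error?) -> Void) {
        configureDNSProxy { error in
            if let error = error { return completion(error) }
            self.startTransparentProxy(completion: completion)
        }
    }
    private func configureDNSProxy(completion: @escaping (Error?) -> Void) {
        let manager = NEDNSProxyManager.shared()
        manager.loadFromPreferences { error in
            if let error = error { return completion(error) }
            let proto = NEDNSProxyProviderProtocol()
            proto.providerBundleIdentifier = Self.dnsExtensionID
            manager.providerProtocol = proto
            manager.localizedDescription = "Example DNS Proxy"
            manager.isEnabled = true
            // saveToPreferences is what registers the DNS proxy network service.
            manager.saveToPreferences(completionHandler: completion)
        }
    }
    private func startTransparentProxy(completion: @escaping (Error?) -> Void) {
        NETransparentProxyManager.loadAllFromPreferences { managers, error in
            if let error = error { return completion(error) }
            // Reuse an existing configuration instead of adding a duplicate service.
            let manager = managers?.first ?? NETransparentProxyManager()
            let proto = NETunnelProviderProtocol()
            proto.providerBundleIdentifier = Self.transparentExtensionID
            proto.serverAddress = "localhost"  // required field, unused by a transparent proxy
            manager.protocolConfiguration = proto
            manager.localizedDescription = "Example Transparent Proxy"
            manager.isEnabled = true
            manager.saveToPreferences { error in
                if let error = error { return completion(error) }
                // A just-saved configuration must be reloaded before it can be started.
                manager.loadFromPreferences { error in
                    if let error = error { return completion(error) }
                    do { try manager.connection.startVPNTunnel(); completion(nil) }
                    catch { completion(error) }
                }
            }
        }
    }
}
```

Calling `ProxySequencer().startBoth { error in ... }` from applicationDidFinishLaunching replaces the nested start calls shown earlier; any failure in the DNS step stops the sequence before the second service is ever added.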