PacketTunnelProvider and Encrypted DNS behavior

Hi,

We are running a PacketTunnelProvider, and are testing the effects of Encrypted DNS (DoH or DoT).

According to WWDC20-10047, "resolution within the VPN tunnel will use the VPN's DNS settings and not your system-wide settings".

We've been testing by enabling encrypted DNS system-wide using a configuration profile. However, we can see that in System Preferences -> Network, both the VPN configuration, and the encrypted DNS configuration are active and running. And that DNS is encrypted, interfering with the proper function of our VPN application.

Is this expected behavior? How can the behavior of encrypted DNS in conjunction with a VPN be characterized?

Is this expected behavior?

No. This could be a situation where your tunnel is not correctly claiming the DNS traffic for your packet tunnel's NEDNSSettings, and so your system wide NEDNSOverHTTPSSettings is picking it up instead. This may also be the case that this traffic is just plain missing your tunnel for some reason.

A few follow-up questions: if my theory above is true, then if you turn off your DoH / DoT configuration(s), I would expect your packet tunnel to still not be receiving this DNS traffic. If you turn off your DoH / DoT configuration(s) and then all of a sudden your packet tunnel starts getting this DNS traffic again, please let me know, as this sounds like a bug.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Hi Matt,

When we disable DoH/DoT configurations, our Packet Tunnel gets DNS traffic, so we believe this to be a bug. I can file it as such; let me know if you need anything else. Thanks.

Thank you for confirming. While I do believe you should open a bug here, it would be good to get one more piece of information; you may have already done this, but what happens if your NEPacketTunnelProvider is started before your DoH / DoT configurations? Does your packet tunnel always pick up your NEDNSSettings traffic then, no matter what other Network Extension configurations are enabled on the system?

If the above suggestion works I would recommend that you open a bug for documentation on this matter. If the above suggestion does not work then I would open a bug for NEPacketTunnelProvider not receiving the DNS traffic in this API. If you open a bug for NEPacketTunnelProvider, please include a sysdiagnose with the exact time and date the issue took place.

Please respond back with the Feedback ID.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

I have filed FB9224983 for iOS, and FB9224605 for macOS.

Thank you.

Accepted Answer

Thank you for opening the bug reports. I do see them internally. On your packet tunnel, if you set your matchDomains to a nil value, does this change things at all?

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Hi Matt, making matchDomains = nil fixes the issue.
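As an added illustration (not code from this thread or from Apple), here is a minimal startTunnel that applies the accepted answer: the tunnel's NEDNSSettings are installed with matchDomains left nil instead of a domain list, so the tunnel claims DNS queries rather than leaving them to a system-wide DoH/DoT profile. The tunnel, client and resolver addresses are placeholder values.

```swift
import NetworkExtension

final class PacketTunnelProvider: NEPacketTunnelProvider {

    override func startTunnel(options: [String: NSObject]?,
                              completionHandler: @escaping (Error?) -> Void) {
        // Placeholder VPN server address (TEST-NET-3, not a real endpoint).
        let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "203.0.113.1")

        // Placeholder client address and a default route through the tunnel.
        let ipv4 = NEIPv4Settings(addresses: ["10.0.0.2"], subnetMasks: ["255.255.255.0"])
        ipv4.includedRoutes = [NEIPv4Route.default()]
        settings.ipv4Settings = ipv4

        // Placeholder resolver reachable only inside the tunnel.
        let dns = NEDNSSettings(servers: ["10.0.0.1"])
        // Per the accepted answer above: with matchDomains nil the packet tunnel
        // kept receiving DNS traffic even while a system-wide DoH/DoT profile was
        // active. A non-nil list restricts these settings to those domains
        // (split DNS), and other queries are resolved outside the tunnel.
        dns.matchDomains = nil
        settings.dnsSettings = dns

        setTunnelNetworkSettings(settings) { error in
            if let error = error {
                completionHandler(error)
                return
            }
            // Packet reading from self.packetFlow would start here.
            completionHandler(nil)
        }
    }

    override func stopTunnel(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        completionHandler()
    }
}
```

A quick way to confirm the behaviour described in the thread is to compare whether queries reach the tunnel's resolver with a DoH/DoT profile installed versus removed, as Matt suggests above.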
