Difference between matchDomains and searchDomains in NEDNSSettings

I am a bit confused about the usage of searchDomains of NEDNSSettings and how it differs from matchDomains. I understand that I can add a few domains in matchDomains which will be used to redirect DNS requests for the provided domains and their subdomains to my NetworkExtension. So, what is the use of searchDomains?

From the docs it appears that it will work the same as matchDomains but only for exact FQDNs. And DNS requests for any subdomains would not be redirected to the NE but rather to the system DNS resolver. Is that understanding correct?

If that understanding is correct, then what's the use of matchDomainsNoSearch? Any domain in match domain would be a superset of same domain appended in searchDomains? So why even append it?

If my understanding is not correct, then what's the use of searchDomains?

Answered by Systems Engineer in 687463022

So, what is use of searchDomains? From docs it appears that it will work same as matchDomains but only for exact FQDNs.

Right, so searchDomains will be used as-is, for example, test.example.com, whereas matchDomains can be used for any subdomain of example.com.

Regarding:

If that understanding is correct, then what's the use of matchDomainsNoSearch?

matchDomainsNoSearch is a flag to determine if the matchDomains should be appended to the searchDomains. For example:

NEDNSSettings *dnsSettings = [[NEDNSSettings alloc] initWithServers:@[kLocalIP]];
dnsSettings.matchDomains = @[@"example.com"];
dnsSettings.matchDomainsNoSearch = YES;

This will NOT append example.com to the end of domains being resolved.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Accepted Answer


Hi Matt, since I had never used searchDomains, I just did some testing and results are not what I expected.

I added a few domains like google.com, amazon.com, www-google.com and www-amazon.com (- are dots here since www URLs are not allowed) into search domains, added nothing in matchDomains, and matchDomainsNoSearch is set to true. So, I expected to get DNS queries for all the above exact domains in my NE. But that is not the case. I get no DNS queries at all.

If I add the same domains in matchDomains and nothing in searchDomains, I get all the exact as well as subdomain queries. Which is working as expected but is not something I need. I only need queries for exact domain names. So, how can that be achieved? I thought adding only to searchDomains would do that. But that is not the case.

I only need queries for exact domain names. So, how can that be achieved? I thought adding only to searchDomains would do that.

If you add the exact hostnames to the searchDomains and do not include anything for matchDomains or matchDomainsNoSearch, do you pick up the exact values in searchDomains?

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

do you pick up the exact values in searchDomains?

I am not sure I completely understood what you mean, but let me try to answer that: I add an FQDN in searchDomains and then I try to access the same exact FQDN in the browser. But the DNS queries for that FQDN are sent to my PacketTunnel.

Is this what you are asking?

Sorry, I mistyped my previous post and did not notice it till now. Here is the right version:

I am not sure I completely understood what you mean, but let me try to answer that: I add an FQDN in searchDomains and then I try to access the same exact FQDN in the browser. But the DNS queries for that FQDN are not sent to my PacketTunnel.

Is this what you are asking?

Is this what you are asking?

Yes, that is what I am asking. I would have expected an FQDN to be sent to your packet tunnel. If you are still running into issues here, open a TSI and I can take a deeper look at your NEDNSSettings in the context of your Network System Extension.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com