Network Extension and Safari DNS

I have been working with a DNS proxy for a while now. It replaces for us the use of unbound as a DNS forwarding resolver. The application itself is a security app, something that logs, and potentially blocks, outgoing requests to websites or anywhere really, and shows a blocked page if the webpage violates a policy.

A policy can be set per user, or groups of users. If we block the News category for a user, all categorised websites considered to be news are blocked. Uncategorised websites are flagged and categorised within a day or so. The policy can be changed per user, group, or everybody on a server and updates in a few minutes.

To do this we re-route the DNS (along with some authentication and identifying EDNS data) to our own resolver and it will either return the block page or not. There are other issues with using the DNSProxy rather than Unbound that might make us abandon it anyway, at least until they are fixed*, but a big annoyance now is Safari's caching of DNS queries.

If there is a policy blocking news, and I load a news site in Safari (say Sky News), and then start the proxy, the full site and links continue to work in Safari. Firefox and Chrome are blocked even if previously cached.

If I ping Sky News I get the IP of our resolver. If I curl the Sky News page, I see the block page HTML, and I can see that the DNS proxy is working because I log the data for the outgoing datagram and it contains skynews.com. This is true of a ping or of a reload in Safari. Except Safari seems to ignore the IP that is returned by the DNS proxy.

I have tried a system-wide cache removal, i.e.

sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder

but that also doesn't work.

Flushing the caches in safari doesn't work. (Develop -> Empty Caches). Erasing history doesn't work. A restart sometimes works but not always.

I know this isn't specifically about the DNS proxy, but it seems to me that Safari's over-aggressive caching should be network extension aware. Is there any potential fix here?

  • we don't really want the user to be able to quit the proxy, or even have a choice of installing it. Of course people don't want to be tracked but our customers want to track them.

I am going to assume that you are using macOS here because you mentioned Terminal commands. The actions that you are describing here are the actions of a Content Filter and not really a NEDNSProxyProvider. Have you looked into using a Content Filter API here, such as NEFilterDataProvider, to get the first top-level URL loaded and block the load of that URL?

Regarding the DNS behavior, this may be the system default behavior, or you may be seeing Optimistic DNS being used here and there is no change in server IP the connection needs to be aware of. In short, if this is causing your issues, it is grounds for a bug report, if nothing else to get this behavior documented.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
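As an added illustration of the content-filter approach suggested above (example code, not from the original thread or from Apple), a minimal NEFilterDataProvider that drops new flows to hosts on a policy list. The filter sees every new connection regardless of what Safari has cached from DNS, which is the point of the suggestion. HostPolicy, refreshBlockedHosts and the sample host suffix are assumptions; the containing app would populate the policy from its own server.

```swift
import NetworkExtension
import os.log

// Assumed policy cache, filled by the containing app from its policy server.
// refreshBlockedHosts is a hypothetical hook, not a NetworkExtension API.
final class HostPolicy {
    static let shared = HostPolicy()
    private let queue = DispatchQueue(label: "host-policy", attributes: .concurrent)
    private var blockedSuffixes: Set<String> = ["news.example"] // constructed sample value

    func refreshBlockedHosts(_ hosts: Set<String>) {
        queue.async(flags: .barrier) { self.blockedSuffixes = hosts }
    }

    // A host is blocked if it equals a listed suffix or is a subdomain of one.
    func isBlocked(_ host: String) -> Bool {
        let h = host.lowercased()
        return queue.sync {
            blockedSuffixes.contains { h == $0 || h.hasSuffix("." + $0) }
        }
    }
}

final class FilterDataProvider: NEFilterDataProvider {
    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        completionHandler(nil)
    }

    override func stopFilter(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        guard let socketFlow = flow as? NEFilterSocketFlow else { return .allow() }
        // remoteHostname (macOS 11+) is the name the process asked the system to
        // resolve; fall back to the endpoint's hostname for flows opened by address.
        let host = socketFlow.remoteHostname
            ?? (socketFlow.remoteEndpoint as? NWHostEndpoint)?.hostname
            ?? ""
        if HostPolicy.shared.isBlocked(host) {
            os_log("Dropping flow to %{public}@", host)
            return .drop()
        }
        return .allow()
    }
}
```

Note that a dropped flow surfaces as a failed connection in the browser, not as a block page, so the block-page experience the original poster wants still has to be provided separately.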

The extension can work on both but I see the safari issue on macOS.

I don't think that the NEDNSProxyProvider will work, since the decision on what is blocked and what is not blocked is made by the server side and is often quite dynamic. Anyway, I am not confident that there is a fix in doing that, as Safari should really be showing our blocked site anyway.

If I do this

curl http://skynews.com > skynews.html; open skynews.html

I get the blocked page. Of the four browsers I test, only Safari shows the issue.
