Split Tunnel + split DNS

Question

Created Jul ’22

Replies 3

Boosts 0

Views 2.1k

Participants 2

I've implemented a custom VPN for macOS (system extension, Packet Tunnel Provider). My question is related to the tunnel's DNS servers:

I would like that even when a split-tunnel is enabled, all DNS queries will reach the tunnel's DNS, but I'm aware that this case is not 'working well', and the Packet Tunnel Provider is not supposed to capture all DNS queries, see those threads:https://developer.apple.com/forums/thread/662443, https://developer.apple.com/forums/thread/661601
So as a workaround, on a split-tunnel I have a list of 'match domains', and 'search domains'. But now it seems that the default interface will answer those queries as well, and they still won't reach the tunnel's DNS. To verify this, I connected with the VPN, and when I checked 'scutil --dns', I got the list of resolvers, where resolver #1, wasn't the utun (it was en7), and it handled all the 'match domain'/'search domains'.

Any idea how to force some/add DNS queries to the tunnel's DNS even when for a split tunnel?

Boost

Answer 1

Systems Engineer OP

Apple

Jul ’22

Any idea how to force some/add DNS queries to the tunnel's DNS even when for a split tunnel? the Packet Tunnel Provider is not supposed to capture all DNS queries

Right, the NEPacketTunnelProvider should not be used to capture all DNS traffic. If you need to do this, then NEDNSProxyProvider and DNS Settings are the APIs you want, as mentioned here.

0

Answer 2

roee84 OP

Jul ’22

Thanks @meaton, but this is exactly what I've asked - I don't need to capture all DNS traffic, so I have a split tunnel for DNS, but it still not working well. I'm copying (and editing a bit) the relevant part from my original question:

So as a workaround, on a split-tunnel I have a list of 'match domains', and 'search domains'. But now it seems that the default interface will answer those queries as well, and they won't reach the tunnel's DNS. To verify this, I connected with the VPN, and when I checked 'scutil --dns', I got the list of resolvers, where resolver #1, wasn't the utun (it was en7), and it handled all the 'match domains'/'search domains'. All DNS queries with those domains were answered by the system's DNS server, and not by the VPN DNS server.

Any idea how to force those DNS queries to the tunnel's DNS for a split tunnel? It seems that the matchDomains is not working..

0

Answer 3

Systems Engineer OP

Apple

Jul ’22

Any idea how to force those DNS queries to the tunnel's DNS for a split tunnel? It seems that the matchDomains is not working..

It sounds like your routing table must be handling the DNS queries before your tunnel has a chance to claim them, or that the tunnel is not correctly picking them up and they are falling through for the system to handle them. To debug this further your could try:

Go full tunnel to make sure that you are able to grab the DNS queries that you need.
Set the default route on your tunnel. This will likely add a lot more traffic to your tunnel but may tell you if you have an error in how your tunnel is setup and if this DNS traffic is not being claimed properly by your dns settings.
Move to one of the proxy APIs I mentioned previously to handle DNS traffic outside of the destination address you are tunneling.

0