DNSProxy Network Extension on macOS Ventura Beta 9

We have a product which uses the NEDNSProxyProvider to provide a custom DNS solution. We're checking for compatibility with macOS Ventura, running Ventura beta 9 in a VM on a 2020 M1 MBA (Monterey host).

We have discovered that system DNS behavior changed with macOS Ventura: If the DNS server specified in Network settings (where all you can set is an IP) supports DoH or DoT, mDNSResponder will automatically use those protocols in preference to traditional port 53 DNS.

We have also discovered that this traffic will completely bypass our active DNSProxyProvider. The Console logs show mDNSResponder communicating directly with the DNS server over a persistent connection. Traffic from programs that don't use mDNSResponder (e.g. dig) is still intercepted as on previous versions of macOS, but the majority of the DNS traffic will go through mDNSResponder.

This makes the DNSProxyProvider all but useless for our purpose. Is there a new way to configure the DNSProxyProvider? It feels like an oversight since the stated purpose of the DNSProxyProvider is to "intercept all DNS traffic generated on the device" (quoting the current documentation). Is there any new documentation on the topic of DNS behavior in Ventura? We did not find any in the release notes.

Thank you.

This makes the DNSProxyProvider all but useless for our purpose.

You should definitely file a bug about that. Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thank you, we have filed a report with more details under the id FB11683618.

Hi Quinn and Uoptaget

We have exactly the same issue and the official answer provided by Apple (Feedback ID FB11963304) is to prevent the use of DoH by replying to _dns.resolver.arpa queries with NXDOMAIN in the DNS proxy provider.

As Uoptaget said above, this is clearly an oversight by Apple that makes the DNS Proxy Extension practically useless, and the workaround actually disables an important security feature.

Where is that attention to security that Apple is so proud of? It seems it doesn't count every time... :-(

Also, this is not such a new issue: it is still present in Ventura 13.2, four months after it was reported on a beta version...

Despite your very valuable help, developing a DNS proxy network extension is turning out to be a nightmare...

Frankly, I'm quite disappointed by the lack of complete documentation and the other issues that are present (even after years) in the NE framework, some really blocking but pretty easy to spot with real QA. Well, it looks like the maxim "the customer is the QA" is valid also for Apple...

If it may help to have it fixed for good, should I file the same bug again, or is there a way to add a +1 to it?

Best regards,

Luca Severini
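The workaround Apple's feedback response describes (answering the _dns.resolver.arpa discovery probe with NXDOMAIN so mDNSResponder never learns that the resolver offers DoH/DoT) reduces to a small piece of DNS wire-format handling. The following is an added Python illustration, not code from this thread or from Apple: it assumes a plain UDP DNS message as the proxy would receive it from a flow, and the real extension would do the equivalent in Swift inside the NEDNSProxyProvider flow handler. As the post above notes, this suppresses the automatic upgrade to encrypted DNS for every client behind the proxy.

```python
import struct

# Discovery of Designated Resolvers (DDR) probes this name with an SVCB query.
DDR_NAME = "_dns.resolver.arpa"
QTYPE_SVCB = 64
RCODE_NXDOMAIN = 3


def parse_qname(packet, offset=12):
    """Decode an uncompressed QNAME starting at `offset`; return (name, next_offset)."""
    labels = []
    while True:
        length = packet[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:  # a compression pointer is not valid in a question we synthesize for
            raise ValueError("compressed QNAME in question section")
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def build_query(qname, qtype, txid=0x1234):
    """Construct a plain DNS query (constructed here only as sample input)."""
    q = b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in qname.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + q + b"\x00" + struct.pack("!HH", qtype, 1)


def ddr_nxdomain_response(query):
    """Return an NXDOMAIN reply if `query` is a DDR probe, else None (forward as usual)."""
    if len(query) < 12:
        return None
    txid, flags, qdcount, *_ = struct.unpack("!HHHHHH", query[:12])
    if flags & 0x8000 or qdcount != 1:  # a response, or unusual question count: leave alone
        return None
    qname, end = parse_qname(query)
    end += 4  # skip QTYPE and QCLASS
    if qname.lower() != DDR_NAME:
        return None
    rd = flags & 0x0100
    # QR=1, RD echoed, RA=1, RCODE=3; answer/authority/additional counts are zero.
    resp_flags = 0x8000 | rd | 0x0080 | RCODE_NXDOMAIN
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, 0, 0, 0)
    return header + query[12:end]  # echo the question section verbatim
```

Any other query returns None and is forwarded to the configured upstream exactly as before.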
