iOS 16 preferring to use DoH/DoT even if VPN has specified it does not support DoH/DoT in DNS Settings

Hi,

We have a VPN solution based on NEPacketTunnelProvider. Our requirement is to be able to get UDP-based DNS traffic and perform DNS resolution for all DNS queries while the VPN is in split tunnel mode.

Earlier, until iOS 15.x, we used the approach mentioned by @eskimo in this link https://developer.apple.com/forums/thread/35027?answerId=122209022#122209022, where our VPN was in split tunnel and we used the wildcard match domain option to get all the DNS queries in the VPN. We used public DNS servers like the Google DNS servers (8.8.8.8, 8.8.4.4) in our VPN. In the NEDNSSettings of our NEPacketTunnelNetworkSettings, we have dnsProtocol set to "clear text" and the servers set to the above public DNS servers.

From iOS 16 onwards, we are observing that despite specifying the cleartext DNS protocol, we are receiving encrypted DNS packets, probably because the system is automatically using DoT or DoH, as the public DNS servers do support this.

This is breaking multiple flows in our app.

This seems to be a regression in iOS 16, because the DNSSettings of the VPN should be respected by the platform. Is this a known issue on Apple's side? If yes, are there any tentative dates for fixing this?

I tried it in full tunnel mode as well, where I claim the default route in my network settings' included routes. Here also I observe that even though the NEDNSSettings value specifies clear text, if I use the public DNS servers, I am still getting encrypted DNS traffic.

Surely looks like a bug, because in presence of a VPN, the VPN's network settings should be honoured and the platform should not select automatically.
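The configuration described in the first post, as an added Swift example (not the poster's code or Apple's): a split-tunnel NEPacketTunnelNetworkSettings with the wildcard match domain and plain NEDNSSettings pointing at 8.8.8.8 / 8.8.4.4, a check that the resulting dnsProtocol is cleartext, and a small port-based classifier for IPv4 packets read from the tunnel so a provider can log whether resolver traffic is arriving on port 53 or 853. The helper names, the /32 routes to the resolvers and the tunnel addresses are assumptions.

```swift
import NetworkExtension

// Builds the split-tunnel settings the post describes (hypothetical helper, not the
// poster's code): a wildcard match domain so every DNS query enters the tunnel, and
// plain NEDNSSettings (no DoT/DoH subclass) pointing at 8.8.8.8 / 8.8.4.4.
func makeSplitTunnelSettings(tunnelRemoteAddress: String,
                             tunnelLocalAddress: String) -> NEPacketTunnelNetworkSettings {
    let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: tunnelRemoteAddress)
    let resolvers = ["8.8.8.8", "8.8.4.4"]

    // Split tunnel: no default route; only the resolvers' /32s are routed into the tunnel
    // (assumption, so that queries to them actually reach packetFlow).
    let ipv4 = NEIPv4Settings(addresses: [tunnelLocalAddress], subnetMasks: ["255.255.255.255"])
    ipv4.includedRoutes = resolvers.map {
        NEIPv4Route(destinationAddress: $0, subnetMask: "255.255.255.255")
    }
    settings.ipv4Settings = ipv4

    // The base NEDNSSettings class reports dnsProtocol == .cleartext; the
    // NEDNSOverTLSSettings / NEDNSOverHTTPSSettings subclasses are deliberately not used.
    let dns = NEDNSSettings(servers: resolvers)
    dns.matchDomains = [""]          // "" = wildcard: route all DNS queries through the tunnel
    dns.matchDomainsNoSearch = true  // don't also treat the wildcard as a search suffix
    settings.dnsSettings = dns
    return settings
}

// Sanity check before calling setTunnelNetworkSettings(_:completionHandler:).
func usesCleartextDNS(_ settings: NEPacketTunnelNetworkSettings) -> Bool {
    return settings.dnsSettings?.dnsProtocol == .cleartext
}

// Classifies an IPv4 packet read from packetFlow by destination port, so the provider
// can log whether resolver traffic arrives on 53 (plain DNS) or 853 (DNS over TLS).
// DoH rides on 443 and cannot be told apart from ordinary HTTPS by port alone.
enum DNSTransportHint { case plainDNS, dnsOverTLS, other }

func classifyIPv4Packet(_ packet: Data) -> DNSTransportHint {
    let bytes = [UInt8](packet)
    guard bytes.count >= 20, bytes[0] >> 4 == 4 else { return .other }
    let ihl = Int(bytes[0] & 0x0F) * 4                 // IPv4 header length in bytes
    let proto = bytes[9]                               // 6 = TCP, 17 = UDP
    guard proto == 6 || proto == 17, bytes.count >= ihl + 4 else { return .other }
    let dstPort = UInt16(bytes[ihl + 2]) << 8 | UInt16(bytes[ihl + 3])
    switch dstPort {
    case 53:  return .plainDNS
    case 853: return .dnsOverTLS
    default:  return .other
    }
}
```

Running `classifyIPv4Packet` over packets from `packetFlow.readPackets` gives a quick count of how much resolver traffic is still on port 53 versus 853 after the settings are applied; a DoH upgrade to 443 will show up only as a drop in port-53 traffic, not as a distinct category.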

Hi, did you ever manage to solve this issue? I am currently facing it too, but I can't seem to find any solution.

Same on my side, any solution?
