NEProvider creation failed

I am trying to get a DNS Proxy app extension up and running. So first off, I've created a sample project to play around with the API.

I've created an iOS project, put some base code, but when I launch the app, I get a "NEProvider creation failed, caller does not have the com.apple.developer.networking.networkextension entitlement" error. Breakpoints in the extension target don't work, managed to get the info using Console.

I have no idea where to put the required entitlement. Please help.

Here are the

and the sample project

A few things to note here about the project:

  1. I am going to first point you towards Quinn's Technote: TN3134 Network Extension provider deployment. The reason this is important is that you can only deploy a NEDNSProxyProvider on a supervised device.

  2. The second is that you have the dns-proxy entitlement key setup on the container app but you'll also need it on the Network App Extension too.

  3. You will not be able to run this provider locally for development without the entitlement for com.apple.security.get-task-allow set to true. Note that this is for Development only for you to test your code. Remember that these providers cannot be deployed outside supervised devices on iOS.

  4. You'll want to provide some sort of serverAddress for NEDNSProxyProviderProtocol.
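The check from point 2, as an added example that is not part of the original thread: a Python script that reads each target's entitlements plist and reports which ones lack `dns-proxy` under the Network Extension key. The file names and sample plists are constructed for illustration.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Entitlement key taken from the error message in the thread; "dns-proxy" is
# the value the reply says both the app and the extension need.
NE_KEY = "com.apple.developer.networking.networkextension"
REQUIRED_VALUE = "dns-proxy"


def has_dns_proxy(raw_plist: bytes) -> bool:
    """True if the entitlements plist lists dns-proxy under the NE key."""
    try:
        plist = plistlib.loads(raw_plist)
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        return False  # unreadable file: treat the target as not entitled
    if not isinstance(plist, dict):
        return False
    values = plist.get(NE_KEY)
    # The key must hold an array; a bare string is a misconfiguration.
    return isinstance(values, list) and REQUIRED_VALUE in values


def targets_missing_dns_proxy(entitlements: dict) -> list:
    """Names of targets (app, extension, ...) that lack the entitlement."""
    return sorted(name for name, raw in entitlements.items()
                  if not has_dns_proxy(raw))


# Constructed sample data: the container app is entitled, while the
# extension's file carries only an unrelated key, as in the thread.
SAMPLE = {
    "ContainerApp.entitlements": plistlib.dumps({NE_KEY: [REQUIRED_VALUE]}),
    "DNSProxyExtension.entitlements": plistlib.dumps(
        {"com.apple.security.application-groups": ["group.example.constructed"]}),
}

if __name__ == "__main__":
    for name in targets_missing_dns_proxy(SAMPLE):
        print(f"{name}: missing {REQUIRED_VALUE!r} under {NE_KEY}")
```

This inspects the source `.entitlements` files only; the system evaluates the entitlements embedded in the signed binary.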

@meaton

> You'll want to provide some sort of serverAddress for NEDNSProxyProviderProtocol.

Is this the same "https://my.dns.server/dns-query" one would use with NEDNSOverHTTPSSettings?

> Is this the same "https://my.dns.server/dns-query" one would use with NEDNSOverHTTPSSettings?

This is essentially the serverAddress you plan to point your proxy traffic towards.

@meaton, the steps you have provided did get the extension up and running. Thanks. But can you please explain a bit more about serverAddress? I don't understand fully how DNS works, it seems. My idea was that with DNS Proxy one can intercept DNS requests and modify them (for example, route DNS resolution requests to different DNS servers based on some set of rules). So why does one need to point the proxy traffic towards some specific server? And what kind of server should that be?

First up, I’m going to include a link to your other thread here, because I think that’s an important bit of context.

With regards the server address, keep in mind that our DNS proxy technology [1] is a ‘child’ of our app proxy technology, and app proxies are a form of per-app VPN. From that perspective, it makes sense to require a server address [2]. A DNS proxy may or may not have a sensible value to put here, depending on how the proxy works. If it doesn’t, standard convention is to use localhost.

Regardless, there’s no strict requirement that your proxy pay any attention to the server address it’s given. You just have to supply some value so that you can successfully save your configuration.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Likewise for transparent proxies, and my comments above apply there as well.

[2] The server address was also originally involved in VPN loopback prevention, but that’s a more complex topic.
