DNS Proxy Provider vs DNS Proxy Provider vs DNS Settings

Question

this_username_did_not_exist OP

Created Feb ’23

Replies 6

Boosts 0

Views 1.2k

Participants 3

2 questions regarding conflict between DNS Proxy Providers and between DNS Proxy Provider and DNS Settings:

[Q#1] On macOS, is it possible to run 2 DNS Proxy Providers at the same time?

I've seen posts about this but never a definitive official answer. And I didn't see any mention in the WWDC sessions or online documentation about this.

I don't see how this could work correctly but…

[Q#2] On macOS, is it possible to run a DNS Proxy Provider and a DNS Settings at the same time?

From what I'm seeing, activating a DNS Settings (through a .mobileconfig file) deactivates a running DNS Proxy Provider. Activating a DNS Proxy Provider deactivates the DNS Settings.

Boost

Answer 1

DTS Engineer OP

Apple

Feb ’23

On macOS, is it possible to run 2 DNS Proxy Providers at the same time?

Yes.

I don't see how this could work correctly

DNS flows created by the first proxy are seen by the second.

The gotcha here is that there’s no way to control the order in which the proxies are loaded.

On macOS, is it possible to run a DNS Proxy Provider and a DNS Settings at the same time?

I don’t know.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

1

Answer 2

this_username_did_not_exist OP

Feb ’23

DNS flows created by the first proxy are seen by the second. The gotcha here is that there’s no way to control the order in which the proxies are loaded.

It looks to me that the random order is only one of the issues.

Let's imagine a solution is found to fix the loading order.

Those DNS flows created by the fist proxy can be DNS-over-HTTPS or DNS-over-TLS flows and none of these matches the description of the flows provided to a DNS proxy provider: "Each flow corresponds to a socket opened by an app to UDP port 53 or TCP port 53.". So, the second proxy provider would not see the DNS flows created by the first proxy.

If we accumulate the order randomness and the fact that the classic UDP flows may not be seen at all by the second DNS proxy provider, I don't think this can be considered as working correctly.

Am I missing something?

Ref. https://developer.apple.com/documentation/networkextension/nednsproxyprovider?language=objc

0

Answer 3

DTS Engineer OP

Apple

Feb ’23

So, the second proxy provider would not see the DNS flows created by the first proxy.

Correct.

I don't think this can be considered as working correctly.

I think this is an example of Working as Designed™, where the design doesn’t meet your requirements. You should feel free to file a bug about that, explaining your requirements and why the current design doesn’t work for you.

Please post your bug number, just for the record.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 4

VeeraSwamy OP

Feb ’23

On iOS, is it possible to run 2 DNS Proxy Providers at the same time?

0

Answer 5

DTS Engineer OP

Apple

Feb ’23

I can’t see why not, but I’ve no direct experience with that.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 6

DTS Engineer OP

Apple

Feb ’23

Upthread, this_username_did_not_exist wrote:

On macOS, is it possible to run a DNS Proxy Provider and a DNS Settings at the same time?

to which I replied:

I don’t know.

I’ve since researched this and confirmed that, no, it’s not possible to run these at the same time. These facilities — the NE DNS proxy provider and the DNS Setting (com.apple.dnsSettings.managed) payload — are mutually exclusive. Enabling one disables the other.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

1