iOS VPN DNS Traffic can not be hijack

Question

icefire_wang OP

Created Jun ’23

Replies 1

Boosts 0

Views 1k

Participants 2

Here's the situation:

Our app implements a VPN service using NEPackTunnelProvider.

Recently, we noticed that when the DNS servers used in the WIFI environment are the same as those configured for the VPN, such as 8.8.8.8 and 8.8.4.4, DNS traffic will not pass through the VPN, which only occurs on iOS 16.

I think this is an optimization of the iOS system.

However, this creates a problem.

Our VPN server performs DNS resolution. If we use 8.8.8.8 and 8.8.4.4 for resolution and it fails, we will use our customer's internal DNS server for resolution, and then return the result to the client. For the client, it seems like the resolution was done with 8.8.8.8, but it's not actually.

Because iOS does not route traffic to 8.8.8.8 and 8.8.4.4 to the VPN, this causes our DNS resolution to fail.

Is there any method (such as a configuration option) to allow traffic to 8.8.8.8 and 8.8.4.4 to still go through the VPN?

Boost

Answer 1

DTS Engineer OP

Apple

Jun ’23

Recently, we noticed that when the DNS servers used in the Wi-Fi environment are the same as those configured for the VPN, such as 8.8.8.8 and 8.8.4.4, DNS traffic will not pass through the VPN, which only occurs on iOS 16.

This is almost certainly iOS 16’s implementation of the Discovery of Designated Resolvers Internet Draft.

Note To understand this you’ll also need to understand two other Internet Drafts:

Service binding and parameter specification via the DNS, which defines the SVCB resource record, and
Service Binding Mapping for DNS Servers, extends the SVCB standard to support the dns service type

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0