How to redirect DNS requests to custom resolver.

Question

iTinkerBell1988 OP

Created Mar ’17

Replies 14

Boosts 0

Views 8.9k

Participants 9

Hi, everyone.

I am trying to override dns resolver settings in my app.

I used NEVPNManager to install a personal vpn and then used onDemandRules to set specific dns servers.

So far my code works for some domains.

Below is my code.

When I put "*.com" in matchDomains, it works perfectly.

But what I wnat to do is to redirect all dns queries to specific dns server.

I tried empty matchDomains([]) and empty string([""]).

I also tried wildcard expression like ["*"] and ["*.*].

So far I had no success.

It's been a few days and I still can't figure it out.

Can anybody tell me what I am missing here?

Thanks in advance.

let manager = NEVPNManager.sharedManager()
manager.loadFromPreferencesWithCompletionHandler { error in
    if let vpnError = error {
        print("vpn error in loading preferences : \(vpnError)")
        return
    }
   
    if manager.protocolConfiguration == nil {
        let myIPSec = NEVPNProtocolIPSec()
        myIPSec.username = "username"
        myIPSec.serverAddress = "server address"
        myIPSec.passwordReference = self.getPersistentRef()
        myIPSec.authenticationMethod = NEVPNIKEAuthenticationMethod.SharedSecret
        myIPSec.sharedSecretReference = self.getPersistentRef()
        myIPSec.useExtendedAuthentication = true
       
        manager.protocolConfiguration = myIPSec
        manager.localizedDescription = "myDNS"
       
        let evaluationRule = NEEvaluateConnectionRule(matchDomains: ["*.com"], andAction: NEEvaluateConnectionRuleAction.ConnectIfNeeded)
        evaluationRule.useDNSServers = ["***.***.***.***"]
       
        let onDemandRule = NEOnDemandRuleEvaluateConnection()
        onDemandRule.connectionRules = [evaluationRule]
        onDemandRule.interfaceTypeMatch = NEOnDemandRuleInterfaceType.Any
       
        manager.onDemandRules = [onDemandRule]
        manager.onDemandEnabled = true
        manager.enabled = true
       
        manager.saveToPreferencesWithCompletionHandler { error in
            if let vpnError = error {
                print("vpn error in saving preferences : \(vpnError)")
                return
            }
        }
    }
}

Boost

Answer 1

ssakthivel85 OP

Oct ’17

Hi,

Did you get answer to this? I also want to do the same to redirect all DNS requests to DNS server. But I am able to do only with *.com. Can we redirect all the request to DNS server using ondemand evaluate connection rule.

Thanks

0

Answer 2

DTS Engineer OP

Apple

Oct ’17

I also want to do the same to redirect all DNS requests to DNS server.

You should definitely look at

NEDNSProxyProvider

rather than trying to do it via the VPN subsystem.

NEDNSProxyProvider

was specifically designed for this task.

There’s some basic background on this facility in WWDC 2017 Session 707 Advances in Networking, Part 1. While there’s no formal documentation on this yet, there’s good reference documentation in the various headers, namely:

```
<NetworkExtension/NEDNSProxyManager.h>
```
```
<NetworkExtension/NEDNSProxyProvider.h>
```

<NetworkExtension/NEDNSProxyProviderProtocol.h>

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

0

Answer 3

ssakthivel85 OP

Oct ’17

Thanks for your help on this. I am going to look into the reference documentation in the headers. Could you please clarify whether NEDNSProxyProvider is enabled for all the developers or only for enterprise developers.

0

Answer 4

DTS Engineer OP

Apple

Oct ’17

Could you please clarify whether NEDNSProxyProvider is enabled for all the developers or only for enterprise developers.

All developers.

However, I think the question you meant to ask is whether

NEDNSProxyProvider

can be deployed to all devices (as opposed to some of the other Network Extension providers, which are limited to managed or supervised devices). I’m going to check on that and get back to you.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

0

Answer 5

adam48 OP

Oct ’17

+1 on this. We have essentially been using the NEPacketTunnelProvider as a DNS proxy for some time, and have run into a ton of Apple-acknowledged bugs because of the routing we are using. It would be great to switch over to the official implementation of this, but supervision being required would obviously be a nonstarter, and MDM would not be ideal either.

0

Answer 6

DTS Engineer OP

Apple

Oct ’17

[Can]
NEDNSProxyProvider
… be deployed to all devices (as opposed to some of the other Network Extension providers, which are limited to managed or supervised devices).

I’ve just confirmed that, as things currently stand,

NEDNSProxyProvider

is limited to supervised devices. We have a bug on file (r. 34843801) requesting that this restriction be lifted. I suspect that this will happen but, as per usual, I can’t make any specific promises about that, or about the timeline for this change. It certainly wouldn’t hurt for each of you to file your own bug describing your use case, how this restriction is affecting you, and what workarounds you’ve resorted to.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

0

Answer 7

ssakthivel85 OP

Oct ’17

oops. This is little disappointing. I have logged a bug (r34930412) . Let's see how it goes. Really it will be difficult to handle DNS packets through VPN subsystem or tunnel provider.It will be much better if we get access to this api for all the devices soon.

0

Answer 8

328475380936 OP

Nov ’17

Hi how did the bug go with Apple go?

We are implementing a similar thing for our app and facing the same challenges. It seems silly from a security standpoint that we have to resort to tricks moving network activity off the device or launching fake DNS servers versus simply using the NEDNSProxyManager solution.

0

Answer 9

DTS Engineer OP

Apple

Nov ’17

ssakthivel85’s bug (r. 34930412) was closed as a duplicate of another developer’s bug (r. 34843801). I can’t give any more details beyond the fact that all shipping and seeded releases still have this restriction, so any change will have to come in a later release.

It seems silly from a security standpoint that we have to resort to tricks moving network activity off the device or launching fake DNS servers versus simply using the NEDNSProxyManager solution.

That’s my general feeling as well, but it takes time to make changes like this.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

0

Answer 10

nooges OP

Jun ’18

Has there been any updates on if this bug has been fixed and is available in a recent release?

0

Answer 11

robmaceachern OP

Jun ’18

Hi Quinn,

Do you know if the situation with NEDNSProxyProvider on non-supervised devices has changed in iOS 12?

0

Answer 12

DTS Engineer OP

Apple

Jul ’18

Do you know if the situation with NEDNSProxyProvider on non-supervised devices has changed in iOS 12?

My understanding is that it has not )-:

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

0

Answer 13

idogoldb OP

Oct ’18

Hi eskimo, Has there been any progress on the NEDNSProxyProvider subject for non-supervised devices?

0

Answer 14

DTS Engineer OP

Apple

Nov ’18

Has there been any progress on the NEDNSProxyProvider subject for non-supervised devices?

No )-:

One thing you can do here is file your own bug report about this, asking it to be dup’d to the lead bug here (r. 34843801). Once you do that you’ll be able to see the status of the lead bug (not much status, just Open/Closed, but that’s better than nothing) and thus you won’t need to poll this thread.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

0