Custom proxying with NEDNSProxyProvider

On the documentation page it says

> For example, a DNS proxy provider might: Implement a completely custom DNS proxying protocol

I would like to add some filtering logic to the NEDNSProxyProvider (for example, return NXDOMAIN if the flow does not pass the filtering process). Is it possible to implement this with NEDNSProxyProvider? It also says that

```swift
func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool
```

from NEDNSProxyProvider returns a Boolean value set to true if the proxy implementation decides to handle the flow, or false if it instead decides to terminate the flow link. Does it mean that the filtering logic could be added here by just returning false for the flows that are not matching the rules?

Because I first tried to handle UDP flows like this in the handleNewFlow(_ flow: NEAppProxyUDPFlow) function and form my own packets in connection.transferData, first by passing an empty Data object and then by setting RCODE to 3, which is supposedly the NXDOMAIN response code. However, neither implementation worked: even though I was getting logs about handling failure, the flow was still able to go through.

```swift
// Open the flow, answer every datagram it carries, then close both directions.
try await flow.open(withLocalEndpoint: flow.localEndpoint as? NWHostEndpoint)

// readDatagrams() returns the datagrams together with the remote endpoint each one
// was addressed to; the endpoints are needed again when writing the replies back.
// (A proxy that keeps serving the flow reads again until an empty array comes back.)
let (datagrams, endpoints) = try await flow.readDatagrams()

// parallelMap and DatagramConnection are the poster's own helpers (not shown).
let results = try await datagrams.parallelMap {
    let connection = try DatagramConnection($0)
    return try await connection.transferData()
}

// Each reply is paired with the endpoint of the query it answers.
try await flow.writeDatagrams(results, sentBy: endpoints)

flow.closeReadWithError(nil)
flow.closeWriteWithError(nil)
```

I am new to NEDNSProxyProvider and my networking knowledge is on a pretty basic level, so I would be very grateful to hear any suggestions. Thank you!

Answered by AndriiSulimenko in 792162022

> Does it mean that the filtering logic could be added here by just returning false for the flows that are not matching the rules?

No. If you return false, the process doing the DNS lookup will receive a failure. For the device to work correctly, your DNS proxy must handle all requests on all flows.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Accepted Answer

Thank you for your response!

upd: I implemented custom filtering using datagrams for each flow (read datagrams for each flow and create custom packets for the response)
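The wire-format work behind "create custom packets for the response" (and behind the RCODE 3 attempt in the question) is shown below as an added example; it is not the poster's code and not part of Apple's NetworkExtension framework, and it uses Foundation only so it can be tried outside an extension. It parses the question name from a query datagram as it would come out of readDatagrams(), decides against a constructed blocklist, and builds an NXDOMAIN reply that keeps the query ID and echoes the question so the stub resolver can match it. `filterQuery`, `makeQuery` and the blocklist contents are assumptions made for the example; in the poster's loop the returned reply would replace `connection.transferData()` for blocked names and be written back with `writeDatagrams(_:sentBy:)` against the same endpoint the query came from.

```swift
import Foundation

// Added example (not from the original post or from Apple). `blocklist`,
// `filterQuery` and `makeQuery` are hypothetical names; sample data is constructed.

/// DNS header: ID(2) FLAGS(2) QDCOUNT(2) ANCOUNT(2) NSCOUNT(2) ARCOUNT(2).
let dnsHeaderLength = 12

/// Index just past the first question (name + QTYPE + QCLASS), or nil if malformed.
func firstQuestionEnd(_ bytes: [UInt8]) -> Int? {
    var i = dnsHeaderLength
    while true {
        guard i < bytes.count else { return nil }   // ran off the end before the root label
        let len = Int(bytes[i])
        if len & 0xC0 != 0 { return nil }            // compression pointer: not a plain question name
        i += 1
        if len == 0 { break }                        // root label terminates the name
        i += len
    }
    guard i + 4 <= bytes.count else { return nil }   // QTYPE + QCLASS must follow
    return i + 4
}

/// First question name, e.g. "ads.example.com"; nil for anything we cannot parse,
/// so the caller forwards it upstream instead of guessing.
func queryName(_ packet: Data) -> String? {
    let bytes = [UInt8](packet)
    guard firstQuestionEnd(bytes) != nil else { return nil }
    var labels: [String] = []
    var i = dnsHeaderLength
    while bytes[i] != 0 {
        let len = Int(bytes[i])
        labels.append(String(decoding: bytes[(i + 1)..<(i + 1 + len)], as: UTF8.self))
        i += 1 + len
    }
    return labels.joined(separator: ".")
}

/// NXDOMAIN reply for `query`: same ID, QR=1, RCODE=3, question echoed back,
/// nothing after the question section.
func nxdomainResponse(for query: Data) -> Data? {
    var bytes = [UInt8](query)
    guard let end = firstQuestionEnd(bytes) else { return nil }
    bytes[2] = 0x80 | (bytes[2] & 0x79)        // QR=1, keep OPCODE and RD, clear AA/TC
    bytes[3] = 0x80 | 0x03                     // RA=1, Z=0, RCODE=3 (Name Error)
    bytes[4] = 0; bytes[5] = 1                 // QDCOUNT=1: the echoed question
    for idx in 6..<dnsHeaderLength { bytes[idx] = 0 }   // ANCOUNT, NSCOUNT, ARCOUNT = 0
    return Data(bytes[0..<end])                // drop trailing records (e.g. EDNS OPT)
}

/// Returns the reply to write back to the flow when the name is blocked,
/// or nil when the datagram should be forwarded to the upstream resolver.
func filterQuery(_ query: Data, blocklist: Set<String>) -> Data? {
    guard let name = queryName(query)?.lowercased() else { return nil }
    let blocked = blocklist.contains { name == $0 || name.hasSuffix("." + $0) }
    return blocked ? nxdomainResponse(for: query) : nil
}

/// Minimal A query for `name`; used only to construct sample input here.
func makeQuery(id: UInt16, name: String) -> Data {
    var bytes: [UInt8] = [UInt8(id >> 8), UInt8(id & 0xFF),
                          0x01, 0x00,                           // flags: RD=1
                          0x00, 0x01,                           // QDCOUNT=1
                          0x00, 0x00, 0x00, 0x00, 0x00, 0x00]   // AN/NS/AR = 0
    for label in name.split(separator: ".") {
        let utf8 = Array(label.utf8)
        bytes.append(UInt8(utf8.count))
        bytes.append(contentsOf: utf8)
    }
    bytes.append(0)                                             // root label
    bytes.append(contentsOf: [0x00, 0x01, 0x00, 0x01])          // QTYPE=A, QCLASS=IN
    return Data(bytes)
}

// Constructed sample data: a blocklist and two queries as they might arrive from readDatagrams().
let blocklist: Set<String> = ["ads.example.com", "tracker.example.net"]
let blockedQuery = makeQuery(id: 0x1234, name: "cdn.ads.example.com")
let allowedQuery = makeQuery(id: 0x5678, name: "developer.apple.com")

if let reply = filterQuery(blockedQuery, blocklist: blocklist) {
    // Header of the reply starts: 12 34 81 83 00 01 00 00 00 00 00 00
    print("blocked:", reply.map { String(format: "%02x", $0) }.joined(separator: " "))
}
print("allowed, forward upstream:", filterQuery(allowedQuery, blocklist: blocklist) == nil)
```

Two points follow from the thread. A nil result means the datagram still has to be sent to a real resolver and that resolver's reply written back on the flow, because, as the reply above says, every flow must be handled rather than rejected from handleNewFlow. And a zero-length datagram is not a DNS message at all, so the stub resolver cannot match it to its outstanding query, which is why a reply needs at least the 12-byte header with the original ID before an RCODE of 3 means anything.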
