I have a VPN configuration that starts a PacketTunnelProvider extension. In there I set the DoH server URL and start / stop everything; it's pretty straightforward.
I want to exclude certain domains, e.g. "google.com" or "apple-dns.net", to lower the traffic on my DoH server.
I've tried a couple of variations of on-demand rules, but none of them work for me. Is there a way I can route DNS requests to my DoH server for all domains except custom-defined ones?
Examples I've tried thus far
I've left out the boilerplate code for creating the NETunnelProviderManager and setting the rules plus the isOnDemandEnabled flag in the following examples, except for the first one:
1
import NetworkExtension

// create the NETunnelProviderManager (load/save boilerplate left out)
let manager = NETunnelProviderManager()
let evaluationRule = NEOnDemandRuleEvaluateConnection()
// Swift enum case needs the leading dot: .neverConnect
let ignoreDomainRule = NEEvaluateConnectionRule(matchDomains: ["apple.com"], andAction: .neverConnect)
evaluationRule.connectionRules = [ignoreDomainRule]
// onDemandRules is an array of NEOnDemandRule, not a single rule
manager.onDemandRules = [evaluationRule]
manager.isOnDemandEnabled = true
2
let ignoreDomainRule = NEEvaluateConnectionRule(matchDomains: ["apple.com"], andAction: .neverConnect)
// An NEEvaluateConnectionRule is not an NEOnDemandRule, so it cannot go into
// onDemandRules directly; it has to be wrapped in an NEOnDemandRuleEvaluateConnection.
let evaluationRule = NEOnDemandRuleEvaluateConnection()
evaluationRule.connectionRules = [ignoreDomainRule]
manager.onDemandRules = [evaluationRule, NEOnDemandRuleConnect()]
3
let ignoreDomainRule = NEEvaluateConnectionRule(matchDomains: ["apple.com"], andAction: .connectIfNeeded)
// resolve the matched domains with these servers before deciding whether to connect
ignoreDomainRule.useDNSServers = ["8.8.8.8"]
let evaluationRule = NEOnDemandRuleEvaluateConnection()
evaluationRule.connectionRules = [ignoreDomainRule]
manager.onDemandRules = [evaluationRule, NEOnDemandRuleConnect()]
// or manager.onDemandRules = [evaluationRule]
4
let disconnectRule = NEOnDemandRuleDisconnect()
// dnsSearchDomainMatch matches the current network's DNS search domains, not queried names
disconnectRule.dnsSearchDomainMatch = ["apple.com"]
manager.onDemandRules = [disconnectRule, NEOnDemandRuleConnect()]
5
let evaluationRule = NEOnDemandRuleEvaluateConnection()
let ignoreDomainRule = NEEvaluateConnectionRule(matchDomains: ["apple.com"], andAction: .neverConnect)
// an empty string matches every domain
let connectRule = NEEvaluateConnectionRule(matchDomains: [""], andAction: .connectIfNeeded)
// connection rules are evaluated in order, first match wins; the ignore rule
// has to come before the catch-all (the original listing only had connectRule here)
evaluationRule.connectionRules = [ignoreDomainRule, connectRule]
manager.onDemandRules = [evaluationRule]
I don’t see any way for on-demand rules to help you here. Rather, I’d look to the properties within NEDNSOverHTTPSSettings itself (well, more accurately, the NEDNSSettings superclass).
However, I don’t think that’ll help either. When you start your packet tunnel, does it become the default route? If so, its DNS settings apply and AFAICT there’s no way to exclude specific domains. That is, there’s no opposite of the matchDomains property.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
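To make the point in the answer above concrete, here is an added example (not code from the original thread, nor Apple's own sample code) of how a packet tunnel's DNS over HTTPS settings are built. It assumes iOS 14 or later, a tunnel that installs the default route, and placeholder values for the DoH URL, the tunnel addresses and the domain list; all of those are assumptions for illustration. The only domain-based control NEDNSSettings offers is matchDomains, an include list: naming domains there sends only those queries to the DoH server, which is the inverse of what the question asks for.

```swift
import NetworkExtension

// Added example, not from the original thread. Addresses, the DoH URL and
// the domain list below are placeholders.
class ExamplePacketTunnelProvider: NEPacketTunnelProvider {

    // Builds the tunnel network settings with DoH as the tunnel's resolver.
    // matchDomains is an include list: queries for these domains (and their
    // subdomains) use the tunnel's DNS, all others use the system resolver.
    // There is no exclude list in NEDNSSettings.
    func makeSettings(dohServerURL: URL, onlyForDomains matchDomains: [String]?) -> NEPacketTunnelNetworkSettings {
        let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "198.51.100.1") // placeholder

        let ipv4 = NEIPv4Settings(addresses: ["10.0.0.2"], subnetMasks: ["255.255.255.0"]) // placeholder
        ipv4.includedRoutes = [NEIPv4Route.default()] // tunnel becomes the default route
        settings.ipv4Settings = ipv4

        // No plain DNS server addresses; the DoH endpoint is given by URL.
        let dns = NEDNSOverHTTPSSettings(servers: [])
        dns.serverURL = dohServerURL
        if let domains = matchDomains {
            // Split DNS: only these domains are resolved through the tunnel.
            dns.matchDomains = domains
            dns.matchDomainsNoSearch = true
        }
        // With matchDomains == nil and the tunnel as default route, every DNS
        // query on the device is resolved through the DoH server; the
        // "everything except apple.com" case cannot be expressed here.
        settings.dnsSettings = dns
        return settings
    }

    override func startTunnel(options: [String: NSObject]?, completionHandler: @escaping (Error?) -> Void) {
        let url = URL(string: "https://doh.example.net/dns-query")! // placeholder DoH endpoint
        // Pass a list such as ["internal.example.com"] to get split DNS instead.
        let settings = makeSettings(dohServerURL: url, onlyForDomains: nil)
        setTunnelNetworkSettings(settings) { error in
            completionHandler(error)
        }
    }

    override func stopTunnel(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) {
        completionHandler()
    }
}
```

Passing a domain list to makeSettings(dohServerURL:onlyForDomains:) gives a split-DNS configuration where the named domains go to the DoH server and the rest stay with the system resolver; passing nil sends everything through the tunnel. Neither form expresses "all domains except these", which is the limitation the answer describes.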