DoH for all domains except some specific ones

I have a VPN configuration that starts a PacketTunnelProvider extension. In there I set the DoH server URL and start / stop everything, pretty straightforward.

I want to exclude certain domains, such as "google.com" or "apple-dns.net", to lower the traffic on my DoH server.

I tried a couple of variations of onDemand rules, yet none of them work for me. Is there a way I can route DNS requests to my DoH server for all domains except custom-defined domains?

Examples I've tried thus far

I'll spare the boilerplate code for creating the NETunnelProviderManager and for setting the rules + isOnDemandEnabled flag in the following examples, except the first one:

1

// create the NETunnelProviderManager (boilerplate omitted)
let evaluationRule = NEOnDemandRuleEvaluateConnection()

// Evaluate-connection rules need the enum case, e.g. .neverConnect
let ignoreDomainRule = NEEvaluateConnectionRule(matchDomains: ["apple.com"], andAction: .neverConnect)

evaluationRule.connectionRules = [ignoreDomainRule]
manager.onDemandRules = [evaluationRule] // onDemandRules is an array of NEOnDemandRule
manager.isOnDemandEnabled = true

2

let ignoreDomainRule = NEEvaluateConnectionRule(matchDomains: ["apple.com"], andAction: .neverConnect)

[ignoreDomainRule, NEOnDemandRuleConnect()]

3

let ignoreDomainRule = NEEvaluateConnectionRule(matchDomains: ["apple.com"], andAction: .connectIfNeeded)
ignoreDomainRule.useDNSServers = ["8.8.8.8"]

[ignoreDomainRule, NEOnDemandRuleConnect()]
// or [ignoreDomainRule]

4

let disconnectRule = NEOnDemandRuleDisconnect()
disconnectRule.dnsSearchDomainMatch = ["apple.com"]

[disconnectRule, NEOnDemandRuleConnect()]

5

let evaluationRule = NEOnDemandRuleEvaluateConnection()

let ignoreDomainRule = NEEvaluateConnectionRule(matchDomains: ["apple.com"], andAction: .neverConnect)

let connectRule = NEEvaluateConnectionRule(matchDomains: [""], andAction: .connectIfNeeded)

evaluationRule.connectionRules = [connectRule]
Answered by DTS Engineer in 790715022

I don’t see any way for on-demand rules to help you here. Rather, I’d look to the properties within NEDNSOverHTTPSSettings itself (well, more accurately, the NEDNSSettings super class).

However, I don’t think that’ll help either. When you start your packet tunnel, does it become the default route? If so, its DNS settings apply and AFAICT there’s no way to exclude specific domains. That is, there’s no opposite of the matchDomains property.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
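To illustrate the point about matchDomains, here is an added example that is not code from the original thread, from Apple, or from the DTS answer. It shows the one direction NEDNSSettings does support: a packet tunnel that is not the default route and whose NEDNSOverHTTPSSettings carries an include-list, so only the listed domains go to the DoH resolver and every other query stays with the system resolver. The class name, addresses, resolver URL and domain list are placeholders I made up for the example.

```swift
import NetworkExtension

// Added example (not from the original thread). A packet tunnel provider whose
// DNS settings use NEDNSSettings.matchDomains as an include-list: queries for
// these domains and their subdomains go to the tunnel's DoH resolver, everything
// else stays on the system resolver. There is no exclude-list counterpart, which
// is why "all domains except X" cannot be expressed with these settings.
final class SplitDNSTunnelProvider: NEPacketTunnelProvider {

    // Placeholder values (RFC 5737 documentation ranges and example.com);
    // replace with your own tunnel addressing and resolver.
    private let tunnelRemoteAddress = "198.51.100.1"
    private let tunnelLocalAddress  = "10.8.0.2"
    private let dohResolverIP       = "203.0.113.53"
    private let dohServerURL        = URL(string: "https://doh.example.com/dns-query")!

    // Only these domains are resolved through DoH (include-list semantics).
    private let dohOnlyDomains = ["internal.example.com", "corp.example.net"]

    override func startTunnel(options: [String : NSObject]?,
                              completionHandler: @escaping (Error?) -> Void) {
        let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: tunnelRemoteAddress)

        // A /32 interface address with no included routes: the tunnel does not
        // become the default route, so its DNS settings apply only to the
        // domains in matchDomains instead of to every query on the device.
        let ipv4 = NEIPv4Settings(addresses: [tunnelLocalAddress],
                                  subnetMasks: ["255.255.255.255"])
        ipv4.includedRoutes = []
        settings.ipv4Settings = ipv4

        // servers: the resolver's IP address so it is reachable before any name
        // resolution happens; serverURL selects DNS-over-HTTPS as the transport.
        let dns = NEDNSOverHTTPSSettings(servers: [dohResolverIP])
        dns.serverURL = dohServerURL
        dns.matchDomains = dohOnlyDomains   // include-list, not an exclude-list
        settings.dnsSettings = dns

        setTunnelNetworkSettings(settings) { error in
            completionHandler(error)
        }
    }

    override func stopTunnel(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        completionHandler()
    }
}
```

If the tunnel instead installs a default route (NEIPv4Route.default() in includedRoutes), matchDomains no longer narrows anything: the tunnel's resolver then handles every query, which is the situation the answer above describes and the reason the exclusion the question asks for has no setting to express it.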

