Webkit generated flow management using DNSProxy

Hi! I have been working on one idea for a while but can't figure out the proper way to do that. My app includes Content Filter and DNSProxy providers for filtering logic. And for the NEFilterSocketFlow everything works well, because the connection is first handled from DNSProxy and if it's blocked, NEFilterDataProvider returns datagrams that I wrote from DNSProxy (I return nxdomain). However, for NEFilterBrowserFlow it doesn't work, because WebKit generated flows are for some reason intercepted by Content Filter first, and at the time when the flow is checked for rules, there are none yet as DNSProxy hasn't handled the connection yet.

So the app returns the following behaviour:

  1. In case the requested domain is not filtered by DNSProxy, the user is able to visit the requested page, but if it's filtered, the flow just freezes and the page will never load for the user. But I wanted to add proper handling and display a block page.

  2. In case I am using some third-party apps for testing like ICS Dig, filtered domains return nxdomain properly.

Not sure if there's a way to achieve the desired result, but I would be very grateful for any suggestions.

upd: I tried to defer the response for WebKit generated flows in NEFilterDataProvider, but that didn't work well because the handleNewFlow method would not support async operations.

Additionally I tried to add a DNS lookup for flows that are not registered (first connection, when the DNS Proxy hasn't yet made a decision whether the domain is blocked or not), but I assume it didn't work for the same reason. Just ignoring WebKit generated flows is no help because they're just set to NEFilterNewFlowVerdict.allow() by default then.

question: Is it even possible to achieve this goal? And would it work if I form custom response packets for blocked domains (let's say add remediation page ip address) in DNS Proxy target?

What is the reason you need to use NEDNSProxyProvider in this workflow? If you filter WebKit flows with just NEFilterDataProvider and NEFilterControlProvider what functionality is missing that you need to include NEDNSProxyProvider?

Matt Eaton - Networking

I use NEDNSProxyProvider for resolving domains using specified DNS resolvers. When I first started the project, I tried to implement the same functionality just using Content Filter Provider, but that didn't work because NEFilterDataProvider didn't support async operations.

In case the requested domain is not filtered by DNSProxy, the user is able to visit requested page, but if it's filtered, the flow just freezes and the page will never load for user. But I wanted to add proper handling and display block page. I use NEDNSProxyProvider for resolving domains using specified DNS resolvers

Thank you, I believe I understand now. So it sounds like your WebKit flows are not using the system resolver in this case and are possibly freezing because they are not pointed at your specific resolver for resolution, is that correct? I'm not sure if this is an option but if you use NEDNSOverHTTPSSettings, does that provide resolution for your flows? Do you happen to have any more logs on what might be happening when this takes place?

Matt Eaton - Networking

The problem with this is that my NEDNSProxyProvider uses multiple DNS resolvers at the same time (up to three), depending on the user policy, and the way I am using this functionality is by reading and writing datagrams from intercepted flows within NEDNSProxyProvider. If, let's say, one out of three resolvers returned blocked subnets, then I return nxdomain in datagrams for this flow.

The problem here is that WebKit generated flows are handled in Content Filter before DNSProxy, which means that if I allow it by default, the flow will supposedly go through, but because DNSProxy returns nxdomain for the flow, it freezes. However, when I do the same thing with the socket flow, everything works well because the socket flow is handled in Content Filter after DNSProxy returned datagrams for the same flow.

Let's say I have google.com blocked. In this case, if I use some third party app like ICS Dig or Network Tools to send a request for the specified domain, I will receive response status nxdomain, but if I try to do the same in Safari, the flow will freeze instead because Content Filter allowed it before DNSProxy blocked it.

Let's decouple this a bit. If you do not use the Content Filter and just use NEDNSProxyProvider, does it handle WebKit / Safari flows properly? Are you able to resolve these flows?

Also, regarding:

Let's say I have google.com blocked. In this case, if I use some third party app like ICS Dig or Network Tools to send a request for the specified domain, I will receive response status nxdomain, but if I try to do the same in Safari, the flow will freeze instead because Content Filter allowed it before DNSProxy blocked it.

Are you using NEDNSProxyProvider as a mechanism to block traffic? If so, what is your content filter doing?

Matt Eaton - Networking

Let's decouple this a bit. If you do not use the Content Filter and just use NEDNSProxyProvider, does it handle WebKit / Safari flows properly? Are you able to resolve these flows?

Yes, it works with the content filter on as well. Logs are showing proper flow handling from NEDNSProxyProvider.

Are you using NEDNSProxyProvider as a mechanism to block traffic? If so, what is your content filter doing?

I needed Content Filter to handle IP connections or connections that don't have a hostname. At first the app didn't have Content Filter Providers, but then I soon realised that I needed it to handle traffic that's not intercepted by the NEDNSProxyProvider.

It seems like the issue was also related to the way I am handling packets in DNSProxy. As the packet comes in hex form, it was possible to compare the hex of the expected packet with the actual one. It was found that my code wasn't properly serializing the packets from the structure because of the name pointers.

After it was resolved I was able to add immediate blocking by just returning the proper packet for nxdomain. Even though I am still working on remediation, I think it should work similarly.
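The resolution above (the NXDOMAIN datagram was malformed because names containing compression pointers were not serialized correctly) is easy to get wrong when a proxy copies the question section byte-for-byte into a new message. The following is an added example, not code from the thread or from the poster's project: a minimal parser for the DNS header and question section that follows compression pointers (RFC 1035 section 4.1.4), a builder for a well-formed NXDOMAIN reply that echoes the query's ID and questions, and a block-list verdict function of the kind the poster describes running inside the DNS proxy. The sample query bytes, the domain names and the function names are constructed for this example; a real NetworkExtension provider would hand the returned bytes back to the flow it read the query from.

```python
# Added example (not the thread's or the poster's code). Shows DNS name
# compression handling and a well-formed NXDOMAIN reply for an intercepted
# query datagram. All names and sample bytes are constructed.
import struct
from typing import Optional

RCODE_NXDOMAIN = 3
QTYPE_A, QTYPE_AAAA = 1, 28


def read_name(msg: bytes, offset: int):
    """Read a name at `offset`, following compression pointers.

    Returns (dotted_name, offset just past the name at its original position).
    A pointer is two bytes whose top two bits are 11; the low 14 bits are an
    offset into the message. Only the first pointer fixes where the caller
    resumes; the labels it points at live elsewhere in the message.
    """
    labels, end, hops = [], None, 0
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            target = ((length & 0x3F) << 8) | msg[offset + 1]
            if end is None:
                end = offset + 2                       # caller resumes here
            hops += 1
            if target >= offset or hops > 16:          # pointers must go backwards
                raise ValueError("bad compression pointer")
            offset = target
            continue
        if length & 0xC0:                              # 01/10 label types are reserved
            raise ValueError("unsupported label type")
        offset += 1
        if length == 0:                                # root label ends the name
            return ".".join(labels) or ".", (end if end is not None else offset)
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def encode_name(name: str) -> bytes:
    """Serialize a dotted name as plain length-prefixed labels, never pointers."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        if len(label) > 63:
            raise ValueError("label too long")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_message(msg: bytes) -> dict:
    """Parse the header and the question section of a DNS message."""
    if len(msg) < 12:
        raise ValueError("short header")
    qid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    offset, questions = 12, []
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        if offset + 4 > len(msg):
            raise ValueError("truncated question")
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    return {"id": qid, "flags": flags, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "questions": questions}


def build_query(qid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """Build a standard recursive query with one question (for sample input)."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_nxdomain(query: bytes) -> bytes:
    """NXDOMAIN reply echoing the query's ID, opcode, RD bit and questions.

    The questions are re-serialized with encode_name, so a compression pointer
    in the query is expanded instead of being copied into a message where its
    offset would no longer be valid (the serialization bug described above).
    """
    parsed = parse_message(query)
    if parsed["is_response"]:
        raise ValueError("not a query")
    flags = parsed["flags"]
    resp_flags = 0x8000 | (flags & 0x7800) | (flags & 0x0100) | 0x0080 | RCODE_NXDOMAIN
    header = struct.pack("!6H", parsed["id"], resp_flags, len(parsed["questions"]), 0, 0, 0)
    body = b"".join(encode_name(n) + struct.pack("!HH", t, c) for n, t, c in parsed["questions"])
    return header + body


def verdict_for_query(query: bytes, blocked: set) -> Optional[bytes]:
    """Proxy decision: an NXDOMAIN datagram if any question names a blocked
    domain or a subdomain of one, else None meaning forward upstream."""
    for name, _t, _c in parse_message(query)["questions"]:
        parts = name.rstrip(".").lower().split(".")
        if any(".".join(parts[i:]) in blocked for i in range(len(parts))):
            return build_nxdomain(query)
    return None


# Constructed sample: two questions; the second name is "mail" plus a pointer to
# offset 16, where "example.com" begins inside the first question's name.
SAMPLE_QUERY = (b"\x12\x34\x01\x00\x00\x02\x00\x00\x00\x00\x00\x00"
                + b"\x03www\x07example\x03com\x00" + b"\x00\x01\x00\x01"
                + b"\x04mail\xc0\x10" + b"\x00\x1c\x00\x01")

if __name__ == "__main__":
    print(parse_message(SAMPLE_QUERY)["questions"])
    print(verdict_for_query(SAMPLE_QUERY, {"example.com"}).hex())
```

The reply carries no SOA record in the authority section, so resolvers will not negatively cache it; that is acceptable for an inline filter that answers every query itself, and it keeps the datagram trivially well-formed. The backward-pointer and hop-count checks in read_name matter for a proxy that parses untrusted datagrams: a forward or self-referencing pointer would otherwise loop the parser.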
