iOS 9.3 beta VPN On Demand ignores useDNSServers

Hello,


I'm experiencing some problems related to a bug present in all iOS 9.3 betas (including beta 7). I have submitted a bug report to Apple, but there's no response so far, so I've decided to post it here and ask if anyone else got affected by this. I'm also counting on the chance that someone from Apple will see this information. It's important for me, because, if not fixed, it will cause some of my apps to stop working properly, and it seems there's no way around it.


More information about the bug:


For VPN OnDemand connection profile ("ConnectIfNeeded"), when the VPN should be triggered for specified list of domains ("matchDomains") with additional condition set via "useDNSServers", the connection to VPN is being triggered even when DNS servers return a proper result. It appears that iOS 9.3 ignores the fact that the useDNSServers is specified and triggers the VPN without checking the DNS.


Steps to Reproduce: Create and install a NEVPNManager object instance configured this way (below is a print of the NEVPNManager configuration):


action = evaluate-connection
interfaceTypeMatch = any
connectionRules = (
     {
          action = connect-if-needed
          matchDomains = (
               internal.vpn,
          )
          useDNSServers = (
               10.10.22.1,
               10.10.23.1,
          )
     },
)

Expected Results:

When connecting to "test.internal.vpn" in Safari or any third party app, because the DNS servers 10.10.22.1 and 10.10.23.1 return a proper "IN A" record when resolving the domain test.internal.vpn, the VPN should not be triggered.

Actual Results:

Current beta of iOS seems to ignore the useDNSServers value set in the NEVPNManager object and does not use the specified list of DNS servers for domain resolution. The VPN is triggered every time for the domains given in the "matchDomains" array when it matches the requested domain. According to the documentation, the VPN should be triggered only when the specified DNS servers (listed in "useDNSServers") return an error (for instance an NXDOMAIN response, or they are not reachable at all, which is not the case in my scenario).

Version:

All iOS 9.3 beta builds released to date

Notes:

The code that worked properly and as expected on all iOS 9 releases (iOS 9.0 - 9.2.1) now doesn't work at all. This breaks compatibility across all devices that will receive the iOS 9.3 update if the bug is not fixed. We've tested this on multiple devices and on both Wi-Fi and cellular networks.

Configuration:

iPhone 6S 64GB Wi-Fi + Cellular, iPad Mini 3 Wi-Fi + Cellular, iPhone 5S 32GB Wi-Fi + Cellular

Any advice will be greatly appreciated.
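For reference, the rule set printed above, built with the NetworkExtension API. This is an added example, not the poster's code; the IKEv2 server name and the keychain reference are placeholders.

```swift
import NetworkExtension

/// Builds the on-demand rule set from the report: evaluate-connection on any
/// interface, connect-if-needed for *.internal.vpn, but only after the two
/// listed resolvers fail to answer. If they return a record, no VPN is started.
func makeOnDemandRules() -> [NEOnDemandRule] {
    let connectIfNeeded = NEEvaluateConnectionRule(
        matchDomains: ["internal.vpn"],
        andAction: .connectIfNeeded)
    // Resolvers consulted before the decision. The report says iOS 9.3
    // ignores this list and connects regardless of the DNS answer.
    connectIfNeeded.useDNSServers = ["10.10.22.1", "10.10.23.1"]

    let evaluate = NEOnDemandRuleEvaluateConnection()
    evaluate.interfaceTypeMatch = .any
    evaluate.connectionRules = [connectIfNeeded]
    return [evaluate]
}

/// Placeholder tunnel configuration; the saved profile must carry one.
/// Assumed values: replace server address and the shared-secret reference.
func makePlaceholderProtocol() -> NEVPNProtocolIKEv2 {
    let ikev2 = NEVPNProtocolIKEv2()
    ikev2.serverAddress = "vpn.example.com"          // placeholder
    ikev2.remoteIdentifier = "vpn.example.com"       // placeholder
    ikev2.authenticationMethod = .sharedSecret
    ikev2.sharedSecretReference = nil                // supply a keychain ref
    return ikev2
}

/// Loads the saved VPN preferences, installs the rules and saves them back.
/// The completion handler receives the load or save error, if any.
func installOnDemandRules(completion: @escaping (Error?) -> Void) {
    let manager = NEVPNManager.shared()
    manager.loadFromPreferences { loadError in
        if let loadError = loadError {
            completion(loadError)
            return
        }
        if manager.protocolConfiguration == nil {
            manager.protocolConfiguration = makePlaceholderProtocol()
        }
        manager.onDemandRules = makeOnDemandRules()
        manager.isOnDemandEnabled = true
        manager.saveToPreferences { saveError in
            completion(saveError)
        }
    }
}
```

After saving, printing `NEVPNManager.shared().onDemandRules` should reproduce the dump above; resolving a name under internal.vpn while the VPN stays disconnected is the check that useDNSServers is being honoured.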

Replies

Any response or resolution? I seem to be having a similar issue.

Hi, same problem here. Still works with AnyConnect from Cisco but not with the standard Apple VPN client.

Same problem here. Just tested 9.3.2 beta 3, not fixed.

Just tested 9.3.2 beta 4, not fixed.

This bug has been opened for a long time. Is there any Apple staff who can help resolve it?

The bug is still present in iOS 9.3.2 public release.


We've tried to ask for help through Apple's Regional Developer Relations Manager. He forwarded the problem to the engineering teams and there's no response since then.


We really need someone from Apple to look into this. It appears that it's not an isolated problem and this is affecting more developers. The bug is clearly there...

AppleCare also forwarded my problem to the engineering team several weeks ago, no response yet.

We can now confirm that the bug is still NOT RESOLVED in iOS 9.3.3 beta 1 released today.

We can now confirm that the bug is still NOT RESOLVED in iOS 9.3.3 beta 2.

I can confirm it, too.

Usually when big companies ignore vulnerabilities like this it's because the government is either asking or forcing them to due to their profound passion for surveillance.

I can confirm the bug is NOT RESOLVED on iOS 10 beta 1.

We can now confirm that the bug is still NOT RESOLVED in iOS 9.3.3 beta 4, as well as in iOS 10 beta 1.

No proper response from Apple for 4 months now.

iOS 10 beta 2 fixed this problem finally.

Now let's hope this will also be fixed in final release of iOS 9.3.3.