How to redirect DNS requests to custom resolver.

Hi, everyone.

I am trying to override the DNS resolver settings in my app.

I used NEVPNManager to install a personal VPN and then used onDemandRules to set specific DNS servers.

So far my code works for some domains.

Below is my code.

When I put "*.com" in matchDomains, it works perfectly.

But what I want to do is to redirect all DNS queries to a specific DNS server.

I tried empty matchDomains([]) and empty string([""]).

I also tried wildcard expressions like ["*"] and ["*.*"].

So far I had no success.

It's been a few days and I still can't figure it out.

Can anybody tell me what I am missing here?

Thanks in advance.

// Load the existing personal VPN configuration before changing it.
let manager = NEVPNManager.sharedManager()
manager.loadFromPreferencesWithCompletionHandler { error in
    if let vpnError = error {
        print("vpn error in loading preferences : \(vpnError)")
        return
    }

    // Only build the configuration once; later launches reuse the saved one.
    if manager.protocolConfiguration == nil {
        // IKEv1/IPsec tunnel; credentials are keychain persistent references.
        let myIPSec = NEVPNProtocolIPSec()
        myIPSec.username = "username"
        myIPSec.serverAddress = "server address"
        myIPSec.passwordReference = self.getPersistentRef()
        myIPSec.authenticationMethod = NEVPNIKEAuthenticationMethod.SharedSecret
        myIPSec.sharedSecretReference = self.getPersistentRef()
        myIPSec.useExtendedAuthentication = true

        manager.protocolConfiguration = myIPSec
        manager.localizedDescription = "myDNS"

        // On-demand rule: names matching "*.com" are resolved with the listed
        // servers, and the tunnel is started only if those servers cannot be reached.
        let evaluationRule = NEEvaluateConnectionRule(matchDomains: ["*.com"], andAction: NEEvaluateConnectionRuleAction.ConnectIfNeeded)
        evaluationRule.useDNSServers = ["***.***.***.***"]

        let onDemandRule = NEOnDemandRuleEvaluateConnection()
        onDemandRule.connectionRules = [evaluationRule]
        onDemandRule.interfaceTypeMatch = NEOnDemandRuleInterfaceType.Any

        manager.onDemandRules = [onDemandRule]
        manager.onDemandEnabled = true
        manager.enabled = true

        // Persist the configuration; the user is prompted to allow it on first save.
        manager.saveToPreferencesWithCompletionHandler { error in
            if let vpnError = error {
                print("vpn error in saving preferences : \(vpnError)")
                return
            }
        }
    }
}

Replies

Hi,

Did you get an answer to this? I also want to do the same to redirect all DNS requests to a DNS server. But I am only able to do it with *.com. Can we redirect all the requests to a DNS server using an on-demand evaluate connection rule?

Thanks

  • Were you able to redirect DNS requests? I've done the same code as above, still not working.


I also want to do the same to redirect all DNS requests to DNS server.

You should definitely look at NEDNSProxyProvider rather than trying to do it via the VPN subsystem. NEDNSProxyProvider was specifically designed for this task.

There’s some basic background on this facility in WWDC 2017 Session 707 Advances in Networking, Part 1. While there’s no formal documentation on this yet, there’s good reference documentation in the various headers, namely:

  • <NetworkExtension/NEDNSProxyManager.h>
  • <NetworkExtension/NEDNSProxyProvider.h>
  • <NetworkExtension/NEDNSProxyProviderProtocol.h>

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
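As an added illustration of the approach recommended above (this is example code written for this thread, not Apple's or the poster's): a DNS proxy extension that claims every UDP DNS flow on the device and relays it to one upstream resolver, plus the app-side code that installs it through NEDNSProxyManager. The resolver address 203.0.113.53 and the bundle identifier com.example.myapp.dnsproxy are placeholders. Note the restriction stated later in this thread: the proxy configuration only takes effect on supervised devices.

```swift
import NetworkExtension

// Added example, not code from this thread: a DNS proxy Network Extension that
// claims every UDP DNS flow on the device and relays it to one upstream resolver.
// The resolver address and bundle identifier below are placeholders.
class ForwardingDNSProxyProvider: NEDNSProxyProvider {

    // Assumed upstream resolver (documentation-range address); use a server you control.
    private let upstream = NWHostEndpoint(hostname: "203.0.113.53", port: "53")

    override func startProxy(options: [String: Any]? = nil,
                             completionHandler: @escaping (Error?) -> Void) {
        // Nothing to set up here: each flow gets its own upstream session in handleNewFlow.
        completionHandler(nil)
    }

    override func stopProxy(with reason: NEProviderStopReason,
                            completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    // The system calls this once per DNS flow from any app on the device.
    // Returning true claims the flow; returning false lets the system resolve it normally.
    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        guard let udpFlow = flow as? NEAppProxyUDPFlow else {
            // DNS over TCP (large answers) is left to the system in this example.
            return false
        }
        udpFlow.open(withLocalEndpoint: nil) { error in
            if let error = error {
                NSLog("DNS proxy: could not open flow: \(error)")
                return
            }
            self.relay(udpFlow)
        }
        return true
    }

    // Pump queries from the app's flow to the upstream session, and answers back.
    private func relay(_ flow: NEAppProxyUDPFlow) {
        let session = createUDPSession(to: upstream, from: nil)
        // Remember where the app believed it was sending, so answers are attributed
        // to that endpoint; the app would otherwise discard the reply.
        var queriedEndpoint: NWEndpoint?

        session.setReadHandler({ datagrams, error in
            guard let answers = datagrams, error == nil, let original = queriedEndpoint else {
                flow.closeReadWithError(error)
                flow.closeWriteWithError(error)
                return
            }
            let senders = Array(repeating: original, count: answers.count)
            flow.writeDatagrams(answers, sentBy: senders) { _ in }
        }, maxDatagrams: 16)

        func readNext() {
            flow.readDatagrams { datagrams, endpoints, error in
                guard let queries = datagrams, let endpoints = endpoints,
                      error == nil, !queries.isEmpty else {
                    // An empty read means the app closed the flow.
                    session.cancel()
                    flow.closeReadWithError(error)
                    flow.closeWriteWithError(error)
                    return
                }
                queriedEndpoint = endpoints.first
                for query in queries {
                    // Production code should wait for session.state == .ready (KVO on
                    // "state") before the first write; done unconditionally here for brevity.
                    session.writeDatagram(query) { _ in }
                }
                readNext()
            }
        }
        readNext()
    }
}

// App side: install and enable the proxy configuration (placeholder bundle identifier).
func installDNSProxy() {
    let manager = NEDNSProxyManager.shared()
    manager.loadFromPreferences { error in
        if let error = error {
            NSLog("DNS proxy: load failed: \(error)")
            return
        }
        let proto = NEDNSProxyProviderProtocol()
        proto.providerBundleIdentifier = "com.example.myapp.dnsproxy" // placeholder
        manager.providerProtocol = proto
        manager.localizedDescription = "myDNS"
        manager.isEnabled = true
        manager.saveToPreferences { error in
            if let error = error { NSLog("DNS proxy: save failed: \(error)") }
        }
    }
}
```

Both the app and the extension need the Network Extension entitlement with the dns-proxy capability, and the extension target's bundle identifier must match providerBundleIdentifier. Unlike the on-demand rule in the original post, no matchDomains list is involved: every DNS flow reaches handleNewFlow, which is what makes this the right API for "redirect all queries".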

Thanks for your help on this. I am going to look into the reference documentation in the headers. Could you please clarify whether NEDNSProxyProvider is enabled for all the developers or only for enterprise developers.

Could you please clarify whether NEDNSProxyProvider is enabled for all the developers or only for enterprise developers.

All developers.

However, I think the question you meant to ask is whether NEDNSProxyProvider can be deployed to all devices (as opposed to some of the other Network Extension providers, which are limited to managed or supervised devices). I’m going to check on that and get back to you.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

+1 on this. We have essentially been using the NEPacketTunnelProvider as a DNS proxy for some time, and have run into a ton of Apple-acknowledged bugs because of the routing we are using. It would be great to switch over to the official implementation of this, but supervision being required would obviously be a nonstarter, and MDM would not be ideal either.

[Can] NEDNSProxyProvider … be deployed to all devices (as opposed to some of the other Network Extension providers, which are limited to managed or supervised devices).

I’ve just confirmed that, as things currently stand, NEDNSProxyProvider is limited to supervised devices. We have a bug on file (r. 34843801) requesting that this restriction be lifted. I suspect that this will happen but, as per usual, I can’t make any specific promises about that, or about the timeline for this change. It certainly wouldn’t hurt for each of you to file your own bug describing your use case, how this restriction is affecting you, and what workarounds you’ve resorted to.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Oops. This is a little disappointing. I have logged a bug (r34930412). Let's see how it goes. Really, it will be difficult to handle DNS packets through the VPN subsystem or tunnel provider. It will be much better if we get access to this API for all devices soon.

Hi, how did the bug go with Apple?

We are implementing a similar thing for our app and facing the same challenges. It seems silly from a security standpoint that we have to resort to tricks moving network activity off the device or launching fake DNS servers versus simply using the NEDNSProxyManager solution.

ssakthivel85’s bug (r. 34930412) was closed as a duplicate of another developer’s bug (r. 34843801). I can’t give any more details beyond the fact that all shipping and seeded releases still have this restriction, so any change will have to come in a later release.

It seems silly from a security standpoint that we have to resort to tricks moving network activity off the device or launching fake DNS servers versus simply using the NEDNSProxyManager solution.

That’s my general feeling as well, but it takes time to make changes like this.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Have there been any updates on whether this bug has been fixed and is available in a recent release?

Hi Quinn,

Do you know if the situation with NEDNSProxyProvider on non-supervised devices has changed in iOS 12?

Do you know if the situation with NEDNSProxyProvider on non-supervised devices has changed in iOS 12?

My understanding is that it has not )-:

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi eskimo, Has there been any progress on the NEDNSProxyProvider subject for non-supervised devices?

Has there been any progress on the NEDNSProxyProvider subject for non-supervised devices?

No )-:

One thing you can do here is file your own bug report about this, asking it to be dup’d to the lead bug here (r. 34843801). Once you do that you’ll be able to see the status of the lead bug (not much status, just Open/Closed, but that’s better than nothing) and thus you won’t need to poll this thread.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"