Simultaneous Use of PacketTunnelProvider and DNSProxyProvider extensions

Hi! I'm working on a solution (iOS 18) that uses the Network Extensions PacketTunnelProvider and Content Filter. Currently I'm trying to integrate it with another extension – DNSProxyProvider. My goal is to process DNS queries and use the resolved IPs and names for additional routing inside the packet tunnel. I'm running into a major issue: whenever both the VPN and the DNS proxy are active simultaneously, the device completely loses internet connectivity — no traffic goes through, and DNS resolution seems to stop working entirely. I know about the MDM supervision requirement for using DNSProxyProvider, and that's covered, as I work with a managed device and install a DNS proxy profile; here's what its .mobileconfig file looks like: The DNS proxy itself works fine when working by itself (without the VPN being turned on), as I implemented it so that it successfully processes DNS packet flows while collecting information about domains etc., and everything works perfectly. Problems begin when using the VPN at the same time. I'm aware that the tunnel settings include DNS-related options that can affect this, but I haven't had much luck with tweaking them. Here's how they look right now for reference:

import NetworkExtension

func makeTunnelSettings() -> NEPacketTunnelNetworkSettings {
    let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "240.0.0.1")

    // DNS settings deliberately left commented out: with them set, the tunnel
    // takes over DNS handling and the DNS proxy receives no flows (see below)
    //  let dnsSettings = NEDNSSettings(servers: "8.8.8.8,8.8.4.4".components(separatedBy: ","))
    //  dnsSettings.matchDomains = [""]
    //  settings.dnsSettings = dnsSettings

    settings.proxySettings = nil

    /* ipv4 settings */
    let ipv4Settings = NEIPv4Settings(addresses: ["240.0.0.2"], subnetMasks: ["255.255.255.0"])
    ipv4Settings.includedRoutes = [NEIPv4Route.default()]   // route everything through the tunnel
    settings.ipv4Settings = ipv4Settings

    /* MTU */
    settings.mtu = 1500

    return settings
}

I've tried excluding some DNS-related IP routes and various DNS settings shenanigans, but nothing. I haven't found any information that might suggest that using both of these extensions at the same time doesn't work; on the contrary, this page in the official documentation about the expected use of packet tunnel provider talks about the fact that you should not use it for interception of all DNS traffic, as DNSProxyProvider (or DNS settings) is built for that, which in my mind suggests that there should be no problem with using them both and just splitting the DNS traffic handling off to the proxy. Will be thankful for any help!

In addition, if I uncomment the DNS settings in my tunnel settings setup and use the PacketTunnel and DNSProxy like this, the internet does work, but as I understand it that's thanks to the tunnel taking over the DNS handling, so the proxy doesn't receive anything. Based on this behavior I'm not sure if it's really possible to use both the tunnel and the DNS proxy in the way I want to.
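As an added example (not code from the original post), here is a stand-alone version of the piece of the DNS proxy the post describes: pulling the queried name out of each datagram the proxy reads, so it can be logged or matched against a routing policy before the query is forwarded. It assumes a UDP query in RFC 1035 wire format, embeds a constructed sample query, and uses a function name (dnsQuestionName) that I chose.

```swift
import Foundation

/// Parses the first question name from a raw DNS query datagram (RFC 1035 wire format).
/// Returns nil for responses, malformed packets, or packets that use compression
/// pointers in the question section (a client query never legitimately does).
func dnsQuestionName(in datagram: Data) -> String? {
    let bytes = [UInt8](datagram)
    guard bytes.count >= 12 else { return nil }                 // fixed 12-byte header
    guard bytes[2] & 0x80 == 0 else { return nil }              // QR bit set => this is a response
    let qdcount = Int(bytes[4]) << 8 | Int(bytes[5])
    guard qdcount >= 1 else { return nil }

    var offset = 12
    var labels: [String] = []
    while true {
        guard offset < bytes.count else { return nil }          // ran off the end mid-name
        let len = Int(bytes[offset])
        offset += 1
        if len == 0 { break }                                   // root label terminates the name
        guard len & 0xC0 == 0, len <= 63 else { return nil }    // reject pointers / oversized labels
        guard offset + len <= bytes.count else { return nil }
        guard let label = String(bytes: bytes[offset..<offset + len], encoding: .ascii) else {
            return nil
        }
        labels.append(label)
        offset += len
    }
    guard offset + 4 <= bytes.count else { return nil }         // QTYPE + QCLASS must follow
    return labels.joined(separator: ".")
}

// Constructed sample: standard query, ID 0x1234, RD set, QDCOUNT = 1, question "example.com" A IN.
let sampleQuery = Data([
    0x12, 0x34, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x07, 0x65, 0x78, 0x61, 0x6d, 0x70, 0x6c, 0x65,       // "example"
    0x03, 0x63, 0x6f, 0x6d,                               // "com"
    0x00,                                                 // root label
    0x00, 0x01, 0x00, 0x01                                // QTYPE A, QCLASS IN
])

print(dnsQuestionName(in: sampleQuery) ?? "malformed")
```

Given the sample datagram the function yields "example.com". Inside an NEDNSProxyProvider this would run on each datagram returned by readDatagrams on an NEAppProxyUDPFlow; the QR check keeps responses out of the domain log, and the length and pointer checks mean a malformed packet produces nil rather than a crash in the extension.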

I’m a bit lost here. It looks like you’re building three components:

  • Packet tunnel provider

  • Content filter

  • DNS proxy provider

Is that right? That’s 8 possible combinations. Which ones work and which ones fail?

ps You wrote:

I know about the mdm supervision requirement

Supervision is also a requirement for content filter.

And in both cases this is only necessary for distribution-signed builds. During bring up I recommend that you use development-signed builds, which avoids the need for supervision and lets you configure your content filter and DNS proxy programmatically, avoiding all that messing around with configuration profiles.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
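The programmatic setup Quinn recommends for development-signed builds, written out as an added example (not code from Apple or from anyone in the thread): one helper per component, so each of the eight combinations can be switched on and off from the container app without touching a configuration profile. The bundle identifiers, the localized descriptions, and the DevConfigurator and ComponentSwitches names are placeholders I chose; the server address mirrors the tunnelRemoteAddress in the original post.

```swift
import NetworkExtension

// Placeholder bundle identifiers: replace with the identifiers of your own extensions.
enum ExtensionIDs {
    static let tunnel   = "com.example.app.packet-tunnel"
    static let dnsProxy = "com.example.app.dns-proxy"
}

/// One row of the 2x2x2 matrix: which components should be active.
struct ComponentSwitches {
    var tunnel: Bool
    var filter: Bool
    var dnsProxy: Bool
}

enum DevConfigurator {

    /// Enable or disable the DNS proxy extension. isEnabled = false keeps the saved
    /// configuration but takes the proxy out of the active set.
    static func setDNSProxy(enabled: Bool) async throws {
        let manager = NEDNSProxyManager.shared()
        try await manager.loadFromPreferences()
        let proto = NEDNSProxyProviderProtocol()
        proto.providerBundleIdentifier = ExtensionIDs.dnsProxy
        manager.providerProtocol = proto
        manager.localizedDescription = "Dev DNS proxy"
        manager.isEnabled = enabled
        try await manager.saveToPreferences()
    }

    /// Enable or disable the content filter. On iOS the filter extension is located
    /// by the app's own bundle, so only the socket-level filter flag is set here.
    static func setContentFilter(enabled: Bool) async throws {
        let manager = NEFilterManager.shared()
        try await manager.loadFromPreferences()
        let config = NEFilterProviderConfiguration()
        config.filterSockets = true
        manager.providerConfiguration = config
        manager.localizedDescription = "Dev content filter"
        manager.isEnabled = enabled
        try await manager.saveToPreferences()
    }

    /// Create (or reuse) the tunnel configuration, then start or stop the tunnel.
    static func setPacketTunnel(enabled: Bool) async throws {
        let existing = try await NETunnelProviderManager.loadAllFromPreferences()
        let manager = existing.first ?? NETunnelProviderManager()
        let proto = NETunnelProviderProtocol()
        proto.providerBundleIdentifier = ExtensionIDs.tunnel
        proto.serverAddress = "240.0.0.1"            // same address as tunnelRemoteAddress in the post
        manager.protocolConfiguration = proto
        manager.localizedDescription = "Dev packet tunnel"
        manager.isEnabled = enabled
        try await manager.saveToPreferences()
        try await manager.loadFromPreferences()      // a freshly loaded configuration is required before starting
        if enabled {
            try manager.connection.startVPNTunnel()
        } else {
            manager.connection.stopVPNTunnel()
        }
    }

    /// Apply one combination; the order matters only in that the tunnel is started last,
    /// after the other two components are already in their final state.
    static func apply(_ s: ComponentSwitches) async throws {
        try await setContentFilter(enabled: s.filter)
        try await setDNSProxy(enabled: s.dnsProxy)
        try await setPacketTunnel(enabled: s.tunnel)
    }
}
```

Calling apply(ComponentSwitches(tunnel: true, filter: false, dnsProxy: true)) reproduces the failing pair from the post, and walking the other seven rows gives the table Quinn asks for. The loadFromPreferences call after saveToPreferences in setPacketTunnel is not redundant: startVPNTunnel fails on a manager whose configuration has been saved but not reloaded. On distribution-signed builds the filter and DNS proxy saves are subject to the supervision requirement discussed in the thread.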

Is that right? That’s 8 possible combinations. Which ones work and which ones fail?

That's right, the solution uses (or at least tries to use) those three components, although we can omit the Content Filter in the context of this problem, because I've already confirmed that its presence doesn't make a difference. The problem I'm facing is with the use of Packet Tunnel Provider and DNS Proxy Provider: separately they do work (including paired with the Content Filter), but after turning the Packet Tunnel on with a running DNS Proxy, the internet connection fully drops – no new flows in the DNS Proxy and no packets going through the tunnel. All of the further context is provided in the original post.
