Hi, TLDR: On iOS, when my PacketTunnel is running, can I exclude DNS requests from going into the tunnel?
I have a test app, using Apple's AsyncDNSResolver, that makes a DNS call and it works when the tunnel is not running.
If the tunnel is running, it times out after 30 seconds and I get the error -65568.
Here's how I'm setting up the tunnel:
import NetworkExtension

// Inside my NEPacketTunnelProvider subclass. ProxyServerConfiguration and
// LocalProxyServerConfiguration are my own types holding the proxy host/port.
func setup(tunnelRemoteAddress: String) {
    let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: tunnelRemoteAddress)

    // Claim the default route, so all IPv4 traffic is sent to the tunnel.
    settings.ipv4Settings = NEIPv4Settings(addresses: [tunnelRemoteAddress], subnetMasks: ["255.255.255.255"])
    settings.ipv4Settings?.includedRoutes = [NEIPv4Route.default()]

    // HTTP/HTTPS proxy settings pushed to the system while the tunnel is up.
    let proxySettings = NEProxySettings()
    proxySettings.httpEnabled = true
    proxySettings.httpServer = NEProxyServer(address: ProxyServerConfiguration.host, port: ProxyServerConfiguration.port)
    proxySettings.httpsEnabled = true
    proxySettings.httpsServer = NEProxyServer(address: LocalProxyServerConfiguration.host, port: LocalProxyServerConfiguration.port)
    proxySettings.excludeSimpleHostnames = true
    proxySettings.exceptionList = nil

    // DNS server the system should use while the tunnel is active.
    let dnsSettings = NEDNSSettings(servers: ["8.8.8.8"])
    settings.dnsSettings = dnsSettings
    settings.proxySettings = proxySettings

    setTunnelNetworkSettings(settings) { error in
        // ...
    }
}
I've tried all combinations of setting/excluding the NEDNSSettings but the DNS call always fails when the tunnel is running.
Thanks for any help.
> using Apple's AsyncDNSResolver
Technically that’s not an Apple thing but an open source thing. But given that you’re using it on an Apple platform, it should just be a wrapper around DNS-SD, which is our lowest-level interface to the system DNS resolver.
> can I exclude DNS requests from going into the tunnel?
You can’t, as such. Packet tunnel providers typically operate in destination IP mode [1]. If your provider’s tunnel claims the route to the IP address of the DNS server, that traffic will go over your tunnel.
In your case you’re claiming the default route and thus it’s likely that DNS traffic will go over your tunnel [2].
> If the tunnel is running it times out after 30 seconds and I get the error -65568.
Is your packet tunnel provider receiving DNS request packets? Does it do anything useful with them?
I get the feeling that you’re trying to use a packet tunnel provider for something that’s not a VPN tunnel. DTS doesn’t support that, as explained in TN3120 Expected use cases for Network Extension packet tunnel providers.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] In managed environments you can configure them to use source application mode, that is, per-app VPN, but I don’t think that’s relevant to your setup.
[2] Although not guaranteed. It’s not uncommon for the gateway on a home network to configure clients to use the gateway itself as the DNS server. In that case the traffic will go directly, because the DNS server is on a directly connected network.
Having said that, if your tunnel configures DNS settings then the fact that it’s the default route will make those settings active. So in your example, you’ve configured DNS to use 8.8.8.8 and that will always go over your tunnel.
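The reply asks whether the provider is actually receiving DNS request packets. One way to answer that from inside the extension is to inspect what comes out of the packet flow and count the UDP packets addressed to port 53. The code below is an added example for this thread, not code from the original poster or from Apple; the class, subsystem name and helper names are the example's own, and the parsing covers IPv4/UDP only.

```swift
import Foundation
import NetworkExtension
import os.log

/// Minimal view of one IPv4/UDP packet, enough to recognise a DNS query.
struct PacketSummary {
    let destinationAddress: String
    let destinationPort: UInt16
    var isDNS: Bool { destinationPort == 53 }
}

/// Parses the IPv4 and UDP headers of a raw packet handed over by
/// NEPacketTunnelFlow.readPackets. Returns nil for anything that is not IPv4/UDP
/// or that is too short to carry both headers.
func summarizeIPv4UDP(_ packet: Data) -> PacketSummary? {
    let bytes = [UInt8](packet)
    guard bytes.count >= 20 else { return nil }
    let version = bytes[0] >> 4
    let headerLength = Int(bytes[0] & 0x0F) * 4          // IHL is counted in 32-bit words
    guard version == 4, headerLength >= 20, bytes.count >= headerLength + 8 else { return nil }
    guard bytes[9] == 17 else { return nil }             // IP protocol 17 is UDP
    let dst = bytes[16..<20].map { String($0) }.joined(separator: ".")
    let portOffset = headerLength + 2                    // UDP header: src port (2), dst port (2)
    let port = UInt16(bytes[portOffset]) << 8 | UInt16(bytes[portOffset + 1])
    return PacketSummary(destinationAddress: dst, destinationPort: port)
}

/// Hypothetical provider subclass that only observes traffic; it exists to show
/// where the check sits. A real provider must also forward the packets it reads.
final class DiagnosticTunnelProvider: NEPacketTunnelProvider {
    private let log = OSLog(subsystem: "example.tunnel", category: "dns")  // assumed subsystem name
    private var dnsPacketCount = 0

    /// Start this once setTunnelNetworkSettings has completed without error.
    /// It re-arms itself after each batch until the tunnel is stopped.
    func startReadingPackets() {
        packetFlow.readPackets { [weak self] packets, protocols in
            guard let self = self else { return }
            for (packet, proto) in zip(packets, protocols) {
                // Only IPv4 is parsed here; AF_INET6 packets are skipped.
                guard proto.int32Value == AF_INET,
                      let summary = summarizeIPv4UDP(packet) else { continue }
                if summary.isDNS {
                    self.dnsPacketCount += 1
                    os_log("DNS query #%d to %{public}@ reached the tunnel",
                           log: self.log, self.dnsPacketCount, summary.destinationAddress)
                }
            }
            self.startReadingPackets()
        }
    }
}
```

If the counter stays at zero while the resolver times out, the queries never reached the extension and the problem is in the routing or DNS settings; if it climbs, the packets are arriving and the provider has to do something with them (forward them to a real server and write the replies back via `packetFlow.writePackets`) or the resolver will keep waiting on an answer that never comes.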