DNSProxy with configuration profile & MDM

I am trying to add DNSProxy configuration using .mobileconfig and MDM on supervised device. I have Content Filter payload in the same configuration file that works as expected, however I was unable to start my DNSProxy. My app has 3 extension targets for Filter Data/Control Providers and DNSProxy extension.

Here is my DNSProxy payload:

<dict>
    <key>AppBundleIdentifier</key>
    <string>my.app.bundle.id</string>
    <key>PayloadDescription</key>
    <string>Configures DNS proxy network extension</string>
    <key>PayloadDisplayName</key>
    <string>DNS Proxy</string>
    <key>PayloadIdentifier</key>
    <string>com.apple.dnsProxy.managed.AEE249BB-4F44-4ED9-912B-6A70CC0E01B6</string>
    <key>PayloadType</key>
    <string>com.apple.dnsProxy.managed</string>
    <key>PayloadUUID</key>
    <string>AEE249BB-4F44-4ED9-912B-6A70CC0E01B6</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>ProviderBundleIdentifier</key>
    <string>my.app.bundle.id.DNS-Proxy-Extension</string>
</dict>

Any thoughts on what I might be doing wrong?

Answered by AndriiSulimenko in 786047022

And could you help me understand the work of the Content Filter in the following context. When I use the Network Tools app for testing ping commands for specified domains/IP addresses, the content filter (both socket and browser filtering enabled) is unable to intercept them. Is it the problem of sandbox restrictions? However, if I use DNSProxy with NEDNSManager which I tested before, I can intercept ping of the domains but not IP addresses, which is obvious. However, why is the content filter unable to intercept traffic from the Network Tools app?

I don’t see anything wrong with your configuration payload profile. Are you installing the profile via MDM? That’s a requirement, starting with iOS 15. See the Profile Availability table in com.apple.dnsProxy.managed.

And could you help me understand the work of the Content Filter in the following context.

Sure, but it’d be best if you started a new thread for that question. Tag it with Network Extension so that I see it.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Yes, I was trying to install configuration payload profile via MDM. In this configuration profile I have two payloads (Content Filter and DNS Proxy). Content Filter works as expected, but not the DNS Proxy. That's why I had another post on my profile regarding async operations in Network Extension, as the initial idea of using DNS Proxy with specified resolver didn't work for me.

In this configuration profile I have two payloads … Content Filter works as expected, but not the DNS Proxy.

Interesting. Configuration profiles aren’t really my forte, but I am aware that folks do use them to configure DNS proxies. I mean, it’s the standard way to use a DNS proxy.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Accepted Answer

So, I removed all existing profiles from the device and added a new payload for DNS Proxy, that is similar to the one I added earlier. After that I created an empty project to test if it's going to work (NEDNSProxyProvider principal class file added to compile sources of the main target), and it worked as expected. DNS Proxy now is displayed as Running in System Settings.

However, I have another question regarding DNS Proxy. Yesterday, I made it work in my main project with Content Filter and it worked as expected. Today after some testing (no changes were made to the project), the device is not functioning right. All flows are not going through even after removing all the filtering logic. And in Safari I receive "Safari could not open the page because the server stopped responding". So I tried to isolate the problem and it seems that DNSProxy is the one that's not working properly, because Content Filter itself works properly. It says running in the System Settings for DNS Proxy and the principal class looks like this:

import NetworkExtension

// Principal class of the DNS proxy extension; this is the Xcode template
// with no proxying logic added yet.
class DNSProxyProvider: NEDNSProxyProvider {

    override func startProxy(options: [String: Any]? = nil, completionHandler: @escaping (Error?) -> Void) {
        // Add code here to start the DNS proxy.
        completionHandler(nil)
    }

    override func stopProxy(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) {
        // Add code here to stop the DNS proxy.
        completionHandler()
    }

    override func sleep(completionHandler: @escaping () -> Void) {
        // Add code here to get ready to sleep.
        completionHandler()
    }

    override func wake() {
        // Add code here to wake up.
    }

    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        // Add code here to handle the incoming flow.
        // Returning true means the provider takes responsibility for this flow.
        return true
    }
}

But it still wouldn't work. So I tried to run the project that had only DNSProxy with default settings, the same problem there. Not sure what's causing this problem. Would be grateful to hear any thoughts.

If you add a ‘first light’ log point to your initialiser, and then log points to all the methods shown in your snippet, which of them get called?

I explain the concept of a ‘first light’ log point, and a bunch of other relevant stuff, in Debugging a Network Extension Provider.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
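The instrumented provider Quinn describes, written out as an added example (not code from the thread or from Apple's template): a 'first light' log point in the initialiser plus a log point in each overridden method, so the extension's unified-log output shows exactly how far the system gets. The Logger subsystem string is an assumed value; substitute the extension's own bundle identifier.

```swift
import NetworkExtension
import os

// Assumed subsystem name for filtering in Console.app; replace with your own.
private let log = Logger(subsystem: "my.app.bundle.id.DNS-Proxy-Extension", category: "provider")

class DNSProxyProvider: NEDNSProxyProvider {

    // 'First light' log point. If this line never appears, the system never
    // instantiated the principal class, so look at the profile, the MDM
    // installation or the extension target rather than the provider logic.
    override init() {
        super.init()
        log.info("first light: DNSProxyProvider initialised")
    }

    override func startProxy(options: [String: Any]? = nil, completionHandler: @escaping (Error?) -> Void) {
        log.info("startProxy called, options: \(String(describing: options), privacy: .public)")
        completionHandler(nil)
    }

    override func stopProxy(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) {
        // The raw value identifies why the system is stopping the proxy.
        log.info("stopProxy called, reason: \(reason.rawValue)")
        completionHandler()
    }

    override func sleep(completionHandler: @escaping () -> Void) {
        log.info("sleep called")
        completionHandler()
    }

    override func wake() {
        log.info("wake called")
    }

    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        // One line per flow, tagged with the signing identifier of the app
        // that created it. Returning true means this provider now owns the
        // flow and is responsible for opening and servicing it.
        log.info("handleNewFlow from \(flow.metaData.sourceAppSigningIdentifier, privacy: .public)")
        return true
    }
}
```

Filter the device log on the subsystem above; a provider that shows "first light" and "startProxy" but never "handleNewFlow" is installed and running yet receiving no DNS traffic, which separates a profile or MDM problem from a bug in the flow-handling code.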

The problem was on MDM level. Removing app from the phone was not actually removing it from the device, that's why I had some unexpected behaviour as Proxy running even though the app is uninstalled. Removing profile and reinstalling the app fixed the problem.
