[tags:wwdc20-10207]

Can you add link to the code-sample showed in the video? Thanks

Hello, I m network security engineer, my question is regarding the dns default configuration on IOS v14 : DNS encryption is not activated by default ? as per my understanding there is several ways to encrypt my DNS requests(DoT & DoH) : VPN, MDM profile, NEDNSSettingsManager( via IOS app) or integrated in the application code. i need to understand the order for those options to handle my DNS requests and which of them overides the others Thnx

Is it possible to have some listener that detects when the user enables or disables the DNS settings that were saved by the DNSSettingsManager? This can especially be handy on mac, where the app may be visible when the user enables the settings in System Preferences. Then it is possible to give immediate feedback that the setting has been applied correctly.

Can an app with the default privacy context NWParameters.PrivacyContext.default... override the selected System Wide DNS set by another app? Also, are there any system queries that are not passed through the System Wide DNS? These weren't made abundantly clear in the session looking back at it. Thank you.

Is it possible to create a link to the DNS settings (created by NEDNSSettingsManager) directly from the app? That would be more user-friendly than explaining the user how to get there. The question applies to iOS and macOS.

Hello, Would like to know how the new Encrypted DNS (DoT / DoH) settings functionality affects applications that leverage the NEDNSProxyProvider Network Extension. Specifically, would the flow still be presented as before (unencrypted), or does the Encrypted DNS effectively bypass this by keeping the encryption? Thanks NC

Is there any way to update DOH settings (e.g. NEDNSSettingsManager.dnsSettings.serverURL) after the extension was enabled? Currently, saveToPreferences doesn't reload current settings and they will be reloaded only if you will enable/disable extension in the settings. Maybe it is a bug and will be fixed in the future betas?

Is there any way to detect if the user has enabled DOH or DOT by another app? If there is no built-in feature then maybe make a special network request that will indicate that?

Will DNSCrypt eventually be supported in addition to DoH for encrypted DNS?

In a situation where a user has a DNS configuration at system level (i.e., using MDM or an app which adds them to preferences, user enables this DNS in settings app) AND is using another app which has an app-specific, in-app DNS configuration which of the two DNS services is being used by the latter app?

What is the interaction between NEDNSSettingsManager and NEPacketTunnelProvider? Do the dns settings provided by the packet tunnel provider supersede the ones provided by the dns settings manager, or vice versa? What about MDM configured DoT/DoH and packet tunnel provider supplied settings? is there a way for the packet tunnel provider to query the currently configured dns servers, regardless of their source?

If we configure encrypted DNS just for our app and for all network connections within our app, does this also apply to WKWebView too? Thanks in advance.

Since the sample code was provided in Swift, I want to confirm that the following code in Objective-C will configure NSURLSession to use encrypted DNS and that you can have more than one fallback resolver: nw_privacy_context_t defaultPrivacyContext = NW_DEFAULT_PRIVACY_CONTEXT; nw_endpoint_t dohResolverEndpoint = nw_endpoint_create_url(https://dnsserver.example.net/dns-query); nw_endpoint_t v4ResolverEndpoint = nw_endpoint_create_host(1.1.1.1, 443); nw_endpoint_t v6ResolverEndpoint = nw_endpoint_create_host(2606:4700:4700::1111, 443); nw_resolver_config_t fallbackResolvers = nw_resolver_config_create_https(dohResolverEndpoint); nw_resolver_config_add_server_address(fallbackResolvers, v4ResolverEndpoint);tt nw_resolver_config_add_server_address(fallbackResolvers, v6ResolverEndpoint); nw_privacy_context_require_encrypted_name_resolution(defaultPrivacyContext, true, fallbackResolvers);

I believe there are legitimate reasons for education and enterprise admins to disallow encrypted DNS on their networks, or to force a specific type and server that provides encrypted DNS. Just one example is to identify clients that are part of botnets. Are there mechanisms in place to support such scenarios?