NEPacketTunnelProvider DNS Timeout

Greetings,


We have been struggling for some days implementing our VPN protocol over NEPacketTunnelProvider. It works as a split tunnel that redirects some connections over it (it doesn't add the default route to the included routes list), but every DNS query must be redirected through the tunnel.


The way we implement this is with 'matchDomains = [""]', and it should redirect every DNS query through the tunnel, making it the default.


But sometimes, after a reconnection, when the DNS server doesn't answer in time during normal use (internet browsing, chat, social media, etc...) iOS falls back to another DNS and doesn't use ours until the VPN is reconnected.


We would like to know how to avoid this behavior, and force the connection to go only over our servers, even if they never answer.


Thanks in advance.
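For reference, this is how the split-tunnel configuration described in the question is expressed inside a packet tunnel provider: specific included routes with no default route, and a DNS configuration whose matchDomains is an array containing a single empty string so that the tunnel's resolvers become the system default. This is an added example, not code from the original post; the remote address, tunnel addresses, routes and DNS server are placeholders, and the protocol-specific packet handling is omitted. Nothing in these settings changes the fallback behaviour discussed in the replies below.

```swift
import NetworkExtension

/// Added example (not code from the original post): a packet tunnel provider that
/// sets up a split tunnel and makes the tunnel's DNS servers the system default.
/// All addresses below are placeholders from documentation ranges.
final class SplitTunnelProvider: NEPacketTunnelProvider {

    /// Builds the network settings for a split tunnel whose DNS servers are the default
    /// resolvers. Kept separate from startTunnel so the settings can be inspected.
    func makeNetworkSettings() -> NEPacketTunnelNetworkSettings {
        // Placeholder: the VPN server's public address, as seen from the device.
        let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "203.0.113.10")

        // Tunnel-side address of this device (placeholder).
        let ipv4 = NEIPv4Settings(addresses: ["10.8.0.2"], subnetMasks: ["255.255.255.0"])

        // Split tunnel: only these prefixes are routed through the tunnel.
        // NEIPv4Route.default() is deliberately absent, so all other traffic
        // keeps using the physical interface.
        ipv4.includedRoutes = [
            NEIPv4Route(destinationAddress: "10.8.0.0", subnetMask: "255.255.255.0"),
            NEIPv4Route(destinationAddress: "192.0.2.0", subnetMask: "255.255.255.0"),
        ]
        settings.ipv4Settings = ipv4

        // DNS server reachable only inside the tunnel (placeholder).
        let dns = NEDNSSettings(servers: ["10.8.0.1"])
        // A single empty string in matchDomains makes these servers the default
        // resolvers for every query, rather than only for the listed domains.
        dns.matchDomains = [""]
        settings.dnsSettings = dns

        // Keep the tunnel MTU below the physical MTU to leave room for encapsulation.
        settings.mtu = 1400
        return settings
    }

    override func startTunnel(options: [String: NSObject]?,
                              completionHandler: @escaping (Error?) -> Void) {
        setTunnelNetworkSettings(makeNetworkSettings()) { error in
            // Routing and DNS are applied only after this callback reports no error;
            // the protocol-specific packet reading/encapsulation would start here.
            completionHandler(error)
        }
    }

    override func stopTunnel(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        // Tear down protocol state here before signalling completion.
        completionHandler()
    }
}
```

The important part for the question is the pairing of non-default includedRoutes with matchDomains = [""]: the former keeps the tunnel split, the latter is what routes all name resolution to the tunnel's servers. The 10.8.0.1 server must itself be reachable through one of the included routes, otherwise the queries never leave the device.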

We would like to know how to avoid this behavior, and force the connection to go only over our servers, even if they never answer.

I don’t think there’s any way you can force iOS to use a DNS server that’s not responding. Frankly, that sounds like a very strange requirement. If you’d like to see such support added in the future, you should make your case in an enhancement request that describes your requirements.

Why is it so important that DNS resolution goes through the VPN interface’s servers?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Thanks for your response, eskimo.


The VPN we are using not only ensures that most traffic goes through it privately, but it also works as parental control, blocking the user from certain content/pages; it does so through its DNS servers.


When the error triggers and the servers don't respond, the user can access these pages freely, and even after a response, the DNS resolution seems to get cached if it failed once.


I know it is not the best way to implement this functionality, but the server and the app specifications are not ours, so we are trying to make it work client-side.

it also works as parental control, blocking the user from certain content/pages, it does so through its DNS servers.

Yeah, that’s what I suspected. I understand where you’re coming from here but this is definitely not the right approach. iOS already has infrastructure for this sort of thing (NetworkExtension filter providers to explicitly filter traffic, and DNS proxy providers to intercept all DNS requests), and trying to force this all into a packet tunnel provider is not something that’s going to work reliably.

The case you’re hitting is a perfect example of this. The VPN system was designed with the assumption that the user is not trying to subvert it. Thus all sorts of decisions were made that run counter to your goals, and giving up on ‘broken’ DNS servers is just one of those decisions.

As I mentioned before, you should feel free to file an enhancement request (ER) for control over this, but I suspect you’d be better off with an ER to relax the restrictions on the providers you should be using.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"