DoH system extension in parallel with Content filter extensions

Question

Created Feb ’21

Replies 3

Boosts 0

Participants 2

Hi,

When I try to run the DNS over HTTPS (DoH) system extension in parallel with any content filter extensions, system allows either to run DoH extension or any number of content filter extensions.

some examples of content filter extensions would be:
Cisco VPN, EDR network extensions like Carbon Black, MDATP.

Is there a way to make DoH and content filter extensions run in parallel or it is current limitation ?

My DoH extension looks like below:

Code Block language
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>DNSSettings</key>
			<dict>
				<key>DNSProtocol</key>
				<string>HTTPS</string>
				<key>ServerAddresses</key>
				<array>
					<string>2606:4700:4700::1111</string>
					<string>2606:4700:4700::1001</string>
					<string>1.1.1.1</string>
					<string>1.0.0.1</string>
				</array>
				<key>ServerURL</key>
				<string>https://cloudflare-dns.com/dns-query</string>
			</dict>
			<key>Name</key>
			<string>Cloudflare DNS over HTTPS</string>
			<key>PayloadDescription</key>
			<string>Configures device to use Cloudflare Encrypted DNS over HTTPS</string>
			<key>PayloadDisplayName</key>
			<string>Cloudflare DNS over HTTPS</string>
			<key>PayloadIdentifier</key>
			<string>com.apple.dnsSettings.managed.XXXXX</string>
			<key>PayloadType</key>
			<string>com.apple.dnsSettings.managed</string>
			<key>PayloadUUID</key>
			<string> XXXXXX </string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>
</array>
</dict>

Boost

Answer 1

Systems Engineer OP

Apple

Feb ’21

Is there a way to make DoH and content filter extensions run in parallel or it is current limitation ?

Have you tried using NEDNSSettingsManager along side your content filter?

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

0

Answer 2

AsitM OP

Feb ’21

Accepted Answer

Hi Matt,

Thanks for the suggestion but NEDNSSettingsManager also resulted in creating network extension which
fails to run in parallel with content filter extensions.

As advised by you, I have filed the bug report for same.

thanks,
Asit

1

Answer 3

Systems Engineer OP

Apple

Feb ’21

Thanks for the suggestion but NEDNSSettingsManager also resulted in creating network extension which
fails to run in parallel with content filter extensions.

Thanks for the follow up. The workaround for this (for others reading) is to install and activate the NEDNSSettingsManager's DoH or DoT settings first, and then start the NEFilterDataProvider.

Another alternative for macOS would be to use NEFilterDataProvider and NETransparentProxyProvider together. This will provide you the most flexibility but is also the most engineering work. The idea is that the flows would pass through the filter first and then through the proxy. DoT or DoH could be performed on the remote side of the proxy because you control this connection.

As advised by you, I have filed the bug report for same.

Please follow up with the Feedback ID.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

0