NEIPv4Settings excludedRoutes does not work

Here is how I set up the network for Packet Tunnel Provider
```swift
import NetworkExtension

let networkSettings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "240.240.240.240")
networkSettings.ipv4Settings = NEIPv4Settings(addresses: ["240.0.0.1"], subnetMasks: ["255.0.0.0"])
// Route everything through the tunnel ...
networkSettings.ipv4Settings?.includedRoutes = [NEIPv4Route(destinationAddress: "0.0.0.0", subnetMask: "0.0.0.0")]
// ... except the tunnel's own subnet and the two DNS servers.
networkSettings.ipv4Settings?.excludedRoutes = [
    NEIPv4Route(destinationAddress: "240.0.0.0", subnetMask: "255.0.0.0"),
    NEIPv4Route(destinationAddress: "1.1.1.1", subnetMask: "255.255.255.255"),
    NEIPv4Route(destinationAddress: "1.0.0.1", subnetMask: "255.255.255.255")
]

networkSettings.dnsSettings = NEDNSSettings(servers: ["1.1.1.1", "1.0.0.1"])
```


The DNS servers are set to 1.1.1.1 and 1.0.0.1, which technically should be excluded from the tunnel. But when I'm debugging, I can still see that IP packets whose destination address is 1.1.1.1 or 1.0.0.1 and whose protocol is 17 (UDP) are captured by the tunnel, thus DNS queries fail.

Does anybody know if I'm setting up the DNS the wrong way? Why are DNS server addresses not excluded from tunnel despite being set so?

Replies

Why are DNS server addresses not excluded from tunnel despite being set so?

It looks like you are excluding them, but then adding the 1.1.1.1 and 1.0.0.1 addresses into your tunnel settings for your NEDNSSettings. What are your matchDomains set to? I suspect if you are matching domains that you have set to serve DNS through your tunnel, then your IP packets will come through with this address in the packet header. To test my theory, try setting your DNS server addresses to something else. I suspect then you will not see IP packets coming through with 1.1.1.1. Or, try running it as you have it and do not match any of the domains set in matchDomains to see if you still get IP packets routed through with 1.1.1.1.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Hi Matt,

Thank you for your reply. I did not set matchDomains. My expected behavior is to let the tunnel handle all traffic except for DNS, and the tunnel has its own DNS servers rather than using the system-level settings. Thus a reasonable solution that came to my mind is to use NEDNSSettings to specify the DNS settings for the tunnel and use excludedRoutes in the NEIPv4Settings to exclude these DNS routes.

If you think this is not the right approach, would you please let me know how you would achieve the behavior I just mentioned? Thank you!

I think I might know what is wrong. I guess I cannot expect the tunnel to both exclude DNS routes and also have its own DNS settings.

I guess the expectation is this:
  1. Tunnel uses custom DNS servers.

  2. The DNS traffic to these custom DNS servers does NOT go through the tunnel but goes through the regular physical interfaces.

Is that even possible with the PacketTunnelProvider?

Hello friend, do you have a solution now?

I guess the expectation is this: Tunnel uses custom DNS servers. The DNS traffic to these custom DNS servers do NOT go through the tunnel but is going through regular physical interfaces. Is that even possible with the PacketTunnelProvider?

When using NEDNSSettings in your tunnel you can use a custom DNS server to claim a small, specific set of DNS traffic. This does NOT mean all DNS traffic on the system, but rather a SMALL set of DNS traffic used for your business purposes. For example, if your business uses example.com as a domain and you wanted to resolve all queries for *.example.com, then you could set up a custom DNS server and claim example.com as a hostname that your tunnel needs to resolve, rather than the physical interface.

```swift
import NetworkExtension

let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "x.x.x.x")
let ipv4Settings = NEIPv4Settings(addresses: ["x.x.x.x"], subnetMasks: ["255.255.0.0"])

// ...

// Only queries for example.com (and its subdomains) are sent to this resolver.
let dnsSettings = NEDNSSettings(servers: ["x.x.x.x"])
dnsSettings.matchDomains = ["example.com"]
// Do not append the match domains to the system search list.
dnsSettings.matchDomainsNoSearch = true
settings.dnsSettings = dnsSettings
settings.ipv4Settings = ipv4Settings
```

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
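Putting the two replies together, here is an added example that is not from the original thread or from Apple: a provider whose startTunnel builds its settings in one of two modes. In split-DNS mode, matchDomains claims only the listed domains, so those queries go to the tunnel resolver and every other name is resolved over the physical interface, which is the behaviour Matt describes. In full-tunnel mode the tunnel takes the default route and keeps DNS inside it as well, by pointing at a resolver that is itself reachable through the tunnel and claiming all domains with the single empty string. The names DNSMode and makeNetworkSettings, the addresses (203.0.113.10 as the server, 10.8.0.0/24 as the tunnel subnet, 10.8.0.1 as the resolver, 192.168.0.0/16 as a local LAN) and the MTU are all assumptions made for the illustration. The full-tunnel mode is the shape a practitioner usually wants instead of what the original poster asked for: with a default route in the tunnel, sending DNS to a resolver outside it would put every name the device looks up on the physical interface in the clear, the classic DNS leak.

```swift
import NetworkExtension

/// Two ways to wire DNS into a packet tunnel. All addresses below are
/// placeholders (RFC 5737 / RFC 1918 ranges), not real infrastructure.
enum DNSMode {
    /// Only queries under the listed domains use the tunnel resolver; every
    /// other name is resolved as usual over the physical interface.
    case splitDNS(domains: [String])
    /// Default route through the tunnel, with DNS kept inside it as well.
    case fullTunnel
}

/// Builds the network settings handed to setTunnelNetworkSettings.
func makeNetworkSettings(mode: DNSMode) -> NEPacketTunnelNetworkSettings {
    let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "203.0.113.10")
    let ipv4 = NEIPv4Settings(addresses: ["10.8.0.2"], subnetMasks: ["255.255.255.0"])
    // The resolver sits on the tunnel side, so its traffic rides the tunnel.
    let dns = NEDNSSettings(servers: ["10.8.0.1"])

    switch mode {
    case .splitDNS(let domains):
        // Only the tunnel subnet is routed through the tunnel.
        ipv4.includedRoutes = [NEIPv4Route(destinationAddress: "10.8.0.0",
                                           subnetMask: "255.255.255.0")]
        // The tunnel resolver is consulted only for names under these domains.
        dns.matchDomains = domains
        // Do not append them to the search list (avoids "host" -> "host.example.com").
        dns.matchDomainsNoSearch = true

    case .fullTunnel:
        ipv4.includedRoutes = [NEIPv4Route.default()]
        // excludedRoutes carves destinations out of the tunnel's route set, for
        // example a local LAN; it does not redirect the queries that the system
        // sends to the resolver configured in NEDNSSettings.
        ipv4.excludedRoutes = [NEIPv4Route(destinationAddress: "192.168.0.0",
                                           subnetMask: "255.255.0.0")]
        // The single empty string makes this resolver the default for all domains.
        dns.matchDomains = [""]
    }

    settings.ipv4Settings = ipv4
    settings.dnsSettings = dns
    settings.mtu = 1400  // assumed value; tune for the tunnel's encapsulation overhead
    return settings
}

final class PacketTunnelProvider: NEPacketTunnelProvider {
    override func startTunnel(options: [String: NSObject]?,
                              completionHandler: @escaping (Error?) -> Void) {
        let settings = makeNetworkSettings(mode: .splitDNS(domains: ["example.com"]))
        setTunnelNetworkSettings(settings) { error in
            if let error = error {
                completionHandler(error)
                return
            }
            // Start the packetFlow read loop here; the virtual interface is now up.
            completionHandler(nil)
        }
    }

    override func stopTunnel(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        completionHandler()
    }
}
```

Switch the call in startTunnel to `.fullTunnel` to get the default-route configuration. In that mode the resolver address is inside the included routes, so DNS never leaves the tunnel; in split-DNS mode only example.com names are claimed and nothing else on the device is affected.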
  • Hi @meaton,

    I have a different use case from the provided solution. I have example.com as the DNS name by setting it in matchDomains, and I enabled matchDomainsNoSearch by setting it to true to allow .example.com. But I'm wondering how to exclude a specific route, say contact.example.com. Is there any way to set excluded routes in NEDNSSettings, similar to settings.ipv4Settings.excludedRoutes?
