Private relay and DNS filtering via NEPacketTunnelProvider extension

I have a security app that filters DNS traffic via a NEPacketTunnelProvider extension, blocking access to dangerous domains (malware, phishing etc). The DNS requests are sent to a DNS server that will resolve only the safe domains.

With Private Relay ON I still have access in the extension to all the DNS queries, but unfortunately, the user can still access those domains on the device, although DNS resolutions are blocked in the extension for specific domains. This happens only when Private Relay is ON, so practically the web browsing protection does not work anymore.

With Private Relay ON, I noticed DNS requests for the mask.apple-dns.net domain resolved by my DNS server. How is this supposed to work?

  1. Are other DNS requests sent to mask.apple-dns.net and not caught by our network extension? Is that supposed to happen?
  2. a. Would a NXDOMAIN response for mask.apple-dns.net fix this behaviour and allow the app to offer protection while Private Relay is ON?
     b. Will any alert be displayed to the user in that case?
  3. Do you have any other suggestions?
  4. Could you clarify the behaviour for a NEPacketTunnelProvider extension processing only DNS requests?

I would have expected for the DNS name resolution queries to be processed only through the network extension.

An excerpt from "Get ready for iCloud Private Relay" says: “Similarly, if your app provides a network extension to add VPN or app-proxying capabilities, your extension won't use Private Relay and neither will app traffic that uses your extension.” “When a VPN configuration is active, connections use the VPN instead of iCloud Private Relay. Network Extension providers also don’t use iCloud Private Relay.” 

I have also asked for help via Feedback Assistant (FB9623058).

I have a security app that filters DNS traffic via a NEPacketTunnelProvider extension, blocking access to dangerous domains (malware, phishing etc). The DNS requests are sent to a DNS server that will resolve only the safe domains. Could you clarify the behaviour for a NEPacketTunnelProvider extension processing only DNS requests?

You should not be using a NEPacketTunnelProvider in this manner. If you need to secure DNS traffic there is a DNS Network Extension API for doing this, i.e., NEDNSProxyProvider. NEDNSSettings should only be used for a SMALL set of hostnames that your business needs to resolve traffic for through the tunnel. The NEPacketTunnelProvider should NOT be used as a mechanism to intercept DNS traffic.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
I think I haven’t mentioned that I’m referring to an iOS app and, unfortunately, the doc mentions that NEDNSProxyProvider is available for iOS supervised devices only.

What alternatives would there be for non-supervised devices?

DNS proxy providers are supported … on iOS supervised devices only. 

https://developer.apple.com/documentation/networkextension/dns_proxy_provider

doc mentions that NEDNSProxyProvider is available only for iOS supervised devices only

You are correct, NEDNSProxyProvider is available for supervised devices only, and if you need to handle DNS traffic, you should use this API in a supervised setting.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

blocking access to dangerous domains (malware, phishing etc).

If your goal is to block dangerous domains from a specific audience then you could take a look at the new Screen Time APIs on iOS 15 along with NEFilterDataProvider. NEFilterDataProvider with the new Screen Time APIs no longer requires a supervised environment.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Thank you for the suggestions, Matt. We will take a look at the NEFilterDataProvider & Screen Time APIs.

Still, could you clarify:

  1. What is the expected behaviour for DNS packets when Private Relay is ON for both NEFilterDataProvider & NEPacketTunnelProvider?
  2. Would a NXDOMAIN response for mask.apple-dns.net further prevent unsafe domains from being resolved on the device?
  3. Will any alert be displayed to the user in that case? (similar to attached photo)

What is the expected behaviour for DNS packets when Private Relay is ON for both NEFilterDataProvider & NEPacketTunnelProvider?

Network Extension providers such as NEFilterDataProvider and NEPacketTunnelProvider should take precedence over Private Relay. That means that if traffic typically goes through Private Relay, like DNS traffic, and these providers are running, then these providers should handle the traffic instead. If you are not seeing this then please open a bug report.

Regarding:

Would a NXDOMAIN response for mask.apple-dns.net further prevent unsafe domains from being resolved on the device?

The only advice I can offer here is to test this on your end to determine the best course of action.

Regarding:

Will any alert be displayed to the user in that case? (similar to attached photo)

If there is no Network Extension Provider installed on the machine/device and the machine/device is connecting to a private network that needs to audit traffic for business purposes, and is blocking the DNS name for iCloud Private Relay, then yes, the user would see a prompt similar to the one you have attached. If there is a Network Extension provider running and the DNS name is not being blocked for iCloud Private Relay then you would not see this prompt. If you are seeing otherwise, please open a bug report.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
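The thread discusses a filtering resolver that answers NXDOMAIN for blocked names (including the question of answering that way for mask.apple-dns.net). The following is an added example of that resolver-side logic, not code from the thread, from Apple, or from the poster's app; the deny-list entries and the queries are constructed sample data, and `forward` stands in for whatever upstream lookup the deployment uses.

```python
import struct

# Constructed deny-list for the example; a real deployment loads its own feed.
BLOCKED_SUFFIXES = ("malware.example", "phish.example")


def parse_question(query: bytes):
    """Return (txid, flags, qname, raw question section) from a DNS query.

    Only the single-question, uncompressed form that stub resolvers send is
    accepted; anything else is rejected rather than guessed at.
    """
    if len(query) < 12:
        raise ValueError("short DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        length = query[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(query[pos:pos + length].decode("ascii"))
        pos += length
    pos += 4  # skip QTYPE and QCLASS
    return txid, flags, ".".join(labels).lower(), query[12:pos]


def is_blocked(qname: str) -> bool:
    """Block the listed name and every subdomain of it, not lookalike suffixes."""
    return any(qname == s or qname.endswith("." + s) for s in BLOCKED_SUFFIXES)


def nxdomain_response(query: bytes) -> bytes:
    """Build a NXDOMAIN (RCODE 3) reply that echoes the client's ID and question."""
    txid, flags, _, question = parse_question(query)
    # QR=1, opcode copied from the query, RD copied, RA=1, RCODE=3.
    resp_flags = 0x8000 | (flags & 0x7800) | (flags & 0x0100) | 0x0080 | 0x0003
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, 0, 0, 0)
    return header + question


def filter_query(query: bytes, forward):
    """Answer blocked names locally; hand everything else to the upstream resolver."""
    _, _, qname, _ = parse_question(query)
    return nxdomain_response(query) if is_blocked(qname) else forward(query)


def build_query(txid: int, name: str) -> bytes:
    """Encode a minimal A/IN query; used here only to construct sample input."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
```

As the reply above notes, whether a client honours such an answer for mask.apple-dns.net has to be tested on the device; this block only shows what the resolver returns.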