[macOS] need to support domain specific dns server (custom DNS)

Hi Team,

I'm currently using a system extension with NETransparentProxyProvider (with root privileges). I want to support custom DNS (specific to domains) with a search domain to accommodate a single-level domain support.

For this, I'm creating a new entry inside /etc/resolver/, using below command.

sudo sh -c 'echo "domain corp.test.com\nsearch corp.test.com\nnameserver 9.9.9.9\nnameserver 9.9.2.2" > /etc/resolver/corp.test.com'

The above command works fine for me when I execute it via the terminal, creating a new file inside the resolver as described below. So, when I access a single-label domain like https://test, it appends 'corp.test.com,' resulting in hitting the domain as https://test.corp.test.com. Furthermore, it selects either the DNS server 9.9.9.9 or 9.9.2.2.

File: /private/etc/resolver/corp.test.com

domain corp.test.com
search corp.test.com
nameserver 9.9.9.9
nameserver 9.9.2.2

File permission

total 8
-rw-r--r--  1 root  wheel  80 Dec  5 18:20 corp.test.com

scutil --dns

resolver #8
  domain   : corp.test.com
  search domain[0] : corp.test.com
  nameserver[0] : 9.9.9.9
  nameserver[1] : 9.9.2.2
  flags    : Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)

However, when I execute the same command within the extension using NSTask, it generates the new file but fails to work as per above.

it creates below file

File: /private/etc/resolver/corp.test.com

domain corp.test.com
search corp.test.com
nameserver 9.9.9.9
nameserver 9.9.2.2

File permission

total 8
-rw-r--r--  1 root  wheel  80 Dec  5 18:25 corp.test.com

scutil --dns

resolver #8
  domain   : corp.test.com
  search domain[0] : corp.test.com
  nameserver[0] : 9.9.9.9
  nameserver[1] : 9.9.2.2
  flags    : Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)

I don't notice any difference in file permissions and in scutil --dns entry.

even we tried running sudo killall -HUP mDNSResponder to refresh its records.

Could you please suggest what might be the reason?

I noticed that when I create a file without the search field from the extension, it works properly. /n

File: /private/etc/resolver/corp.conso.com

domain corp.conso.com nameserver 2.2.2.2

/n We only encounter the issue when we add the search field to the file and create it from the system extension process.

macOS does support scoped DNS, but the approach you’re using won’t work. On Apple platforms the classic resolver.conf infrastructure is a compatibility measure, not the source of truth. You can’t use it to configure scoped DNS.

To configure scoped DNS in your transparent proxy, look at the NEDNSSettings type and, specifically, its matchDomains property.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thank you for your response. I attempted to use NEDNSSettings within NETransparentProxyProvider, but it appears to be ignored. This issue is also documented in the NETransparentProxyProvider.h class.

NEDNSSettings and NEProxySettings specified within NETransparentProxyNetworkSettings are ignored. Flows that match the includedNetworkRules within NETransparentProxyNetworkSettings will use the same DNS and proxy settings that other flows on the system are currently using.

Full detail in NETransparentProxyProvider.h

/*!

  • @interface NETransparentProxyProvider
  • @discussion The NETransparentProxyProvider class declares the programmatic interface for an object that implements the client side of a custom transparent network proxy solution.
  • The NETransparentProxyProvider class has the following behavior differences from its super class NEAppProxyProvider:
    
  •     - Returning NO from handleNewFlow: and handleNewUDPFlow:initialRemoteEndpoint: causes the flow to proceed to communicate directly with the flow's ultimate destination, instead of closing the flow with a "Connection Refused" error.
    
  •     - NEDNSSettings and NEProxySettings specified within NETransparentProxyNetworkSettings are ignored. Flows that match the includedNetworkRules within NETransparentProxyNetworkSettings will use the same DNS and proxy settings that other flows on the system are currently using.
    
  •     - Flows that are created using a "connect by name" API (such as Network.framework or NSURLSession) that match the includedNetworkRules will not bypass DNS resolution.
    
  • NETransparentProxyProvider is part of NetworkExtension.framework

*/

Ah, good point. Sorry about the bum steer. With some many different providers it can be tricky to remember all the edge cases.

Have you tried simply applying the relevant settings using NEDNSSettingsManager? You can’t do that from within your provider; you’ll have to do it from your container app.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thank you for your response,

I attempted to use NEDNSSettingsManager, which requires either NEDNSOverHTTPSSettings or NEDNSOverTLSSettings for DNS configuration. Presently, our system does not support encrypted DNS. When I utilized only NEDNSSettings as indicated below, it generated the DNS setting in the filter, but it appears to be disabled (see attached screenshot).

NEDNSSettingsManager.shared().loadFromPreferences { error in
                let dotSettings = NEDNSSettings(servers: ["1.2.3.4"])
                //dotSettings.serverName = "example.com"
                dotSettings.matchDomains = ["test.corp.com"]
                NEDNSSettingsManager.shared().dnsSettings = dotSettings
                NEDNSSettingsManager.shared().localizedDescription = "Test config"
                NEDNSSettingsManager.shared().saveToPreferences { error in
                    NEDNSSettingsManager.shared().loadFromPreferences { error in
                    }
                }
            }

In my scenario, I need to support custom DNS configurations for specific domains, each requiring a distinct DNS server. However, using NEDNSSettingsManager, I can only assign a single DNS server for multiple matched domains

The file /etc/resolver/corp.conso.com is now working for me. Previously, I had been configuring the resolver file before setTunnelNetworkSettings, but now I'm configuring it after the tunnel settings and it is woking as expected. Im able to set custom DNS for specific domain.

looking at man 5 resolver it does not talk about deprecation of /etc/resolver/, but only for /etc/resolv.conf.

It also update the scutil --dns after adding file to/etc/resolver/corp.conso.com

resolver #8
  domain   : corp.conso.com
  nameserver[0] : 2.2.2.2
  flags    : Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)

OK.

Are you planning to deploy this product to managed environments? Or is it for normal users?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

For now, this is for managed devices.

Just for testing purposes, are you able to achieve your goals with one or more the com.apple.dnsSettings.managed payloads?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

We have tested with com.apple.dnsSettings.managed, and it takes precedence over /etc/resolver.

We will make a note that managed DNS settings take precedence over /etc/resolver

In com.apple.dnsSettings.managed, we are only able to setup encrypted dns (TLS or HTTPS), Is there a way we can setup unencrypted DNS?

Is there a way we can setup unencrypted DNS?

Blah, I thought that that payload could do vanilla DNS )-:

I’m running out of options here. My advice is that you open a DTS tech support incident so that I can allocate time for more research. However, just to set expectations, this isn’t looking promising )-:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Sure, I will open a ticket and proceed with the '/etc/resolver' approach. I'll also make a note if someone has configured managed DNS

Thanks,

[macOS] need to support domain specific dns server (custom DNS)
 
 
Q