WebKit-generated flow management using DNSProxy

Hi! I have been working on one idea for a while but can't figure out the proper way to do that. My app includes Content Filter and DNSProxy providers for filtering logic. For NEFilterSocketFlow everything works well, because the connection is first handled by DNSProxy and, if it's blocked, NEFilterDataProvider returns the datagrams that I wrote from DNSProxy (I return nxdomain). However, for NEFilterBrowserFlow it doesn't work, because WebKit-generated flows are for some reason intercepted by Content Filter first, and at the time when the flow is checked for rules, there are none yet, as DNSProxy hasn't handled the connection yet.

So the app returns the following behaviour:

  1. In case the requested domain is not filtered by DNSProxy, the user is able to visit the requested page, but if it's filtered, the flow just freezes and the page will never load for the user. But I wanted to add proper handling and display a block page.

  2. In case I am using some third-party apps for testing like ICS Dig, filtered domains return nxdomain properly.

Not sure if there's a way to achieve the desired result, but I would be very grateful for any suggestions.

Update: I tried to defer the response for WebKit-generated flows in NEFilterDataProvider, but that didn't work well because the handleNewFlow method would not support async operations.

Additionally, I tried to add a DNS lookup for flows that are not registered (first connection, when the DNS Proxy hasn't yet made a decision whether the domain is blocked or not), but I assume it didn't work for the same reason. Just ignoring WebKit-generated flows is no help because they are just set to NEFilterNewFlowVerdict.allow() by default then.

Question: Is it even possible to achieve this goal? And would it work if I form custom response packets for blocked domains (let's say, add a remediation page IP address) in the DNS Proxy target?

What is the reason you need to use NEDNSProxyProvider in this workflow? If you filter WebKit flows with just NEFilterDataProvider and NEFilterControlProvider what functionality is missing that you need to include NEDNSProxyProvider?

Matt Eaton - Networking

I use NEDNSProxyProvider for resolving domains using specified DNS resolvers. When I first started the project, I tried to implement the same functionality just using Content Filter Provider, but that didn’t work because NEFilterDataProvider didn’t support async operations.
