DNS requests failing when NEPacketTunnelProvider is running.

Question

docfp OP

Created Nov ’24

Replies 4

Boosts 0

Participants 2

Hi, TLDR: On iOS, when my PacketTunnel is running, can I exclude DNS requests from going into the tunnel?

I have a test app, using Apple's AsyncDNSResolver, that makes a DNS call and it works when the tunnel is not running.

If the tunnel is running it times out after 30 seconds and I get the error -65568.

Here's how I'm setting up the tunnel

func setup(tunnelRemoteAddress: String) {
        let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: tunnelRemoteAddress)
        settings.ipv4Settings = NEIPv4Settings(addresses: [tunnelRemoteAddress], subnetMasks: ["255.255.255.255"])
        settings.ipv4Settings?.includedRoutes = [NEIPv4Route.default()]
        
        let proxySettings = NEProxySettings()
        proxySettings.httpEnabled = true
        proxySettings.httpServer = NEProxyServer(address: ProxyServerConfiguration.host, port: ProxyServerConfiguration.port)
        proxySettings.httpsEnabled = true
        proxySettings.httpsServer = NEProxyServer(address: LocalProxyServerConfiguration.host, port: LocalProxyServerConfiguration.port)
        proxySettings.excludeSimpleHostnames = true
        proxySettings.exceptionList = nil
        
        let dnsSettings = NEDNSSettings(servers: ["8.8.8.8"])
        settings.dnsSettings = dnsSettings
        settings.proxySettings = proxySettings
        
        setTunnelNetworkSettings(settings) { error in
            // ...
        }
    }

I've tried all combinations of setting/excluding the NEDNSSettings but the DNS call always fails when the tunnel is running.

Thanks for any help.

Boost

Answer 1

DTS Engineer OP

Apple

Nov ’24

Recommended

using Apple's AsyncDNSResolver

Technically that’s not an Apple thing but an open source thing. But given that you’re using it on an Apple platform, it should just be a wrapper around DNS-SD, which is our lowest-level interface to the system DNS resolver.

can I exclude DNS requests from going into the tunnel?

You can’t, as such. Packet tunnel providers typically operation in destination IP mode [1]. If your provider’s tunnel claims the route to the IP address of the DNS server, that traffic will go over your tunnel.

In your case you’re claiming the default route and thus it’s likely that DNS traffic will go over your tunnel [2].

If the tunnel is running it times out after 30 seconds and I get the error -65568.

Is your packet tunnel provider receiving DNS request packets? Does it do anything useful with them?

I get the feeling that you’re trying to use a packet tunnel provider for something that’s not a VPN tunnel. DTS doesn’t support that, as explained in TN3120 Expected use cases for Network Extension packet tunnel providers.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] In managed environments you can configure them to use source application mode, that is, per-app VPN, but I don’t think that’s relevant to your setup.

[2] Although not guaranteed. It’s not uncommon for the gateway on a home network to configure clients to use the gateway itself as the DNS server. In that case the traffic will go directly, because the DNS server is on a directly connected network.

Having said that, if your tunnel configures DNS settings then the fact that it’s the default route will make those settings active. So in your example, you’ve configured DNS to use 8.8.8.8 and that will always go over your tunnel.

0

Answer 2

docfp OP

Nov ’24

Thanks for that.

I don't see the DNS traffic enter the tunnel so I need to debug that separately.

I have two general questions:

Could the DNS traffic be excluded using the ipv4Settings.excludedRoutes?
Is excluded traffic just dropped or is it routed "normally", i.e. as if the tunnel wasn't running?

0

Answer 3

DTS Engineer OP

Apple

Nov ’24

Accepted Answer

Could the DNS traffic be excluded using the ipv4Settings.excludedRoutes?

Yes.

The challenge is to determine what to exclude. If you force the DNS settings to 8.8.8.8 then you could exclude that. If not, you need to work out what the system DNS settings are, and theres not good way to do that.

Keep in mind that DNS is not as simple as it was back in the day. In recent years the system has implemented support for RFC 9462, and so opportunistically enables encrypted DNS when it’s available.

Is excluded traffic just dropped or is it routed "normally" … ?

It’s is routed normally.

If you’re going to play games with routing, make sure you read Routing your VPN network traffic.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 4

docfp OP

Nov ’24

Thanks Quinn. Seems like excluding the DNS traffic isn't the way to go. I'll debug it further and see why I'm not getting any in the Tunnel.

1