Query regarding transparent proxy provider NENetworkRule for port 53

App & System Services Networking
faisalIkwal OP
Created 2d
Replies 3
Boosts 0
Views 92
Participants 3

We want to ressolve dns for predefined sets of private app domains. We've added this rule:

NENetworkRule(destinationHost: NWHostEndpoint(hostname: Private Domain1(example.com), port: 53), protocol: .UDP)

As per apple documentation: A rule that matches all DNS queries/responses for hosts in the example.com domain.

do you think it will work i.e it will forward DNS requests UDP flow to transparent provider in all the cases? or do you think the text is a bit misleading. it should instead say: "A rule that matches all DNS queries/responses for nameservers in the example.com domain"?

This rule that look for port 53 of that domain only works if the system really asks a nameserver of that specific domain, right? So, what if a local DNS server or a different nameserver are taking care of the resolution?

Replies  3
Boosts  0
Views  92
Participants  3
DTS Engineer OP
Apple
2d
We want to ressolve dns for predefined sets of private app domains.

For specific apps? Or for the system as a whole?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
faisalIkwal OP
2d

@DTS Engineer for the system as a whole

example: testyoutube.com

ping, curl, or any browser etc visits testyoutube.com, i want to resolve it by Transparent Proxy.

0
MStecher OP
1d

I am looking into this same topic. To me it seems as if some magic is applied when an NENetworkRule for UDP port 53 for a specific host (e.g. www.example.com) is entered. Prior to that rule, a DNS request for www.example.com would go to my standard DNS server (let's say 192.168.0.1:53) and not to www.example.com port 53, so one could assume that the entered NENetworkRule does not match.

However, it does seem to match indeed - at least for applications that are using a form of gethostbyname (e.g. if I ping www.example.com from the terminal) then the rule seems to match and sends the DNS request to the Transparent Proxy.

But if an application does its own DNS implementation (such as nslookup), then this still generates traffic for 192.168.0.1 port 53 and that does not match the rule so that the Transparent Proxy doesn't see that traffic with the above rule.

In that way, the implementation of such a NENetworkRule behaves similarly to how DNS requests are redirected if I use the DNSSettings network extension.

Is that understanding correct?

1
Query regarding transparent proxy provider NENetworkRule for port 53
First post date Last post date
 
 
Q