DNS filter does not receive all DNS queries

We have developed a DNS filter extension that works for most applications, but it does not receive all DNS queries.

In particular, if we have our extension installed and enabled, we see Safari browsing cause local DNS servers to be used instead of going through our extension.

What is the logic for how DNS servers vs. extensions are chosen to resolve DNS queries?

These days DNS is way more complicated than you might think. It’s not uncommon for programs, especially third-party web browsers, to do their own secure DNS resolution. Safari does something similar, although it’s integrated into the system as a whole.

Written by michaelsballoni in 775502021
we see Safari browsing cause local DNS servers to be used instead of going through our extension.

What do you mean by that? Are you looking on the wire and seeing port 53 traffic? Or are you just assuming that this is how it works because your DNS proxy is not seeing the traffic?

Because, in the second case, there are lots of other potential reasons for that, most notably the RFC 9462 stuff that I touched on in this thread.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi Quinn,

We're seeing DNS queries caused by Safari going to the local DNS server in Wireshark packet capture.

How is it that Safari's DNS traffic does not go through our DNS filter that is integrated into the OS?

What is the "something similar...integrated into the system as a whole" that Safari may be using? And how can we get that traffic to go through us?

Thanks, -Michael

Written by michaelsballoni in 827166022
We're seeing DNS queries caused by Safari going to the local DNS server in Wireshark packet capture.

Interesting. I wouldn’t expect that.

Are these queries scoped in some way? For example, are they all mDNS queries for local domains? Or are we talking about uDNS queries for standard DNS domains?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
