Clarification on wildcard matching of domains in NEDNSSettings - matchDomains

Question

Created Mar ’25

Replies 1

Boosts 0

Participants 2

I have an NEPacketTunnelProvider that's configured using NEPacketTunnelNetworkSettings. I'm using NEDNSSettings to configure the DNS resolver of the packet tunnel, and would like to specify the exact domains that should use this resolver using the matchDomains member variable.

While it's not explicitly mentioned in the documentation [1], I've noticed that if a domain is present in matchDomains, then all subdomains of it will also be resolved using this resolver, as if a wildcard match rule is in place.

I wanted to ask if this the intended behavior, and if so, is there any way to disable it so that only exact domain matches will be resolved?

I.e., if "example.com" is in the matchDomains list, I would like requests for this domain be resolved using the configured DNS resolver, while ignoring requests to the subdomain"test.example.com".

[1] https://developer.apple.com/documentation/networkextension/nednssettings/matchdomains

Boost

Answer 1

DTS Engineer OP

Apple

Mar ’25

Accepted Answer

Recommended

I wanted to ask if this the intended behavior … ?

Yes.

is there any way to disable it so that only exact domain matches will be resolved?

Not that I’m aware of. The intended uses case for this property is for a split tunnel where the intranet DNS server can resolve all names in the intranet domain. For example, the example.com org might set it to corp.example.com to resolve just names on the intranet, or they might set it to example.com and let the corporate DNS server deal with everything.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

1