Network Extension and DoH with preresolved IPs

Howdy,

I've noticed a strange behavior recently on my macOS (26.5.1) when using my System Extension-hosted Network Extension with a Packet Tunnel Provider inside:

import NetworkExtension

// Resolver addresses are given explicitly alongside the DoH endpoint URL
let dnsSettings = NEDNSOverHTTPSSettings(servers: ["8.8.8.8", "8.8.4.4"])
dnsSettings.serverURL = URL(string: "https://dns.google/dns-query")
settings.dnsSettings = dnsSettings   // settings: the tunnel's NEPacketTunnelNetworkSettings

I have always expected this block to not need any DNS resolution, since the IPs for dns.google are preconfigured; however, I'm not sure that's been the case lately. I see normal DNS requests to the addresses above on :53. Once resolved, there is no more DNS traffic, just :443 via TUN.

Is it possible that some changes were introduced in the past months that would make macOS have to resolve dns.google with regular DNS before switching over to DoH?

I’m not sure I understand your issue here. Are you saying that the system resolves dns.google using the DNS servers you provided (8.8.8.8, 8.8.4.4)? Or that it resolves it using some other DNS servers?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

It’s better to reply as a reply, rather than in the comments; see Quinn’s Top Ten DevForums Tips for this and other titbits.

However, what I saw is that macOS tried to resolve dns.google using the two servers above and then switched to DoH.

Right. That’s kinda what I would expect to happen.

however not sure it's been the case lately.

When did you see this change? [1]

Also, is this actually causing problems?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] I typically test this sort of thing in a VM. Well, more than one VM. I maintain a bunch of VMs for recent macOS versions so that I can quickly regress issues like this without having to carry around a lot of different MacBooks (-:

Somehow, I was expecting it to do DoH right away, since pre-resolved IPs are provided.

It caused a bit of confusion, since we were not handling UDP properly at the time, so had to enable this explicitly.

As for when it changed - can't really tell, sorry.

I'll just handle UDP properly so plain DNS won't cause issues, and as long as macOS eventually switches to DoH it's all fine.

Thank you for clarifying!
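The traffic pattern the thread describes (a plain UDP DNS query for dns.google sent to the configured resolver IPs on :53, followed by TCP :443 to those same IPs) is easy to spot from inside a packet tunnel if the provider parses the raw IPv4 packets it reads from the TUN. The following is an added example, not code from the thread or from Apple; it is written in Python rather than Swift so it can be run stand-alone, but the parsing is what a provider would do on the bytes returned by packetFlow.readPackets. The DOH_SERVER_IPS set mirrors the servers list in the original post; the sample packets, the 10.8.0.2 tunnel address and the 10.0.0.1 resolver are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Assumed: same resolver addresses as the NEDNSOverHTTPSSettings servers list in the post.
DOH_SERVER_IPS = {"8.8.8.8", "8.8.4.4"}
DOH_HOSTNAME = "dns.google"


@dataclass(frozen=True)
class Flow:
    proto: str      # "udp", "tcp" or "other"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes  # transport payload (empty for a bare TCP SYN)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_ipv4(pkt: bytes) -> Optional[Flow]:
    """Parse one IPv4 packet as handed to a tunnel provider; None if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len < ihl or len(pkt) < total_len:
        return None
    proto, src, dst = pkt[9], _ip(pkt[12:16]), _ip(pkt[16:20])
    body = pkt[ihl:total_len]
    if proto == 17 and len(body) >= 8:                     # UDP
        sport, dport, ulen = struct.unpack("!HHH", body[:6])
        return Flow("udp", src, sport, dst, dport, body[8:ulen])
    if proto == 6 and len(body) >= 20:                     # TCP
        sport, dport = struct.unpack("!HH", body[:4])
        doff = (body[12] >> 4) * 4
        return Flow("tcp", src, sport, dst, dport, body[doff:])
    return Flow("other", src, 0, dst, 0, body)


def dns_qname(payload: bytes) -> Optional[str]:
    """First question name of a DNS message; queries carry no compression pointers there."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] == 0:
        return None
    labels, i = [], 12
    while i < len(payload):
        n = payload[i]
        if n == 0:
            return ".".join(labels) if labels else None
        if n & 0xC0 or i + 1 + n > len(payload):          # pointer or truncated label
            return None
        labels.append(payload[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return None


def classify(flow: Flow) -> str:
    """Label a flow the way the post describes what it saw on the TUN."""
    if flow.proto == "udp" and flow.dport == 53:
        if flow.dst in DOH_SERVER_IPS and dns_qname(flow.payload) == DOH_HOSTNAME:
            return "bootstrap-dns"   # plain DNS resolving the DoH hostname via the configured IPs
        return "plain-dns"
    if flow.proto == "tcp" and flow.dport == 443 and flow.dst in DOH_SERVER_IPS:
        return "doh"
    return "other"


def classify_all(packets: List[bytes]) -> List[str]:
    out = []
    for p in packets:
        f = parse_ipv4(p)
        out.append(classify(f) if f else "malformed")
    return out


# --- constructed sample packets (not captured traffic) ---------------------------------
def _ipv4_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4(proto: int, src: str, dst: str, body: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0x1234, 0x4000, 64, proto, 0,
                      bytes(int(x) for x in src.split(".")), bytes(int(x) for x in dst.split(".")))
    return hdr[:10] + struct.pack("!H", _ipv4_checksum(hdr)) + hdr[12:] + body


def build_dns_query(name: str) -> bytes:
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0xBEEF, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def build_udp(src: str, sport: int, dst: str, dport: int, payload: bytes) -> bytes:
    # UDP checksum 0 means "absent", which IPv4 permits.
    return build_ipv4(17, src, dst, struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload)


def build_tcp_syn(src: str, sport: int, dst: str, dport: int) -> bytes:
    # 20-byte TCP header, data offset 5, SYN set; checksum left 0 since the parser does not verify it.
    return build_ipv4(6, src, dst, struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0))


SAMPLE_PACKETS = [
    build_udp("10.8.0.2", 50123, "8.8.8.8", 53, build_dns_query("dns.google")),   # bootstrap-dns
    build_tcp_syn("10.8.0.2", 50124, "8.8.8.8", 443),                              # doh
    build_udp("10.8.0.2", 50125, "10.0.0.1", 53, build_dns_query("example.com")),  # plain-dns
]

if __name__ == "__main__":
    for p, label in zip(SAMPLE_PACKETS, classify_all(SAMPLE_PACKETS)):
        f = parse_ipv4(p)
        print(f"{f.proto} {f.src}:{f.sport} -> {f.dst}:{f.dport}  {label}")
```

The practical point for a provider is that the "bootstrap-dns" packets are UDP and must be forwarded like any other UDP flow; if the tunnel only handles TCP, the resolution of dns.google never completes and the DoH connection on :443 never starts.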
