Expected behavior of searchDomains

Based on https://developer.apple.com/documentation/networkextension/nednssettings/searchdomains, we expect the values mentioned in searchDomains to be appended to a single-label DNS query. However, we are not seeing this behavior.

We have a packetTunnelProvider VPN, where we set searchDomains to a DNS suffix (for example: test.com) and we set matchDomains to applications and suffix (for example: abc.com and test.com). When a user tries to access https://myapp, we expect to see a DNS query packet for myapp.test.com. However, this is not happening when matchDomainsNoSearch is set to true. https://developer.apple.com/documentation/networkextension/nednssettings/matchdomainsnosearch

When matchDomainsNoSearch is set to false, we see DNS queries for myapp.test.com and myapp.abc.com.

What is the expected behavior of searchDomains?

My understanding of these settings is pretty much aligned with yours. I would expect that if you have these settings:

dns.searchDomains = ["abc.com", "def.com"]
dns.matchDomains = ["ghi.com", "jkl.com"]
dns.matchDomainsNoSearch = true

then resolving myapp would look for myapp.abc.com and myapp.def.com. If that’s not working, then we’re probably in bug report territory.

Before you do that, however, I want to check how you’re actually resolving the address. Are you sure you’re using the system resolver? For example, Safari, URLSession, or Network framework.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hey Quinn, thank you for your reply. I am seeing this on iOS. An end user enters a single label field in a browser (tested with Safari and Chrome). For example, user enters https://myapp in Safari while my packetTunnelProvider VPN is connected, but we never see the DNS packet.

Thanks for confirming that.

Browsers have a lot of complex logic. If you create a small test app that uses the DNS more directly — for example, by fetching a resource with URLSession — does that have the same problem?

I expect it will, but I just want to be sure.

Also, I want to check some things about how your packet tunnel provider is set up:

  • It’s in destination IP mode, right? As opposed to source app mode? The latter being per-app VPN.
  • Have you set includeAllNetworks? I suspect you haven’t, but I just want to be sure.
  • If you haven’t set that, are you claiming the default route? That is, are you adding a NEIPv6Route.default() value to the includedRoutes property?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
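A small test harness along the lines suggested above, added here as an example and not code from the thread or from Apple: it resolves a single-label name through the system resolver with getaddrinfo and prints the canonical name and addresses. The names `Resolution`, `ResolverError` and `resolveWithSystemResolver` are hypothetical, `myapp` is the sample name from the question, and it is an assumption that the canonical name (when the resolver reports one) is the fully qualified name that answered.

```swift
import Foundation

// Hypothetical helper types for this example.
struct Resolution {
    var canonicalName: String?   // name the resolver reports as canonical, if any
    var addresses: [String]      // numeric addresses returned for the name
}

struct ResolverError: Error { let message: String }

// Resolve `name` with getaddrinfo, i.e. the system resolver that honours the
// DNS settings installed by the tunnel, rather than a hand-built DNS query.
func resolveWithSystemResolver(_ name: String) throws -> Resolution {
    var hints = addrinfo()
    hints.ai_family = AF_UNSPEC
    hints.ai_socktype = SOCK_STREAM
    hints.ai_flags = AI_CANONNAME    // ask for the canonical name as well

    var head: UnsafeMutablePointer<addrinfo>?
    let status = getaddrinfo(name, nil, &hints, &head)
    guard status == 0, let first = head else {
        throw ResolverError(message: String(cString: gai_strerror(status)))
    }
    defer { freeaddrinfo(head) }

    let canonical = first.pointee.ai_canonname.map { String(cString: $0) }
    var result = Resolution(canonicalName: canonical, addresses: [])

    // Walk the linked list and turn each socket address into numeric text.
    var cursor: UnsafeMutablePointer<addrinfo>? = first
    while let entry = cursor {
        var host = [CChar](repeating: 0, count: Int(NI_MAXHOST))
        if getnameinfo(entry.pointee.ai_addr, entry.pointee.ai_addrlen,
                       &host, socklen_t(host.count), nil, 0, NI_NUMERICHOST) == 0 {
            let text = host.withUnsafeBufferPointer { String(cString: $0.baseAddress!) }
            result.addresses.append(text)
        }
        cursor = entry.pointee.ai_next
    }
    return result
}

// "myapp" is the single-label name used in the question above.
do {
    let r = try resolveWithSystemResolver("myapp")
    print("canonical: \(r.canonicalName ?? "(none)") addresses: \(r.addresses)")
} catch let error as ResolverError {
    print("resolution failed: \(error.message)")
}
```

Running it once with matchDomainsNoSearch set to true and once with false, while capturing packets in the tunnel, gives a browser-free comparison of which names are actually queried.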
