Get all Domain names in macos ?

Question

Created May ’21

Replies 6

Boosts 0

Views 1.9k

Participants 4

Hi, I want to get all domain names that my mac queries. I think that NEDNSProxyProvider might be useful but I don't want to handle the flows and redirect them I only want the domain names for logging purposes. Can this be done?

Boost

Answer 1

Hoffman OP

May ’21

https://www.sjoerdlangkemper.nl/2019/05/22/logging-dns-requests-with-internet-sharing-on-macos/ https://www.reddit.com/r/osx/comments/3tsu01/is_there_a_way_to_log_all_dns_queries_on_osx/ Or set up a DNS forwarder or DNS server set up to forward, and log the traffic there.

0

Answer 2

DTS Engineer OP

Apple

May ’21

Can you provide more context for this question? Is this something you plan to deploy widely? Or something you need for your own personal Mac? Or perhaps you’re targeting a managed environment, like a school or a business?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 3

DTS Engineer OP

Apple

May ’21

If this is possible I plan on deploying it on a business environment with around 10k macos users.

Do you need to do this on device? The alternative is to configure these Macs to use a corporate DNS server and do the logging there.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 4

DTS Engineer OP

Apple

Jun ’21

Accepted Answer

What are my options for doing this on device from a system extension?

There’s no sysex mechanism for just logging DNS queries. As you’re aware, NEDNSProxyProvider allows you to intercept all queries, but it requires you to handle them as well.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

1

Answer 5

santalvarez OP

Jun ’21

Would this work? Just accessing the NEAppProxyFlow and returning true without having to handle the flow

   // NEDNSProxyProvider
    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        NSLog("DNSProxyProvider: handleFlow")
        if let tcpFlow = flow as? NEAppProxyTCPFlow {
            let remoteHost = (tcpFlow.remoteEndpoint as! NWHostEndpoint).hostname
            let remotePort = (tcpFlow.remoteEndpoint as! NWHostEndpoint).port
            // Do whatever I want with this data
        } else if let udpFlow = flow as? NEAppProxyUDPFlow {
            let localHost = (udpFlow.localEndpoint as! NWHostEndpoint).hostname
            let localPort = (udpFlow.localEndpoint as! NWHostEndpoint).port
            // Do whatever I want with this data
        }
        return true
    }

0

Answer 6

DTS Engineer OP

Apple

Jun ’21

Would a NEDNSTransparentProxyProvider be something you guys would consider adding in the future or is that impossible?

Speaking for DTS, the org that Matt and I work for, we don’t add features to the OS and so we can’t comment on that. If you want to have your request seen by folks who do make these changes, file an enhancement request that describes your requirements.

Oh, and don’t skip that last bit. If you want the NE team to take your request seriously, you have to explain the background to your product and why the existing solutions don’t work for you.

Please post your bug number, just for the record.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

1