NEAppProxyUDPFlow open fails immediately under certain circumstances

Question

Created Oct ’22

Replies 3

Boosts 0

Participants 2

Hey There. I'm working on a NEDNSProxyProvider for Mac. Most of it it working quite well, however we see the following events occurring regularly:

our handleNewUDPFlow implementation gets called.
as per the documentation, we retain the flow, and return true.
We immediately open the flow by calling flow.open
The open error callback occurs straight away with an Error "The peer closed the flow".

I see this particularly when the initialRemoteEndpoint parameter to my handleNewUDP flow is off network. So, for example if my initialRemoteEndpoint is an IP address on my network (i.e. in the non-routable 192.168... network where by default DNS address is), the open works fine. However, I've noticed that a number of applications are making DNS requests aimed at "well known" DNS servers, so the initial endpoint contains a routable address.

In this scenario, as soon as I open the flow, it closes with an error, and I can't honour the request.

Boost

Answer 1

DTS Engineer OP

Apple

Oct ’22

Does that result in a failure within the DNS client? If not, I’d ignore this issue by simply giving up on the flow.

It’s quite common for networking clients in general to start a connection and then give up on it almost immediately, most notably when implementing Happy Eyeballs v2.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 2

dermdaly OP

Oct ’22

So, firstly Yes. It does look like in some cases they are using "Happy Eyeballs", because in some cases, I see the first UDP Flow as IPv6 targeting a "well known" DNS server. I attempt the open, and the peer closes it. Immediately after, I see another new UDP flow, this time over IPv4 targeting the same "well known" DNS server ;but again the flow is immediately closed by the peer.

I thought the NEDNSProxy would appear transparent to the peer, (i.e. it is oblivious to the fact there's a network extension in the mix).

Now, I'm not so sure. Either way ,it does feel like a lot of DNS traffic that my proxy is not getting to take part in. (I've seen these connections come from Brave browser, Slack and Also safari (though this could be an extension).

0

Answer 3

DTS Engineer OP

Apple

Oct ’22

Either way, it does feel like a lot of DNS traffic that my proxy is not getting to take part in.

If you’re concerned about that, use an RVI packet trace to see what’s actually going out on the ‘wire’.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0