Actually configure the DNS #3

Closed
opened 2026-04-13 13:04:34 +00:00 by irl · 11 comments
Owner

Actually configure the DNS, making sure to change the settings if the DNS blocklist choice is updated.

We could add a canary record to the DNS server to verify that it's being used correctly, giving a different value depending on the specific server you're expecting to use.

tla was assigned by irl 2026-04-14 16:00:02 +00:00
Collaborator
Is this the full DoH query? https://guardianproject.dev/sr2/cloud-dns-ios/src/branch/main/dns/ViewModel.swift#L56 Or should it be DoT?
Author
Owner

The DoH endpoint is https://{server}/dns-query (e.g. https://dns.sr2.uk/dns-query) and I think you probably have to include the path.

There is also a DoT server on the same IPs but I think DoH is probably best for most users as port 443 is less likely to be firewalled than weird DoT ports.

Collaborator

Is there a good way to test if I'm actually using your resolver?

Like some short-lived DNS resolution which only works with your DNS?

Author
Owner

I'll add a test record in a bit. Something like `test.invalid` can resolve to a web server and that'd let you test in Safari?

Collaborator

Probably. You're the dev-ops guy and should probably know better than me! 😜

Author
Owner
```
dig test.invalid

; <<>> DiG 9.10.6 <<>> test.invalid
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6935
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;test.invalid.                  IN      A

;; ANSWER SECTION:
test.invalid.           3600    IN      A       104.20.23.154
```
Author
Owner

You should see a Cloudflare error page.
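
The canary check discussed in this thread, as an added example (not code from the cloud-dns-ios repository): it builds the RFC 8484 query for `test.invalid` and accepts a reply only when it is a NOERROR response whose single A record matches the value expected for the chosen server. The function names and the sample reply are constructed for illustration; the expected address is the one in the dig output above.

```python
import base64
import ipaddress
import struct

CANARY_NAME = "test.invalid"   # test record named in the thread
EXPECTED_A = "104.20.23.154"   # address in the dig output above

def build_query(name):
    """Wire-format A query; ID 0 as RFC 8484 suggests for DoH."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def doh_get_url(server, name):
    """RFC 8484 GET form: unpadded base64url query in the dns parameter."""
    dns = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return f"https://{server}/dns-query?dns={dns}"

def _skip_name(msg, off):  # offset just past a name (zero label or pointer)
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def parse_a_records(msg):
    """IPv4 addresses from the answer section; [] unless a NOERROR response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000 or flags & 0x000F:   # not a response, or RCODE != 0
        return []
    off, addrs = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4         # QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if (rtype, rclass, rdlen) == (1, 1, 4):
            addrs.append(str(ipaddress.IPv4Address(msg[off + 10:off + 14])))
        off += 10 + rdlen
    return addrs

def uses_expected_resolver(response, expected=EXPECTED_A):
    try:
        return parse_a_records(response) == [expected]
    except (IndexError, ValueError, struct.error):  # truncated or malformed reply
        return False

def sample_response(addr):
    """Constructed reply to build_query(CANARY_NAME); not captured traffic."""
    header = struct.pack("!HHHHHH", 0, 0x8580, 1, 1, 0, 0)   # qr aa rd ra, NOERROR
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + ipaddress.IPv4Address(addr).packed
    return header + build_query(CANARY_NAME)[12:] + rr
```

Fetching `doh_get_url("dns.sr2.uk", CANARY_NAME)` with `Accept: application/dns-message` confirms the server publishes the canary. To confirm a device is using that server, apply the same comparison to an answer obtained through the system resolver.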

Author
Owner

Right now if I try to enable I get:

```
Failed to send a 6 message to nehelper: <dictionary: 0x1e70b0b70> { count = 1, transaction: 0, voucher = 0x0, contents =
	"XPCErrorDescription" => <string: 0x1e70b0ce0> { string cache = 0x0, length = 18, contents = "Connection invalid" }
}
Failed to load configurations: Error Domain=NEConfigurationErrorDomain Code=11 "IPC failed" UserInfo={NSLocalizedDescription=IPC failed}
Error loading preferences: Error Domain=NEConfigurationErrorDomain Code=11 "IPC failed" UserInfo={NSLocalizedDescription=IPC failed}
Error storing preferences: Error Domain=NEDNSSettingsErrorDomain Code=3 "(null)"
```

It then turns itself off again.

In the simulator, which maybe doesn't work for this?

Collaborator

Simulator isn't working with all things Network Extensions.

Collaborator

On a real device, the installed settings can actually be found in

`Settings > General > VPN & Network > DNS`

…and need to be manually activated by the user. No hints from the OS, impossible to send users straight there.

Will need UI to explain.

(And app will need to be slightly restructured to adapt to this reality.)

tla was unassigned by irl 2026-04-16 11:07:58 +00:00
Author
Owner

The feature is implemented, UI is another issue.

irl closed this issue 2026-04-16 11:08:31 +00:00
Reference: sr2/cloud-dns-ios#3