DNSCrypt / dnscrypt-proxy

dnscrypt-proxy 2 - A flexible DNS proxy, with support for encrypted DNS protocols.
https://dnscrypt.info
ISC License

[Thread] dnscrypt-proxy on iOS #42

Closed jedisct1 closed 4 years ago

jedisct1 commented 6 years ago

DNSCloak takes advantage of the DNS proxy provider system introduced in iOS 11 to bring the DNSCrypt protocol to Apple devices. Devices don't have to be jailbroken to install this software.

This is great, but it apparently uses code from dnscrypt-proxy v1, it is not opensource and lacks interesting features such as logging and filtering.

A similar, opensource application for iOS would be terrific!

s-s commented 6 years ago

>>> TestFlight <<<

Have already ported v2 to iOS (since first betas), with filtering and logging. Waiting for a stable version to release it. Also requires some testing - if anybody is interested, I may release it under TestFlight.

PS: The lack of features is due to the dynamic nature of plugin loading in v1.

s-s commented 6 years ago

BTW it is not a DNS proxy provider (since that is limited to supervised devices), but a generic packet tunnel. So, it would run on iOS 10 as well, and maybe on iOS 9 (there is three times less memory available for network extensions compared to iOS 10).

Snapy commented 6 years ago

FYI https://github.com/AdguardTeam/AdguardForiOS/issues/585

jedisct1 commented 6 years ago

@s-s So, this is using NEKit? This is even better!

I'd love to testflight it.

s-s commented 6 years ago

@jedisct1, no, it is a simple NEPacketTunnelProvider (it is required to run client code in background + set up the iOS DNS resolver to that client) + thread wrapper for client + client built as static libs (v1) / framework built with gomobile (v2). I’ll release v2 framework build environment later, so someone may use it for macOS / opensource iOS client.

I’ll try to put v2 into TestFlight tomorrow.

PS: NEKit is great by itself (it is a framework to route traffic through a set of proxies), but it is absolutely not required here. All the “magic” is done with native NEDNSSettings of NetworkExtension framework. I’m very surprised that nobody has ported dnscrypt-proxy to iOS previously.

jamespoore commented 6 years ago

+1 for Testflight. Would be happy to assist with user testing of your app @s-s.

@jedisct1 top work for the v2 implementation, very pleased so far.

jedisct1 commented 6 years ago

Been testing the new DNSCloak for a couple days, and it works really well.

I just had an issue after the installation. "Start" didn't do anything, and I couldn't choose a resolver either. Maybe because I had the previous (non-testflight) version previously installed.

I uninstalled everything and reinstalled the beta. "Start" didn't do anything, which makes sense since no resolver was selected, but still feels a bit confusing. But I could then pick a resolver, hit start, and watch the query log fill itself with queries.

hcarrega commented 6 years ago

Just want to try TestFlight too

s-s commented 6 years ago

@hcarrega, added you to TestFlight, check your email. @jamespoore, please send me an email at sergey [dot] smirnov [dot] dev [at] gmail [dot] com - Apple requires an email to send an invitation. I'll try to put up a fresh TestFlight build this weekend - a little busy with work...

hcarrega commented 6 years ago

Thanks ;)

jedisct1 commented 6 years ago

Hi @s-s -- Just to mention that the new version you pushed on Testflight is really good!

It works perfectly. Looking forward to seeing it on the AppStore!

jedisct1 commented 6 years ago

You may want to upgrade the proxy to the latest version though :)

jedisct1 commented 6 years ago

@s-s Just one thing: "filters" should be "no filters": the "filters" label is currently displayed for resolvers that do not filter :)

tmasiff commented 6 years ago

Also want to try if you can. TestFlight: Temadrakula@gmail.com

s-s commented 6 years ago

@jedisct1, thank you for pointing out the filter flag, fixed! :) Also upgraded to the latest version (was short on time on Friday, stuck with a types mess @ gomobile). I'll upload a new TF build soon. As for the App Store - I want to implement a couple of things before release - add a passcode lock for parental control and move to dnscrypt-proxy managed caches as a source for the app's list (as a step toward exposing a config editor).

@tmasiff, done, check your email.

jedisct1 commented 6 years ago

Don't rush, I'm gonna upload a new proxy version tonight (just to fix a recently reported bug with DoH servers where IP addresses were not specified).

ghost commented 6 years ago

@jedisct1 AdGuard Pro iOS is opensource, allows inclusion of custom DNSCrypt servers & has a wonderful filtering mechanism. TestFlight it & see for yourself.

jedisct1 commented 6 years ago

I bought it, and didn't find any DNSCrypt support in it :(

ghost commented 6 years ago

@s-s I’m in agreement with @jedisct1 regarding the latest TestFlight of DNSCloak - it works quite nicely. I’d like to see a mechanism to include custom DNSCrypt servers, however. Also a nice enhancement for the use TCP only rule would be an explanation regarding its usefulness running it over TOR. @mtigas maintains https://GitHub.com/mtigas/OnionBrowser which is the only officially endorsed - by the TOR Project - iOS TOR browser.

ghost commented 6 years ago

@jedisct1 - you’ve got to use the beta via TestFlight. Hop over to the git repo https://github.com/AdguardTeam/AdguardForiOS & let @ameshkov know you’d like to use it. Edit: Even simpler, here’s the short form to fill out https://docs.google.com/forms/d/e/1FAIpQLSf5JWqO_Qsdri1nwJphse46Qk48YHVyc3IZs1l-XmJ3ff0dDQ/viewform

ameshkov commented 6 years ago

We've just finished with the first implementation that will be released next week, but it is based on dnscrypt-proxy v1. Once it's released, we'll push the code to GH.

Using dnscrypt-proxy v2 is on our roadmap.

@jedisct1 regarding beta test application, I can see yours, gimme a minute:)

s-s commented 6 years ago

@X8716e, custom static resolvers and lists will be available with config editor (will be added a little bit later). As for Tor, I'll mention it, but keep in mind that Tor and dnscrypt-proxy will not work simultaneously on a (non-jailbroken) iOS device for many reasons, most of them are iOS limits. The only scenario I see is to put a Tor middlebox in front of an iOS device with dnscrypt-proxy. But I'd prefer to move dnscrypt-proxy on that middlebox device in this scenario. As for OnionBrowser - all (well, there is an exception, but its existence in the App Store is just a matter of time) "Tor browser" implementations on iOS do name resolutions via SOCKS proxy provided by Tor client. Just because they have no other way to customize resolver settings. They just can't use dnscrypt-proxy (proxied to the same Tor client).

tmasiff commented 6 years ago

Thanks )

ghost commented 6 years ago

@s-s Mostly accurate info; however I’m concerned with the dismissal of TCP as useful. It gives the impression to any who know no better that why try to learn anything on the subject since the developer of this proprietary software is saying there’s no need to do so. I wrongly assumed your application was opensource. Why? Because you’re here on GitHub. My mistake, and one that won’t happen again. Regarding running DNSCrypt concurrently with TOR via SOCKS, there are definite ways to go about doing it. Ideally, simply entering & exiting TOR via DNSCrypt & minimising the connection time to your chosen DNSCrypt server is how most would want to use the mix. Other alternatives exist, though they rely a lot on your level of trust in the DNSCrypt provider. As for asking “how”, well, I’m sure you’ll figure it out ;)

EDIT: @jedisct1 Apologies for a convo that should be taking place on the dev’s project page instead of hijacking space on your own. It’s not possible, however, and I’ll respond no further to said dev. Thanks for your understanding

jedisct1 commented 6 years ago

@s-s The release candidate is perfect! Really nice. This makes it by far the best DNS changing tool on mobile platforms.

I just had a case where I was stuck in the settings page. Close didn't do anything, other controls didn't work any more either. I'm gonna try to find a sequence to reproduce this.

s-s commented 6 years ago

@jedisct1, thank you, but all credits should go to you actually - I’m just wrapping UI around your client.

It seems that I’ve found what you are writing about - stuck due to conflicting modals, I’ll make a relayout to fix this problem and one more with logs modal. So, there would be rc2...

Actually, there is still a lot of work to be done: I want to expose as much as possible of dnscrypt-proxy original features. The next big things should be config editor (it would be simpler to edit a couple of lines than have a complex UI as well as adding custom lists and static resolvers, which in fact are already supported ;), forwarding and cloaking, then blacklists (they may be tricky due to iOS behavior).

As for “proprietary”, of course, you can judge me for that, but I don’t want to produce the hell of “yet-another-cl0kdNs-clone-with-brand-new-unique-created-by-myself-icon-buy-now-for-the-only-$0.99” copies which the App Store is all about (AS review policies just don’t work or work against the original developer). This is frustrating and demotivates a lot. I’m a dev and I want to spend my time on development, not on fighting with copycats. So, choosing between keeping project “proprietary” (in fact - not) or not touching the theme at all I’ve decided to select the first one, at least for the first time. The mentioned Mike’s OB and many other devs that were making opensource projects for iOS got stuck with exactly the same problem.

yurykk commented 6 years ago

Hi @s-s, do you have an estimate of when the "config editor" will be released, or maybe it's possible to participate in beta-testing?

s-s commented 6 years ago

@yurykk, it has already been present in beta builds since the middle of March. The release build was uploaded to ITC ASC several hours ago and will be available on the App Store after Apple's review (usually 1-2 days). If you would like to participate in the beta test - just send me an email at sergey [dot] smirnov [dot] dev [at] gmail [dot] com, Apple requires your email to send a TestFlight invite.

tuannv19 commented 5 years ago

@jedisct1, no, it is a simple NEPacketTunnelProvider (it is required to run client code in background + set up the iOS DNS resolver to that client) + thread wrapper for client + client built as static libs (v1) / framework built with gomobile (v2). I’ll release v2 framework build environment later, so someone may use it for macOS / opensource iOS client.

I’ll try to put v2 into TestFlight tomorrow.

PS: NEKit is great by itself (it is a framework to route traffic through a set of proxies), but it is absolutely not required here. All the “magic” is done with native NEDNSSettings of NetworkExtension framework. I’m very surprised that nobody has ported dnscrypt-proxy to iOS previously.

Hi @s-s, can't you share with me some way to port this project with gomobile to a framework for iOS? I want to learn how to build a sample iOS project using this. But I'm a newcomer to Go.

s-s commented 5 years ago

@tuannv19, I don't know any other way to port (any) project besides reading the docs (and sources sometimes) for the build tools, then trying to build the project and checking for errors, refactoring/fixing/rewriting project sources (and build tools sometimes), then iterating over and over until there are no build errors. Specifically for building dnscrypt-proxy (or any other Go project) as an iOS framework, most of the answers can be found in the docs (https://godoc.org/golang.org/x/mobile/cmd/gomobile, https://godoc.org/golang.org/x/mobile/cmd/gobind).

tuannv19 commented 5 years ago

@s-s thank you. Can you help me? I had some issue when running on iOS: https://github.com/jedisct1/dnscrypt-proxy/issues/637

michael1900 commented 5 years ago

@s-s hi, I am using the last Cloak version available on the iOS store, but even if Connect On Demand is enabled, when I switch from Wi-Fi to mobile connection or vice versa, it's also necessary to stop and start the dnscrypt proxy again. Is there a solution?

tuannv19 commented 5 years ago

@s-s after porting dnscrypt-proxy to an iOS framework, I only need to start the dnscrypt-proxy-ios framework, replacing with the current dnscrypt-proxy IP and port, isn't it?

About the log for dnscrypt-proxy-ios (framework converted from the original Go): how do you show the log in the console? I start dnscrypt-proxy-ios in the network extension but can't see any log. If I start it in the main app, everything is okay. How can I fix it?

s-s commented 5 years ago

@tuannv19, I don't understand what is "current dnscrypt-proxy ip and port". In order to start (vanilla) dnscrypt-proxy v2 (framework or binary, iOS or anywhere, no matter) you need to provide it a valid config file. If it doesn't fit your needs - you may rewrite the initialization part. Also I don't understand what log and console you are referencing. dnscrypt-proxy v2 uses the dlog package for logging purposes, which writes to STDERR by default. You can set up logging into a file using the dnscrypt-proxy v2 config file or by redirecting STDERR there. If you are referencing Device Console / Console.app - STDERR doesn't go there. If you are referencing Xcode's Output console - first, all app extensions are separate processes, second, Xcode doesn't attach output when you attach the debugger to a process. You can log into a file or device console in such scenarios.
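The two points made in this thread (a plain NEPacketTunnelProvider that points the system resolver at the local client through NEDNSSettings, and STDERR from the extension process being redirected to a file) can be sketched as follows. This is an added example, not DNSCloak's or dnscrypt-proxy's code: the `DNSProxyRunner` protocol, the app group identifier, the file names, the loopback listen address and the dummy interface address are all assumptions.

```swift
import Foundation
import NetworkExtension

/// Hypothetical interface of a gomobile-built proxy framework (not shown in the thread).
protocol DNSProxyRunner {
    func run(configPath: String)   // assumed to block while the proxy serves queries
}

enum TunnelError: Error { case noSharedContainer, noRunner }

final class PacketTunnelProvider: NEPacketTunnelProvider {
    private let appGroup = "group.example.dnsproxy"   // hypothetical app group
    private let listenAddress = "127.0.0.1"           // assumed to match the proxy's listen address
    var runner: DNSProxyRunner?                       // wrapper around the Go framework

    /// Point file descriptor 2 at a file so output written to STDERR
    /// by the proxy's logger is kept; the extension has no console attached.
    private func redirectStderr(to url: URL) {
        let fd = open(url.path, O_WRONLY | O_CREAT | O_APPEND, 0o600)
        guard fd >= 0 else { return }
        dup2(fd, STDERR_FILENO)
        close(fd)
    }

    override func startTunnel(options: [String: NSObject]?,
                              completionHandler: @escaping (Error?) -> Void) {
        guard let dir = FileManager.default
                .containerURL(forSecurityApplicationGroupIdentifier: appGroup) else {
            return completionHandler(TunnelError.noSharedContainer)
        }
        guard let runner = runner else { return completionHandler(TunnelError.noRunner) }

        // Log file lives in the shared container so the main app can display it.
        redirectStderr(to: dir.appendingPathComponent("proxy-stderr.log"))

        // "Thread wrapper for client": the proxy runs for the tunnel's lifetime.
        let config = dir.appendingPathComponent("dnscrypt-proxy.toml").path
        Thread { runner.run(configPath: config) }.start()

        // No routes are included, so no IP traffic enters the tunnel;
        // only the resolver configuration changes.
        let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: listenAddress)
        settings.ipv4Settings = NEIPv4Settings(addresses: ["192.0.2.1"],        // constructed dummy address
                                               subnetMasks: ["255.255.255.255"])
        let dns = NEDNSSettings(servers: [listenAddress])
        dns.matchDomains = [""]   // empty string: use this resolver for every domain
        settings.dnsSettings = dns
        setTunnelNetworkSettings(settings, completionHandler: completionHandler)
    }
}
```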

s-s commented 5 years ago

Sad news for everyone interested in iOS implementation in general and DNSCloak in particular - Apple has removed the app from the App Store.

Long story short: last summer they changed the App Store Review Guidelines - all apps that utilize VPN related API (the only way to alter network settings on vanilla iOS) must be submitted by companies or organizations, not by individual developers. (I understand the reason for such policy change, but the problem is that Apple applies it blindly to any case of VPN API usage.)

Technically DNSCloak is not rejected (since it doesn’t violate anything), it’s more like a temporary status change. Also, it is still available via TestFlight. But to make it available again in the App Store Apple awaits from me an app transfer from my individual account to some company or organization account.

Currently I’m evaluating available options and possible risks for the future of DNSCloak.

It would be great to hear your thoughts.

jedisct1 commented 5 years ago

This is extremely sad news.

And I don't fully understand why a distinction is made between apps submitted by a company/organization and by an individual.

DNSCloak is by far the best DNS app ever written for a mobile platform. It being banned would be a huge loss.

ameshkov commented 5 years ago

But to make it available again in the App Store Apple awaits from me an app transfer from my individual account to some company or organization account.

@s-s why is it not viable to register a company account? It'll take some time indeed, but there're no serious risks there.

If you 100% want to avoid messing with a company account, I guess we can try to help you with publishing DNSCloak. You know my Telegram username, we can discuss the details there or in person when I am back to Moscow.

moba commented 5 years ago

Sounds like we might be able to help ( www.techcultivation.org, a non-profit company based in Germany serving as "legal host" for free software projects ). You can find us on OFTC #techcultivation or get in touch via email.

peterlewis commented 5 years ago

It might be worth having a chat with @keeshux as I believe that he was in a similar position with his OpenVPN app, Passepartout.

s-s commented 5 years ago

@jedisct1, @ameshkov, @moba, @peterlewis, everyone from Twitter and Reddit - thank you all for your help! I have contacted techcultivation.org and hope that we can make a collaboration.

@jedisct1, IMHO there are two main reasons for such policy changes:

  1. Roots come from China’s VPN regulations. In order to run a VPN service in China one needs a license from their government. This license can be obtained by a (China located) company only (I can be mistaken). Apple first introduced such ASRG changes two years ago, by requiring a company to have all appropriate licenses for all target countries.
  2. Facebook - Cambridge Analytica scandal. App Store has tons of different VPN and proxy apps. A lot of them don’t disclose their data usage/privacy policies (they were optional to provide till iOS 12 release). In fact iOS developer (depending on the used features) has up to a full access to raw network traffic transferred via his network extension/VPN profile, so it can be used in many ways besides expected data transfer from point A to point B.

I guess Apple as a distributor wants to limit their risks by decreasing the subset of such apps artificially. Also companies are more comfortable to sue with. Just business. IMHO main problem here is that Apple doesn’t look deep into specific use cases/implementations (I’ve tried to influence it and to talk to their representatives several times over the last two years but without much success). Either it is a secure DNS protocol client, Tor network client, HTTP(S)/SOCKS proxy, local filtering proxy of any form or even some exotics like TCP-over-ICMP (ptunnel) - they are all “VPNs” for Apple, just because you are using the same network extension framework provided by native iOS SDK and have no other options. Even if you have no access to transferred data itself, no backend services and/or making them fully user customizable, you are a VPN service. Duck typing as it is.

@ameshkov, thank you for the proposition! I really appreciate your help! Honestly, I think that our country is not the best option for such organization for many reasons (mostly due to “VPN changes” for 149-FZ in 2017 - you know that this law defines such services too broadly, so almost anything fits it - this may cause various consequences to a company located here). However I believe we are going to meet each other in person sooner or later. :)

@peterlewis, as far as I see Passepartout is available via TestFlight only. TestFlight has a looser review process (in practice only some checks are applied, only the first build within any specific version is checked, then you can push as many builds with any changes but the same version as you want without any review). I’ll try to contact @keeshux, but I guess he is going the same way.

cleanbrowsing commented 5 years ago

@s-s @jedisct1 If we can help in any way, let us know. We have a corporate account and would be happy to help. We love DNSCloak.

tekman8 commented 5 years ago

Thanks for the add to Testflight! Truly missed this fantastic app. :)

Payu96 commented 5 years ago

Is it possible that I get the IPA (to sign the App myself) or a Testflight invitation? Mail: testflight@payerl.eu

jedisct1 commented 5 years ago

Until this is resolved, it would be nice to keep this thread about how to get the software back to the store, rather than ask the author to send individual copies to everyone. Thanks.

ZonD80 commented 5 years ago

I can provide you access to European legal entity (we have corporate account on apple store) PS: live in Moscow, so we can meet IRL. You can contact me via telegram with my nickname.

Daou commented 5 years ago

I think going with http://www.techcultivation.org/ is a great option. If that doesn’t work out I can offer https://www.smal.de which is a software agency owned by me and based in Munich, Germany 🇩🇪 But let’s see, tech cultivation sounds like an ideal place for the app.

moba commented 5 years ago

We have agreed to host it, and are currently waiting for Apple's validation of our account. We even found a spare Apple device to use for their mandatory proprietary 2FA. :)

lancelot-moon commented 5 years ago

Hi, I like DNSCloak. Why was only DNSCloak taken off from app store? Sergey's other apps which use VPN API are still on app store if you say that Apple doesn't allow individual developers using VPN API. ex: AdCloak...

hcarrega commented 5 years ago

Orcloak is off too. Since I trialed Orcloak, I can still subscribe

hcarrega commented 5 years ago

Btw, do people who were previously on TestFlight still continue getting updates?