diff options
| author | Emīls <emils@mullvad.net> | 2023-02-01 14:06:36 +0100 |
|---|---|---|
| committer | Emīls <emils@mullvad.net> | 2023-02-01 14:06:36 +0100 |
| commit | 51e02fbb4605616c9ffa838f815bb89bb9dda1c7 (patch) | |
| tree | 4e1f839567df413b911d95a2093d7be3c4e27c8d /docs | |
| parent | 5e86e08df425ee94d901c00cd406bc38fc9c24f7 (diff) | |
| parent | 862904a45867471a99caf3b1d7bc860115e5186c (diff) | |
| download | mullvadvpn-51e02fbb4605616c9ffa838f815bb89bb9dda1c7.tar.xz mullvadvpn-51e02fbb4605616c9ffa838f815bb89bb9dda1c7.zip | |
Merge branch 'add-extra-hostname'
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/allow-macos-network-check.md | 16 |
1 files changed, 11 insertions, 5 deletions
diff --git a/docs/allow-macos-network-check.md b/docs/allow-macos-network-check.md index dc2c9cd510..30fe849b9e 100644 --- a/docs/allow-macos-network-check.md +++ b/docs/allow-macos-network-check.md @@ -6,20 +6,26 @@ daemon relies on the routing table to obtain a default route to route traffic to and since macOS's network reachability seemingly does too, the daemon won't be able to connect to a relay and thus stay in the blocked state for a prolonged time. The default route is only published when macOS finishes or times out its captive portal check. The captive portal check involves -looking up `captive.apple.com` and issuing an HTTP request to the resolved address, and by default, -if the app is blocking traffic, none of these network operations can take place, so the timeout is -always incurred, which forces the app into the offline error state for a prolonged time. +looking up specific captive portal domains and issuing an HTTP request to the resolved address, and +by default, if the app is blocking traffic, none of these network operations can take place, so the +timeout is always incurred, which forces the app into the offline error state for a prolonged time. To not have to wait for macOS to time out its captive portal check, the app should allow the captive portal check even when it's in a blocking state, whilst still blocking all arbitrary DNS traffic. However, only a DNS response is required to appease the connectivity check - and it doesn't even need to be valid. As such, during blocked states the app can run a custom resolver that only -responds to queries for `captive.apple.com` to allow macOS to do its connectivity check. Since no +responds to queries for captive portal domains to allow macOS to do its connectivity check. Since no lookups have to be made, no traffic needs to be leaked. # Overcoming these issues in the daemon. To allow the connectivity check to pass when blocking traffic, the daemon runs a custom resolver that listens only on localhost on an arbitrary port. Traffic to it is only redirected during blocked -states. The resolver only replies to queries for `captive.apple.com`. The resolver won't actually +states. The resolver only replies to queries for captive portal domains. The resolver won't actually send any packets besides replying to DNS query that originates from localhost. + +### List of currently known captive portal domains + +- `captive.apple.com` +- `netcts.cdn-apple.com` + |