Security model
How SwiftSieve handles DNS traffic.
SwiftSieve is a DNS filtering tool, not a VPN service. It is designed to block known trackers (and anything else you want to block) at the DNS layer using Apple’s DNS Proxy API.
High-level architecture
When you enable SwiftSieve in iOS Settings, the system hands DNS queries to the SwiftSieve DNS Proxy extension instead of sending them directly to the network's configured resolver (typically your ISP's).
- SwiftSieve relies on NEDNSProxyProvider, not a full-tunnel VPN.
- Block lists and the allowlist live in a shared App Group so the extension and app can read the same data.
- Non-blocked DNS queries are forwarded to Cloudflare DoH at https://cloudflare-dns.com/dns-query.
- Blocked domains get an NXDOMAIN response.
Threat model & goals
SwiftSieve targets a narrow, clear threat model. It is built to:
- Reduce contact with tracking and advertising domains by refusing to resolve them over DNS.
- Make it easier to understand what trackers or unwanted domains your apps are attempting to reach over DNS.
- Give users a simple way to block and allow traffic on their devices.
SwiftSieve is explicitly not designed to:
- Provide anonymity or hide your IP address from destinations.
- Break state-level surveillance or stop sophisticated adversaries.
- Replace a full-tunnel VPN for untrusted networks. It operates only at the DNS layer; all other traffic is untouched.
What SwiftSieve does
- Receives DNS queries from iOS via the DNS Proxy API.
- Checks the requested domain against bundled block lists and your own custom lists.
- Applies your allowlist first: any domain on the allowlist is never blocked, even if it appears in a block list.
- For blocked domains, returns NXDOMAIN to the system.
- For allowed domains, forwards the query to Cloudflare using DNS-over-HTTPS.
- Appends blocked domains to a local block log stored in the shared App Group.
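The following Python models the decision path described in the architecture and "What SwiftSieve does" sections above. It is an added illustration, not SwiftSieve's own code (the real extension is Swift built on NEDNSProxyProvider). The sample block list, allowlist and query names are constructed for the example; the suffix-matching rule (a list entry also covers its subdomains) and the use of the RFC 8484 POST form for DoH are assumptions, since the page does not specify either.

```python
import struct

# Constructed sample lists; stand-ins for the lists SwiftSieve keeps in its App Group.
BLOCK_LIST = {"tracker.example", "ads.example.net"}
ALLOW_LIST = {"cdn.tracker.example"}
BLOCK_LOG = []  # stand-in for the block log stored in the shared App Group

DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"  # upstream named on the page


def encode_qname(name: str) -> bytes:
    """Encode a dotted name as DNS labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Build a minimal recursive A query, like the ones iOS hands the proxy."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def parse_qname(msg: bytes, offset: int = 12):
    """Return (lower-cased name, offset just past the name) from the question section."""
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("truncated message")
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            raise ValueError("compression pointer in question name")  # never valid here
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii").lower())
        offset += length


def matches(name: str, entries: set) -> bool:
    """Assumed matching rule: an entry matches itself and every subdomain of it."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in entries for i in range(len(parts)))


def decide(name: str) -> str:
    # Allowlist is consulted first, so an allowlisted name is never blocked.
    if matches(name, ALLOW_LIST):
        return "allow"
    return "block" if matches(name, BLOCK_LIST) else "allow"


def nxdomain_response(query: bytes) -> bytes:
    """Echo the question back with QR=1, RA=1, RD copied, RCODE=3 (NXDOMAIN), no records."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    _, end = parse_qname(query)
    question = query[12:end + 4]  # name + QTYPE + QCLASS
    resp_flags = 0x8000 | (flags & 0x0100) | 0x0080 | 0x0003
    return struct.pack("!HHHHHH", txid, resp_flags, qdcount, 0, 0, 0) + question


def response_rcode(msg: bytes) -> int:
    return struct.unpack("!H", msg[2:4])[0] & 0x000F


def build_doh_request(query: bytes) -> dict:
    """Describe the upstream DoH request (RFC 8484 POST form) without sending it."""
    return {
        "method": "POST",
        "url": DOH_ENDPOINT,
        "headers": {"Content-Type": "application/dns-message",
                    "Accept": "application/dns-message"},
        "body": query,
    }


def handle_query(query: bytes):
    """Return ("block", nxdomain_bytes) or ("forward", doh_request) for one query."""
    name, _ = parse_qname(query)
    if decide(name) == "block":
        BLOCK_LOG.append(name)
        return "block", nxdomain_response(query)
    return "forward", build_doh_request(query)


if __name__ == "__main__":
    for qname in ("tracker.example", "cdn.tracker.example", "www.ads.example.net", "apple.com"):
        kind, _ = handle_query(build_query(0x1234, qname))
        print(f"{qname:24} -> {kind}")
    print("block log:", BLOCK_LOG)
```

The order of checks in `decide` is the security-relevant detail: the allowlist wins outright, so a name added to it is forwarded upstream even when a bundled block list names its parent domain. The response for a blocked name carries no answer or authority records, which is enough for the client to fail the lookup, as the page describes.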
What SwiftSieve does not do
- Does not intercept or decrypt HTTPS traffic. Only DNS queries are inspected, so connections to hard-coded IP addresses, or lookups an app performs through its own encrypted resolver, are not filtered.
- Does not redirect blocked domains to another host; iOS simply receives NXDOMAIN. This means that your device will just fail to resolve the domain.
- Does not implement ANY SDKs or tracking services whatsoever. If this canary is removed, you can consider that SwiftSieve has been compromised. (Canary as of February 2025.)
- Does not act as a generic web proxy or content filter beyond DNS.
Cloudflare as your system-wide DNS upstream resolver
At this time, SwiftSieve sends all non-blocked DNS queries to Cloudflare over DNS-over-HTTPS, so Cloudflare sees every query SwiftSieve does not block:
- Endpoint: https://cloudflare-dns.com/dns-query
- There is no way to configure a different upstream resolver in this version. This is something we may add in the future, but for now, it is just Cloudflare!
- You can review Cloudflare's public documentation for details on how they handle DNS queries here: Cloudflare DNS-over-HTTPS FAQ.
Code transparency
The DNS proxy extension and app code live in the public GitHub repo. You can audit the implementation, open issues, or submit pull requests:
Questions or reports
If you spot a security issue, have questions about the implementation, or want to discuss improvements, please reach out:
- Email: support@swiftsieve.com
- Or if it is not sensitive, open an issue in the GitHub repo.