Security model

How SwiftSieve handles DNS traffic.

SwiftSieve is a DNS filtering tool, not a VPN service. It is designed to block known trackers (and anything else you want to block) at the DNS layer using Apple’s DNS Proxy API.

High-level architecture

When you enable SwiftSieve in iOS Settings, the system sends DNS queries to the SwiftSieve DNS Proxy extension instead of directly to a local resolver or your ISP's DNS resolver.

  • SwiftSieve relies on NEDNSProxyProvider, not a full-tunnel VPN.
  • Block lists and the allowlist live in a shared App Group so the extension and app can read the same data.
  • Non-blocked DNS queries are forwarded to Cloudflare DoH at https://cloudflare-dns.com/dns-query.
  • Blocked domains get an NXDOMAIN response.

Threat model & goals

SwiftSieve targets a narrow, clear threat model. It is built to:

  • Reduce tracking and advertising domains that rely on DNS lookups.
  • Make it easier to understand what trackers or unwanted domains your apps are attempting to reach over DNS.
  • Give users a simple way to block and allow traffic on their devices.

SwiftSieve is explicitly not designed to:

  • Provide anonymity or hide your IP address from destinations.
  • Break state-level surveillance or stop sophisticated adversaries.
  • Replace a full-tunnel VPN for untrusted networks. It only works via DNS.

What SwiftSieve does

  • Receives DNS queries from iOS via the DNS Proxy API.
  • Checks the requested domain against bundled block lists and your own custom lists.
  • Applies your allowlist first: any domain on the allowlist is never blocked, even if it appears in a block list.
  • For blocked domains, returns NXDOMAIN to the system.
  • For allowed domains, forwards the query to Cloudflare using DNS-over-HTTPS.
  • Appends blocked domains to a local block log stored in the shared App Group.
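The decision sequence in the list above, as an added example that is not SwiftSieve's own code (the real extension is Swift on NEDNSProxyProvider): a raw DNS query is parsed, the allowlist is consulted before the block lists, a blocked query is answered with NXDOMAIN, and an allowed one is handed back untouched for the upstream forwarder. Subdomain matching and the sample list entries are assumptions.

```python
import struct

ALLOWLIST = {"cdn.example.com"}                       # constructed sample lists
BLOCKLIST = {"tracker.example.com", "example.com"}

def parse_qname(msg: bytes, offset: int = 12):
    """Decode the first question's name from a wire-format DNS message and return
    (lower-cased name, offset past it); a compression pointer is rejected here."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            raise ValueError("compressed name in question section")
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii").lower())
        offset += 1 + length

def _matches(name: str, entries) -> bool:
    # Assumption: a list entry covers the domain itself and all its subdomains.
    return any(name == e or name.endswith("." + e) for e in entries)

def decide(name: str) -> str:
    """Allowlist is applied first, then the block lists; anything else is forwarded."""
    if _matches(name, ALLOWLIST):
        return "forward"
    if _matches(name, BLOCKLIST):
        return "block"
    return "forward"

def nxdomain_response(query: bytes) -> bytes:
    """Reply with the same ID, QR=1, RD copied, RCODE=3, and the question echoed."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    _, end = parse_qname(query)
    end += 4                                          # skip QTYPE and QCLASS
    rflags = 0x8000 | (flags & 0x0100) | 0x0003
    return struct.pack("!HHHHHH", txid, rflags, qdcount, 0, 0, 0) + query[12:end]

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed A/IN query with RD set, for exercising the code offline."""
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def handle(query: bytes):
    """Return ('block', NXDOMAIN bytes) or ('forward', the untouched query for upstream DoH)."""
    name, _ = parse_qname(query)
    verdict = decide(name)
    if verdict == "block":
        return verdict, nxdomain_response(query)
    return verdict, query
```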

What SwiftSieve does not do

  • Does not intercept or decrypt HTTPS traffic. Only DNS queries are inspected.
  • Does not redirect blocked domains to another host; iOS simply receives NXDOMAIN, so your device just fails to resolve the domain.
  • Does not implement ANY SDKs or tracking services whatsoever. If this canary is removed, you can consider that SwiftSieve has been compromised. (Canary as of February 2025.)
  • Does not act as a generic web proxy or content filter beyond DNS.

Cloudflare as your system-wide DNS upstream resolver

At this time, SwiftSieve sends all non-blocked DNS queries to Cloudflare DNS-over-HTTPS:

  • Endpoint: https://cloudflare-dns.com/dns-query
  • There is no way to configure a different upstream resolver in this version. This is something we may add in the future, but for now, it is just Cloudflare!
  • You can review Cloudflare’s public documentation for details on how they handle DNS queries here: Cloudflare DNS-over-HTTPS FAQ.

Code transparency

The DNS proxy extension and app code live in the public GitHub repo. You can audit the implementation, open issues, or submit pull requests:

SwiftSieve2 on GitHub

Questions or reports

If you spot a security issue, have questions about the implementation, or want to discuss improvements, please reach out: