Starting in iOS 26, you can create a new type of filter, a URL Filter, which makes content filtering decisions based on the full URL.
URLs can reveal sensitive information like unique identifiers, or browsing history. Network Extension is designed to allow you to build a content filter that makes accurate filtering decisions based on the full URL. But the URL contents are not revealed to the app, and all database queries to the backend servers are anonymized to protect privacy. The entire chain of backend servers, both Apple’s and your servers, will have no access to any of the content and identity information. URL Filtering is performed with your URL data set, containing URLs you want to block. You provide an on-device prefilter and an off-device database server for URL lookups.
Sounds like a better way to filter traffic than using a custom DNS, because it doesn’t give access to your traffic and it supports filtering entire URLs, not just the domains.
I agree! I’m surprised this wasn’t even discussed more widely. Does Android have an equivalent? Has any iOS developer made any announcements related to this?
So as I mentioned, the only thing you can do with NEURLFilterManager right now is to allow or deny URLs, not selectively route them through a VPN vs. not. See Apple docs here.
There is an existing API that allows per-URL split-tunneling: NETransparentProxyManager, but it is macOS only and very rarely used, so I’m sure there are a lot of bugs.
Another limitation on the technical side is that any per-URL split-tunneling requires that the application use Apple’s Networking APIs to make connections, so that the system knows which URL is being requested. Any app that uses the old BSD sockets interface or does its own DNS resolution (which is what I think most browsers aside from Safari do) will appear to NETransparentProxyManager without the URL information, so it can’t make the correct decision.
My current thinking is that per-URL split-tunneling is best done at the browser level.
Per-App split-tunneling is more feasible, but on iOS, it currently requires that the user’s device be a “managed device” (Apple docs link). We may look into this some more, but we don’t feel comfortable placing our users’ devices under our management.
We really hope that Apple loosens the restrictions on per-app split-tunneling for iOS so that users can self-configure without being a “managed device”, since it seems to be fully implemented already, just with this arbitrary restriction.
My understanding is that it also only works with apps which were installed (and managed) by the MDM, so it’s a no-go for regular App Store apps anyway.
I’m confused. This thread is from 2025, but Adguard has apparently offered this for the last few years. The problem is that Adguard uses a VPN slot, so I can’t do system-level DNS filtering if I want to use ProtonVPN.
If I were to guess, it’s because Apple’s a bit over-protective and doesn’t want VPNs breaking apps selectively, but who knows their internal logic.
Yeah, this is quite annoying with iOS; on macOS you can layer VPNs. For example, I use Tailscale with Obscura on macOS.
However, if you install a DNS profile on iOS or macOS (e.g. NextDNS), you can use it with a VPN as long as the VPN supports it (in Obscura it’s the “Use installed custom DNS profile” option).