back to article Macs, iPhones, iPads to get encrypted DNS – how'd you like them Apples?

Apple this year will boldly go where its peers have gone before by implementing support for encrypted DNS in iOS and macOS. "Starting this year, Apple platforms natively support encrypted DNS," said Tommy Pauly, internet technologies engineer, in a video presentation for Apple's 2020 Worldwide Developer Conference, virtualized …

  1. HildyJ Silver badge
    Thumb Up

    Default?

    Better late than never. But, they really need to make it on by default.

    I'm using Firefox and when I went to check if I had the option, I found that one of the updates had given me the option and enabled it automatically and, if want or need to, I can disable it.

    From a user point of view, this is how it should work.

    1. Steve Davies 3 Silver badge

      Re: Default?

      It is optional because there are a lot of DNS providers out there that still don't support it. Over time, this won't be a problem and the default will be changed to 'ON' and there will still be a lot of teeth gnashing by those who don't like any changes at all.

  2. Kevin McMurtrie Silver badge

    Big G

    Then install Chrome so everything you type into the address bar is collected by the world's largest private data hoarder.

    1. The obvious

      Re: Big G

      By privacy they meant private from everyone else, not from them apparently...

  3. chivo243 Silver badge

    Better late than bleeding edge?

    I thought there were reservations regarding DoH? I thought I read here as well.

    https://www.theregister.com/2020/02/25/mozilla_turns_on_dns_over_https_by_default_for_usa/

    1. Twanky Bronze badge

      Re: Better late than bleeding edge?

      The problem is it can bypass private DNS servers.

      For example, I use a pfsense firewall with DNS which then points to a pihole. This gives me split horizon DNS at the same time as keeping Facebook and the like off my inner networks. If a browser is configured to use DoH then this functionality is compromised.

      Obviously what I'm describing is a small home rig but big boys' and girls' networks can be similarly compromised by a software upgrade of a browser.

      Cloudflare may have promised to be virtuous and not prat-about with the DNS lookups - but I *want* to block or redirect lookups of certain malicious domains.

      1. fwadman

        Re: Better late than bleeding edge?

        The trouble with the increased encryption is that it makes life for everyone a lot harder than it needs to be and most people get very little benefit from it. People have confused the need to know content is not tampered with the need to hid what you are doing. The ill informed mass move to HTTPS makes everything slower because it kills proxies.

        Exactly the same issue with DNS and HTTPS - it's a completely stupid idea and what's worse - it's very hard to block. What this does mean is that going forwards my own top level cert will be installed on machines in my local network and all web traffic will be going via active man-in-the-middle proxying (i.e. my web proxy generates fake SSL certs on the fly and decrypts and re-encrypts traffic). This will allow me to block this mess - however I'm now actively breaking the entire SSL security model.

        Kids these days - havne't got a clue :(

        1) When I'm browsing the BBC new website - I care that the content I get is from them - but it's public content

        1. doublelayer Silver badge

          Re: Better late than bleeding edge?

          If you are already willing to generate a cert, get it into the trust stores, and build a device to MITM your traffic, you might as well just disable encrypted DNS queries on the devices instead. I don't know of anything that prevents you from using cleartext DNS. Finding and switching those settings will take less time and processing than building and running an HTTPS-interrupter.

          If you also want to block encrypted connections, you can find the addresses of the existing (not very many) DoH servers and create firewall rules that drop traffic going to ports 443 or 853 on them. If you are concerned that some piece of software will refuse to honor your DNS settings and will also use a secret resolver, you probably have more to worry about than how it resolves URLs.

        2. Kevin McMurtrie Silver badge

          Re: Better late than bleeding edge?

          I have to upvote this. A digital signature in a trailing header would be so much more efficient for public content. I worked at a company that did this for a lot of internal data that didn't need privacy but did require integrity.

      2. Recluse

        Re: Better late than bleeding edge?

        Going "off topic" if you are already using pfsense, I would highly recommend that you investigate using its inbuilt DNS server (DNS Resolver) along with a superb third party add on package (installed from its package manager) called pfBlockerNG-devel (current version 2.2.5_33) which has massively more functionality than PiHole eg can also block IP's by ASN (auto updating).

        Handy when you block certain domains, the owners of which then hard code IP's in their code to circumvent DNS blocking - yes Microshaft I am looking at you

        1. Probie

          Re: Better late than bleeding edge?

          I use(d) blockerNG to kill of facebook and youtube, unfortunately its virtually impossible to do, unless you have a complete list of every ASN they use, and in the case of youtube etc ,,, you are likely to kill off the google search engine as well. I don't do this because I am worried about anyone knowing my internet habits, I do it to stop the tories screaming about the kids exposure to unsuitable content, like you tube tory adds!!

      3. robidy Silver badge

        Re: Better late than bleeding edge?

        The unintended consequence (there is always one) is corporate will be more likely to decrypt traffic, enterprise grade devices support this.

      4. The Specialist

        Re: Better late than bleeding edge?

        PF you say.

        Here you go:

        pass in quick to $bad_dns rdr-to $adblock_server

        Also you can replace add block with

        https://geoghegan.ca/unbound-adblock.html

        and extend via:

        https://geoghegan.ca/pfbadhost.html

      5. Lotaresco Silver badge

        Re: Better late than bleeding edge?

        " I use a pfsense firewall with DNS which then points to a pihole."

        I'm wondering why you do that. PfblockerNG does everything that a pihole does and it integrates with DNS resolver. It also logs natively on your pfsense firewall so that you can see what's going on and get alerts via the web interface. It even uses the same blocklists as pihole.

  4. Blank Reg

    "late to the party" should be Apple's corporate slogan.

    1. Anonymous Coward
      Anonymous Coward

      I know this might conflict with your ideological aversion to Apple (aka prejudice) but by taking the time they generally get things right and end up with a more robust solution. And I'm not suggesting that their products are perfect by saying this.

    2. bombastic bob Silver badge
      Meh

      considering how Micros~1's phone OS has been such an *EPIC* failure, the award for "late to the party" REALLY belongs to Micros~1 !!!

      And when you consider that the encrypted DNS providers are probably SNOOPING on everything themselves, it's kinda pointless outside of a public wifi or "behind the filtering firewall" setting. Oh, but you get to CHOOSE who snoops on you! O...K...

  5. tip pc Silver badge

    Good & Bad

    1st, i'm using DoH at home, my Pi Hole & Cloud os servers get their dns from cloudflare via a locally hosted DNS -> DoH proxy & dns is dropped on my fw.

    2nd i can block normal DNS at my fw, i can't block https unless i wan to break the internet for my household, or install a proxy.

    i really don't want my local systems being name checked against the internets dns servers, i also don't want any random IoT crap on my net or apps i install on my laptop/phone being able to do dns look ups to stuff i can't block & without me knowing!

    This is good for privacy but terrible for securing your home systems against unfettered outbound comms.

    will be migrating to pfsense soon & will need to build a Man In the middle capable proxy to inspect outbound traffic.

    1. VicMortimer

      Re: Good & Bad

      If a black box IoT device wants to connect to something unsavory, why would it need DNS at all?

      Hardcoded IP addresses work fine for that.

      1. DeKrow

        Re: Good & Bad

        Harcoded IP addresses fits the "built-in obsolescence" mould. Isn't it far too short-sighted though?

      2. The Specialist

        Re: Good & Bad

        No it wouldn't work fine if you are running a proper firewall.

    2. doublelayer Silver badge

      Re: Good & Bad

      Not all of that is as concerning as you imply.

      "2nd i can block normal DNS at my fw, i can't block https unless i wan to break the internet for my household, or install a proxy."

      You can do a pretty good job if you want to. CloudFlare's resolvers on IPV4 are in the range 1.1.1.1-3. So you can set up a firewall rule: Source: [local_addresses] Destination: 1.1.1.1-3, Port: 443, Packets: drop. Do that for a couple providers and DoH becomes difficult.

      "I really don't want my local systems being name checked against the internets dns servers,"

      If you do enter a local address into something that sends it to an external resolver, that resolver won't be able to find the address, so you'll instantly know you have to fix DNS for the affected application to point it at the server that will work and will protect your addresses. While I understand that you might not want to send your internal requests by accident because you're concerned that a resolver will leak them, knowing your internal DNS names really shouldn't be very relevant to an attacker without additional access, and with that additional access the attacker can find them out anyway. In addition, the likelihood of an attacker also running a default DoH server is unlikely, and the encryption on that protocol makes it unlikely that someone could steal them from the traffic to that provider.

      "i also don't want any random IoT crap on my net or apps i install on my laptop/phone being able to do dns look ups to stuff i can't block & without me knowing!"

      I agree wholeheartedly. The problem is that any app sufficiently malicious can already do this. We block the most straightforward way of loading unwanted content. Here are some others, and DoH is not needed for any of them:

      1. Hard-code an address into the code. Contact it directly. No DNS request sent at all.

      2. Hard-code the address of a DNS server, then use normal DNS to retrieve it, ignoring the network-supplied resolvers. This is the easiest to block if you have set up your network to send all requests on port 53 to your local resolver, but most networks aren't set up that way.

      3. Hard-code the address of a resolver which is willing to take requests on a different port. Not hard to set up by the attacker and finding out that it's happening requires inspection of packet payloads.

      4. Hard-code an address and use it to find additional addresses via some encrypted and difficult to track mechanism.

      5. Use the standard resolver to resolve something that's likely to get through, and host a resource there to allow resolution of other addresses. For example, hosting an encrypted database of addresses on Github.

      None of these ways will stand up to a manual analysis with Wireshark, but all will completely bypass the local DNS system without requiring DoH to be operating. In only one of the cases can a simple firewall rule help.

      "This is good for privacy but terrible for securing your home systems against unfettered outbound comms."

      I really don't think so. If some device on your local network starts contacting a random external IP, will your network allow it or not? If it would allow it, then the only restriction on your outbound comms is trying to prevent the local device from getting the right address. Given how many ways there are of getting an address, that's not a guarantee of anything. If it would not allow it, then it doesn't much matter if the device knows the address to use.

      "will be migrating to pfsense soon & will need to build a Man In the middle capable proxy to inspect outbound traffic."

      This seems like an overreaction. Unless you are confident that you can create something capable of parsing all that traffic and determining whether you would like it or not, the effort will only create an extra bottleneck for your network.

    3. DeKrow

      Re: Good & Bad

      I've got a similar set up to you, but already using pfSense as my gateway, Pi-Hole for blocking and plugs into Cloudflare's DoH service, and with outbound regular DNS queries all redirected to my Pi-Hole, I also share the same concern for the near future where potentially malicious IoT devices or phone apps start using their own in-built DoH, preventing visibility of what my own devices are doing (disclaimer re: "my own devices: that word may not mean what you think it means, yeah yeah).

      Will be looking into later commenters suggestion of blocking DoH traffic to anywhere other than Cloudflare, or limiting DoH traffic to only be allowed to come from the Pi-Hole.

      1. Recluse

        Re: Good & Bad

        Interesting article entitled “ A New Needle and Haystack: Detecting DNS over HTTPS Usage“ on the SANS Institute here

        https://www.sans.org/reading-room/whitepapers/dns/needle-haystack-detecting-dns-https-usage-39160

        IMHO for those who like to see what’s going through their networks and the security conscious, it does not make for happy reading ...

    4. Pete B
      Thumb Up

      Re: Good & Bad

      Before you go down the pfsense & MITM proxy have a look at Sophos' free offerings which have the functionality already in them - their home use UTM is retricted to 50 IP addresses behind it, whereas the free XG firewall is restricted to some number of cores and memory - you can either spin them up on your preferred virtualisation platform or a small PC as you like.

  6. Financegozu
    Paris Hilton

    Idiot-tax ...

    I have to have me called out an idiot by the author of this article because I use Apple gear. But if I call him retarded for using such a derogatory term, will my comment be blocked?

    1. This post has been deleted by a moderator

      1. Hubert Cumberdale

        Re: Idiot-tax ...

        I'm not an AC, but I still think people who take offence at such monikers (for which this site is well known) should get a thicker skin. If you look closely, you'll see they tend to aim sarcastic negs in all directions (although admittedly they do seem to send rather a lot of them in Apple's direction).

        1. Psmo Silver badge
          Trollface

          Re: Idiot-tax ...

          Personally, I find "retarded" (word used by the OP) far more offensive than "idiot", as one's a condition and the other can be a momentary lapse.

          Dumbasses.

    2. Stuart Castle Silver badge

      Re: Idiot-tax ...

      I use Apple gear. I am an Apple fanboi. I’m not offended by term idiot tax, because I know that el reg criticises *everyone* in the it industry. They also freely praise those who do well.

      Besides, I have far more important things to worry about.

      1. werdsmith Silver badge

        Re: Idiot-tax ...

        "Idiot Tax" was amusing at first but it's really really tired now. Ancient recycled old rubbish soon loses its comedy value and makes the writer look lazy.

        Other banalities includes: "crysis", "popcorn", "goes up to 11", "rounded corners" and many more. I wonder if the people using these trites imagine that they are being witty and original when they put them into a comment.

        1. Lee D Silver badge

          Re: Idiot-tax ...

          "Ancient recycled old rubbish soon loses its comedy value and..."

          sells for 3-4 times the price of other kit just because it has an Apple logo on it.

          It's hard to write good copy, especially in keeping with your target audience. Do you read every article? No, but someone has to write every one and if the article just said "Apple will enable encrypted DNS", you'd quickly get bored and go elsewhere.

          There are thousands of IT news sites out there. I like a little informality. I don't really care about cliche, it doesn't hurt or hinder me. If you're here for original comedy with every article, I really think you've chosen the wrong kind of site.

          And I use the words idiot-tax for all kinds of things - parking tickets, speeding tickets, designer gear, etc. etc.

          1. werdsmith Silver badge

            Re: Idiot-tax ...

            Bit straw-mannish there. Informality is fine, silliness and snark are fine. But the same thing every time... yawn.

            you'd quickly get bored and go elsewhere.

            That's exactly what happens because of these banalities. In fact it became a turn off about 4 years ago.

            If you're here for original comedy with every article

            Not asking for that at all. Just not seeing the exact same gag on every article for years on end.

            1. Hubert Cumberdale

              Re: Idiot-tax ...

              And yet, you're still here.

  7. Dahhah6o

    Before jumping on the DOH bandwagon, listen to what the man who really knows DNS thinks of it:

    https://www.youtube.com/watch?v=ZxTdEEuyxHU

  8. John Crisp

    Joy

    So I can do my own thing if I can build my own apps or have enterprise management etc etc but otherwise it will bypass my network control, ad filters, and slow down my users?

    And exactly which DNS providers are they going to force us to use?

    Joy.

    At least Moz allows a canary domain.

    As a small company we don't have the resources to do anything about it eg build apps etc

    So we'll just ban all Apple crap. Simples.

    1. tcmonkey

      Re: Joy

      I agree that DOH is a disease for many a-reason, but you should probably read the article a little closer...

      "boldly go where its peers have gone before" - I.e, everyone else is already doing this. Sounds like you already had a problem that you weren't aware of.

  9. Ian Joyner

    Bias

    Whenever Reg reports on Apple, it has to make some derogatory remark, like idiot tax or 'fanboi', etc.

    This really shows a lack of integrity in journalism to be able to report the facts and maybe making some intelligent editorial assessment. But the Register continually fails in this.

    1. Hubert Cumberdale

      Re: Bias

      That sort of silliness is a fundamental part of the reporting style here; there are other tech news websites you could frequent if you don't like it, but looking through your past comments, it seems this is an axe you grind here quite often. Your life might be more relaxing if you could let it go.

      1. werdsmith Silver badge

        Re: Bias

        Silliness is OK, but laziness is not really acceptable. They need to come up with something new instead of eternally recycling the same old gag.

        1. Robert Grant Silver badge

          Re: Bias

          No, they don't need to do that. Fanboi is just part of their lexicon. Finding fresh ways to troll Apple fanbois probably won't add any more readers.

  10. Anonymous Coward
    Anonymous Coward

    AdGuard

    I'm probably misunderstanding this whole security doo-dah but doesn't AdGuard (the full app, not the free browser plug-in) allow you to set that up already? It seems to claim that when it tells me it's encrypting my DNS queries...

  11. Anonymous Coward
    Anonymous Coward

    Who do you trust?

    It's jolly nice that Google "supports" it, but what about the intel they draw in by their advertising and even fonts, although that's due to caching more in the nature of so-called "atmospherics" (trends) than fully live data?

    I'm singling out Google per sé, they're just the simplest example of "protectors" who are better described as "pretenders". There are a lot of factors that need to be addresses before you can talk of true privacy protection - I'm glad there's one more but I don't think we're quite there yet.

  12. Lord Elpuss Silver badge

    Cupertino idiot-tax corp

    Gonna be hell when you go through puberty, Thomas.

  13. Anonymous Coward
    Anonymous Coward

    Does that mean theregister.com will now be known as kldfhgkdfhgjkdhfkjghdkf.com or something?

  14. Gonzo wizard Bronze badge

    Arrgh...

    There's a balance to be found somewhere but right now I prefer to use Little Snitch to restrict adverts and tracking via the browser, and then private browsing over VPN as the next layer up. The problem with DNS over TLS or HTTPS is that Little Snitch can't tell me the domain that's about to be visited :-(

    As long as it's an option, great. But the moment there's no other option, I (we all of us) need a way to be able to selectively block outgoing traffic - by domain name. Please.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020