Fix for TunnelVision attack, or disable DHCP option 121

We're looking at mitigation options for the TunnelVisioning attack that exploits DHCP option 121 to set routes. It looks like Per-App VPN doesn't have the problem, but in standard mode we aren't able to touch potentially malicious host routes, so while we can mitigate it we can't eliminate the security problem completely.

Is there any way to tell iOS and macOS to ignore DHCP option 121? Or even better, does Apple have a fix in the works?

I'm curious whether this even applies: does macOS even support option 121? Incidentally, if yes, which component should take care of that?

Fix for TunnelVision attack, or disable DHCP option 121
 
 
Q