DNS encryption blocked

I've installed a profile that enables encrypted DNS on my iOS 14 device but got a notice that DNS Encryption was blocked in my network. Is it something I can deal with by changing settings in my router?

Interesting. Do you also have a VPN running that is handling DNS on your device? Do you have any onDemandRules that enable your NEDNSSettingsManager? Are your DNS settings enabled in the Settings App?

Also, do you have a policy on your network that filters DNS queries and blocks encrypted DNS? This would cause a failure like the one you are describing. See more around the 10:00 mark here.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
I had no VPN running on the device that handles DNS, and settings were good as well.
After switching the profile I installed to a non-filtering profile and resetting the WiFi connection, the notice was gone. Interestingly, I received no notice even for the filtering one now.
I still don't understand where the problem is, but it finally works.

Thank you so much!
No problem. Was there a filter on a network server you were connecting to? If you still run into intermittent issues like this, follow up on this thread, as something may be going on that we need to take a look at.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
I am not a developer, I just know the profile I installed was to connect to a DNS server which was capable of filtering ads and trackers. If the notice appears again I will post here. Thanks again.
Hello—I'm also encountering the "blocking encrypted DNS" privacy warning message on my network. In my case, I have not yet installed any encrypted DNS profiles or apps.

I happen to control the network, and I have no intentional policies in place restricting outbound traffic. I do operate a local DNS forwarder that resolves certain company internal domains not resolvable on public DNS servers, but today we do not block any known canary domains to force use of the resolver.

Is there any documentation on the algorithm being used to determine if encrypted DNS is blocked? Is there any caching such that, say, a one-off failed DNS query could cause a network to get flagged and remain flagged?
@lucasec

Is there any documentation on the algorithm being used to determine if encrypted DNS is blocked?

There is not. You can take a look at the WWDC 2020 video for more information on this.
<https://developer.apple.com/videos/play/wwdc2020/10047/>
It's around the 9:55 mark.

Also, you may want to look at the device for another app that is using Encrypted DNS on your network that may be triggering this warning.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Easiest fix was to add a manual DNS of 8.8.8.8, then forget the network and reconnect, and ahhhh, fixed!!


You're welcome.

Manual DNS Works for me too but the problem remains.

Has there been any progress on a permanent fix for this problem? We're still seeing false positive errors with iOS version 15.2.

We're an ISP and have a few customers with this problem. Unfortunately we weren't able to reproduce the problem. If we install the Cloudflare 1.1.1.1 app to enable system-wide DNS encryption using the Cloudflare servers, we can see the encrypted traffic and everything is just working fine (traffic doesn't get filtered by the router/network).

Our users are using their local wifi router (various different vendors/models) as DNS server (standard caching DNS server, learned via DHCP, no encryption) and have no VPN or DNS profile configured. Neither the wifi routers nor our network is blocking encrypted DNS traffic.

Rebooting or forgetting/re-adding the wifi connection fixes the problem temporarily, but at some point the error shows up again. Apparently disabling the "Private Address" option + forgetting the profile again is currently the best workaround.

Our current theory is that some app is forcing the use of encrypted DNS (only for that app) and, for some reason other than filtering (bad wifi, DNS server down, ...), the connection can't be established, resulting in the wifi network being permanently marked with this error. No re-test is happening to remove the error again.

Not sure how disabling Private Address helps with the problem. I can only imagine that the DNS availability test is happening at the same time as the MAC address change and that the phones are unreachable for a short moment during the change, causing the DNS test to fail.

It would be great if some Apple engineer could explain how exactly the DNS test works so we can help debug it.

Hi Freddy.

Workaround can be found in "community.plus.net/t5/Everything-else/IPhone-iPad-Mac-The-network-is-blocking-encrypted-DNS-traffic/m-p/1846737" (Hope I am not doomed now by sharing this link)

I chose solution number 1 by adding "mask.icloud.com" and "mask-h2.icloud.com" to the white list on my Deco X60 router. I also chose 1.1.1.1 as my main DNS and 1.0.0.1 as alternative, pointing to Cloudflare. After a check at https://1111/help my iPhone 11 iOS 15.2.1 showed "Using DNS over HTTPS (DoH) YES" and I have not seen the "DNS encryption blocked" notice anymore on my WiFi 2.4GHz / 5GHz.

Apple's reference can be found at https://developer.apple.com/support/prepare-your-network-for-icloud-private-relay/ so it is a known issue and workaround, so it must be legit.

Hope this will help you and your clients. It did for me thanks to Neil Townsend :-)

Good Luck!
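The workaround above hinges on whether the two canary names from Apple's Private Relay page (mask.icloud.com and mask-h2.icloud.com) resolve on the network. The following is an added diagnostic, not code from the thread or from Apple: it asks the system resolver for each name and reports which ones come back empty, so a network admin can check a router or forwarder before and after adding the whitelist entries. The resolver is injectable so the classification logic can be exercised offline with a constructed fake.

```python
import socket
from typing import Callable, Dict, List, Optional

# Names Apple's "Prepare your network for iCloud Private Relay" page lists; a network
# that answers them negatively signals that it does not permit Private Relay.
PRIVATE_RELAY_CANARIES = ("mask.icloud.com", "mask-h2.icloud.com")

Resolver = Callable[[str], Optional[List[str]]]


def resolve_addresses(hostname: str) -> Optional[List[str]]:
    """Resolve hostname with the system resolver (the one learned via DHCP on the
    Wi-Fi network). Returns None when there is no usable answer (NXDOMAIN, SERVFAIL,
    timeout), which is how a blocking network presents itself."""
    try:
        infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return None
    addrs = sorted({info[4][0] for info in infos})
    return addrs or None


def canary_report(resolver: Resolver = resolve_addresses) -> Dict[str, str]:
    """Classify each canary name as 'resolves' (not signalling a block) or 'blocked'
    (no answer). A forwarder that only knows internal zones and returns errors for
    everything else would show up here as 'blocked' for both names."""
    return {
        name: "resolves" if resolver(name) else "blocked"
        for name in PRIVATE_RELAY_CANARIES
    }


def network_signals_block(resolver: Resolver = resolve_addresses) -> bool:
    """True when any canary name fails to resolve, i.e. the network looks, from the
    device's point of view, like one that blocks encrypted DNS / Private Relay."""
    return any(state == "blocked" for state in canary_report(resolver).values())


if __name__ == "__main__":
    for name, state in canary_report().items():
        print(f"{name}: {state}")
    print("network signals a block:", network_signals_block())
```

Run it once on the affected Wi-Fi with the router's default DNS and once with the whitelist entries in place; a change from "blocked" to "resolves" for either name confirms the router, not an upstream filter, was answering negatively.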
