DNS on IOS v14

Hello,

I'm a network security engineer, and my question is regarding the default DNS configuration on iOS 14: DNS encryption is not activated by default? As per my understanding there are several ways to encrypt my DNS requests (DoT & DoH): VPN, MDM profile, NEDNSSettingsManager (via an iOS app) or integrated in the application code. I need to understand the order in which those options handle my DNS requests and which of them overrides the others.
Thanks

I need to understand the order in which those options handle my DNS requests and which of them overrides the others.

Here is a general take on Encrypted DNS:

1) New in iOS 14 and macOS 11 is NEDNSSettingsManager, which does allow your network configuration to point to DoH or DoT for encrypted DNS. The benefit here is that you can simply set up your network configuration to encrypt DNS queries for the entire system by pointing the app's settings at an HTTPS or TLS resolver. The downside is that you do not have connection-level or packet-level control over this traffic, because there is no network extension to handle the traffic from.

Enable Encrypted DNS WWDC 2020
<https://developer.apple.com/videos/play/wwdc2020/10047/>

2) For managed configurations on iOS, a NEDNSProxyProvider would be a flow-based option to handle DNS queries at a system level by proxying a flow to an encrypted resolver. This would put more of the control in your hands, but would also require you to build the flow copiers and flow control needed to proxy your DNS queries to the encrypted resolvers. The benefit here is that you have complete control over the remote side of the connection. This is a flow/socket-based method for handling this action and is not packet based.

3) To handle a LIMITED amount of DNS traffic, you can opt in to handling specific matchDomains in your VPN packet tunnel. I will stress that this is to be used in a limited capacity. Do NOT try to use your VPN as a way to capture all DNS traffic on the system; you will run into lots of edge cases doing so, and we have the two APIs above for doing just that. Instead, define your NEDNSSettings with the servers that you want to use for your match domains, set up a small set of domains that you want to match, and send that DNS traffic through your VPN tunnel. This is a packet-based solution and not a flow/socket-based solution.

As to what will cause conflict with the others, this will be something you need to test, and it will be dependent on what traffic is being picked up in your VPN, etc.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
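As an added illustration of options 1 and 3 above (this is example code, not code from the thread or from Apple), the following Swift shows a NEDNSSettingsManager configuration for DoH or DoT, plus a packet-tunnel NEDNSSettings scoped to a short matchDomains list. The resolver addresses, URLs and domain names are placeholders, and it assumes the app holds the DNS Settings network extension entitlement.

```swift
import NetworkExtension

/// Added example: system-wide encrypted DNS (option 1) and tunnel-scoped
/// DNS (option 3). All hosts/addresses below are placeholders.
enum EncryptedDNSExample {

    /// Option 1, DoH. Listing the resolver IPs lets the system reach it
    /// without a plaintext bootstrap lookup of the URL's hostname.
    static func makeDoHSettings() -> NEDNSOverHTTPSSettings {
        let settings = NEDNSOverHTTPSSettings(servers: ["192.0.2.53", "2001:db8::53"])
        settings.serverURL = URL(string: "https://doh.example.net/dns-query")
        return settings
    }

    /// Option 1, DoT. serverName is the name the resolver's certificate must match.
    static func makeDoTSettings() -> NEDNSOverTLSSettings {
        let settings = NEDNSOverTLSSettings(servers: ["192.0.2.53"])
        settings.serverName = "dot.example.net"
        return settings
    }

    /// Save the configuration. Saving alone does not activate it: the user must
    /// select it in Settings, and `isEnabled` reports whether that has happened.
    static func install(_ dns: NEDNSSettings,
                        completion: @escaping (Result<Bool, Error>) -> Void) {
        let manager = NEDNSSettingsManager.shared()
        manager.loadFromPreferences { loadError in
            if let loadError = loadError { return completion(.failure(loadError)) }
            manager.dnsSettings = dns
            manager.localizedDescription = "Example encrypted resolver"
            manager.saveToPreferences { saveError in
                if let saveError = saveError { return completion(.failure(saveError)) }
                // false here means the profile is installed but not yet the active one
                completion(.success(manager.isEnabled))
            }
        }
    }

    /// Option 3: inside a packet tunnel provider, only the listed domains are
    /// resolved through the in-tunnel resolver; all other lookups keep the
    /// system's DNS settings, so the list is deliberately kept small.
    static func tunnelSettings(remote: String) -> NEPacketTunnelNetworkSettings {
        let network = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: remote)
        let dns = NEDNSSettings(servers: ["10.0.0.53"]) // placeholder in-tunnel resolver
        dns.matchDomains = ["corp.example"]              // placeholder internal zone
        network.dnsSettings = dns
        return network
    }
}
```

Check `isEnabled` after saving rather than assuming the resolver is in use; a saved but unselected configuration leaves DNS on the network's default settings.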