Thumbnail image

Encrypt DNS in iOS 14 applications

Thu, Feb 25, 2021 3-minute read

In iOS 14, Apple introduced support for passing the DNS queries over HTTPS (DoH) or TLS (DoT). So why bother encrypting DNS queries when HTTPS is widely in use? Because if someone (ISPs, on-path routers, law enforcement agency, etc.) is eavesdropping on your application’s unencrypted DNS queries, they will be able to map which API / services your application uses and potentially “map” your service.

You can read more about DoH and DoT here

Unencrypted DNS

To better understand how easy it is for someone to eavesdrop on unencrypted DNS queries, let’s run the following sample code:

To eavesdrop on the DNS queries, I will use Wireshark, a well-known network protocol analyzer.

As you can see in the figure below, Wireshark mapped the service and its IP addresses used in the sample code easily.

Moreover, since the DNS messages are unprotected, other attacks are possible:

  • Queries could be directed to a resolver that performs DNS hijacking.
  • Firewalls can easily intercept, block or modify any unencrypted DNS traffic based on the port number alone.

Encrypted DNS using DoH/DoT

Encrypted DNS (DoH or DoT) mitigates the privacy issue illustrated above. To decide which one is better to use, you can read multiple articles on the web that compare DoH to DoT, but it all boils down to these points:

  • DNS over TLS may seem faster as it’s one level lower, but based on benchmarks, that’s not the case.
  • It’s harder for mediators to monitor and censor DNS queries if it’s DNS over HTTPS. It looks like regular HTTPS traffic, while DNS over TLS requires separate port usage, namely: 853.
  • Even with encrypted DNS, TLS connections contain unencrypted domain names (SNI). TLS 1.3 mitigates it.

Based on the above, DoH is a definite winner. 🤖

On iOS 14, to make use of DoH, we need to configure the NWParameters.PrivacyContext with a DNS (which supports DoH) resolver’s central host HTTPS and its backup hosts IPs.

Running the sample code using DoH configuration resulted in Wireshark failing to pick up any of the DNS queries made.

🎉 🎊🎉 🎊🎉 🎊🎉 🎊🎉 🎊🎉 🎊

For applying encrypted DNS using the Network framework, you can take a look at Apple’s WWDC 2020 session: Enable encrypted DNS.

Many DNS resolvers, such as Google, Cloudflare, Alibaba, etc., support encrypted DNS. Therefore, I have created an enum that implements NWParameters.PrivacyContext configuration for each provider, for your convenience.

In summary, iOS14 added support for encrypted DNS and, in particular, DoH, which enhances privacy significantly. I strongly recommend using it in your applications, and if you still have concerns, Apple teamed up with Cloudflare and Fastly to further improve DoH by introducing Oblivious DoH.

The End.