Apple with iOS 14 pokes a hole in local DNS-policies and filtering with query type 65 (HTTPS)

Hi!


I use external DNS services like Cloudflare Family Filter and Cleanbrowsing Adult Filter for filtering out adult content. One of their great features is that they enforce Safe Search mode for Google, Bing and such. It has been working great on ALL my devices until I recently upgraded my iPhones to iOS 14. The other devices and computers are correctly enforcing Safe Search, but iPhones with iOS 14 have issues concerning this, especially regarding "www.bing.com".


For example: when a device or a computer looks up "www.bing.com", CloudFlare Family Filter and Cleanbrowsing Adult Filter return "strict.bing.com". This was the normal case on my local network until iOS 14 entered the building.


To test the issue at hand, you can search for the word "sex" and it should return nothing. If it does, iOS 14 is circumventing your DNS policies and rules, and also circumventing Cloudflare and Cleanbrowsing.


After looking into different scenarios, like problems with Cloudflare or Cleanbrowsing, I started to look at the DNS log files and saw the following:


dnsmasq[####]: 192.168.1.### query[type=65] www2.bing.com from 192.168.1.###
dnsmasq[####]: 192.168.1.### forwarded www2.bing.com to CLEANBROWSING-DNS
dnsmasq[####]: 192.168.1.### forwarded www2.bing.com to CLEANBROWSING-DNS
dnsmasq[####]: 192.168.1.### query[A] www2.bing.com from 192.168.1.###
dnsmasq[####]: 192.168.1.### cached www2.bing.com is 204.79.197.220
dnsmasq[####]: 192.168.1.### validation result is INSECURE
dnsmasq[####]: 192.168.1.### query[type=65] www2-bing-com.dual-a-0001.a-msedge.net from 192.168.1.###
dnsmasq[####]: 192.168.1.### forwarded www2-bing-com.dual-a-0001.a-msedge.net to CLEANBROWSING-DNS
dnsmasq[####]: 192.168.1.### query[A] www2-bing-com.dual-a-0001.a-msedge.net from 192.168.1.###
dnsmasq[####]: 192.168.1.### forwarded www2-bing-com.dual-a-0001.a-msedge.net to CLEANBROWSING-DNS
dnsmasq[####]: 192.168.1.### validation result is INSECURE
dnsmasq[####]: 192.168.1.### dnssec-query[DS] a-msedge.net to CLEANBROWSING-DNS
dnsmasq[####]: 192.168.1.### reply a-msedge.net is no DS
dnsmasq[####]: 192.168.1.### validation result is INSECURE
dnsmasq[####]: 192.168.1.### reply www2-bing-com.dual-a-0001.a-msedge.net is <CNAME>
dnsmasq[####]: 192.168.1.### reply dual-a-0001.a-msedge.net is 13.107.21.200  #UNRESTRICTED
dnsmasq[####]: 192.168.1.### reply dual-a-0001.a-msedge.net is 204.79.197.200 #UNRESTRICTED


Hm... what is going on here? Eureka! Apple is sending DNS queries with type set to 65, which is returning the unrestricted version of "www.bing.com".


Query Type 65 is:


HTTPS Binding: RR that improves performance for clients that need to resolve many resources to access a domain. More info in this IETF Draft by the DNSOP Working Group and Akamai Technologies.


So when the iPhone looks up "www.bing.com" with the query type set to 65, it is forwarded to Cleanbrowsing and Cloudflare, which also send it onward, totally bypassing their filters.


Posted on Nov 25, 2020 10:04 AM

5 replies

Nov 25, 2020 11:22 AM in response to KiltedTim

Well, I don't think the community understands the clear ramification of this, yet. This is and WILL be of huge concern for schools, companies, universities and families that enforce DNS filtering. Network admins of all sizes have a struggle concerning this issue. It's about protecting children.


Question: is there an option in iOS 14 to disable these kinds of DNS queries in order to enforce DNS filtering?

Nov 25, 2020 11:40 AM in response to deggie

Technical explanation:


When my local DNS server receives a query of type 65, it is not a normal A-type query (IPv4). Hence, it doesn't understand it or cannot handle it, and forwards it upstream to CleanBrowsing and/or Cloudflare. In normal situations they should return "strict.bing.com", but they also forward it to an upstream DNS server and return that answer. Bing doesn't enforce strict.bing.com; it's Cleanbrowsing and Cloudflare that are bypassed by type 65.


If you can bypass this many DNS filters (local and upstream, like Cloudflare), you could probably bypass them all; that is my concern here.


So I think that Apple has not been upfront about the fact that this could break local DNS policies, like Safe Search. That's why we will see school authorities and companies having to address this.


That is my question: is there an option to disable type 65 DNS queries? There should be, for child protection!
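The observation in the original post (a new query[type=65] column in the dnsmasq log) and the explanation in the reply above (the local resolver forwards HTTPS queries verbatim and only rewrites A answers) both come down to one check an administrator can run over the resolver log: find HTTPS (type 65) queries for names the filter is supposed to rewrite. The script below is an added example, not code from the thread or from dnsmasq; the sample log is constructed here from the lines quoted in the post, with a placeholder PID, placeholder client addresses and the post's own CLEANBROWSING-DNS label standing in for the upstream. It also accepts the query[HTTPS] spelling that newer dnsmasq builds print, which the post's older build logs as query[type=65].

```python
import re
from collections import Counter

# Constructed sample log, modelled on the dnsmasq lines quoted in the thread.
# PID, client addresses and the upstream label are placeholders, not real values.
SAMPLE_LOG = """\
dnsmasq[1234]: 192.168.1.20 query[type=65] www2.bing.com from 192.168.1.20
dnsmasq[1234]: 192.168.1.20 forwarded www2.bing.com to CLEANBROWSING-DNS
dnsmasq[1234]: 192.168.1.20 query[A] www2.bing.com from 192.168.1.20
dnsmasq[1234]: 192.168.1.20 cached www2.bing.com is 204.79.197.220
dnsmasq[1234]: 192.168.1.20 query[type=65] www2-bing-com.dual-a-0001.a-msedge.net from 192.168.1.20
dnsmasq[1234]: 192.168.1.20 forwarded www2-bing-com.dual-a-0001.a-msedge.net to CLEANBROWSING-DNS
dnsmasq[1234]: 192.168.1.20 reply www2-bing-com.dual-a-0001.a-msedge.net is <CNAME>
dnsmasq[1234]: 192.168.1.20 reply dual-a-0001.a-msedge.net is 13.107.21.200
dnsmasq[1234]: 192.168.1.30 query[A] www.bing.com from 192.168.1.30
dnsmasq[1234]: 192.168.1.30 reply www.bing.com is <CNAME>
dnsmasq[1234]: 192.168.1.30 reply strict.bing.com is 204.79.197.220
"""

# RR types dnsmasq prints by name; builds that do not know a type print type=N.
RR_TYPE_NUMBERS = {"A": 1, "NS": 2, "CNAME": 5, "PTR": 12, "MX": 15,
                   "TXT": 16, "AAAA": 28, "SRV": 33, "SVCB": 64, "HTTPS": 65}
HTTPS_RRTYPE = 65

# Matches "query[type=65] name from client" and "query[A] name from client";
# the log prefix before "query[" is ignored so line layout variants still parse.
QUERY_RE = re.compile(
    r"query\[(?:type=(?P<num>\d+)|(?P<name>[A-Z0-9]+))\] "
    r"(?P<qname>\S+) from (?P<client>\S+)"
)


def parse_query(line):
    """Return (client, qname, rrtype_number) for a dnsmasq query line, else None."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    if m.group("num"):
        rrtype = int(m.group("num"))
    else:
        rrtype = RR_TYPE_NUMBERS.get(m.group("name"))  # None for an unlisted name
    return m.group("client"), m.group("qname"), rrtype


def in_zone(qname, zone):
    """True if qname is the zone apex or any name below it (trailing dot tolerated)."""
    q = qname.rstrip(".").lower()
    return q == zone or q.endswith("." + zone)


def find_https_bypass_candidates(log_text, filtered_zones):
    """List (client, qname) for HTTPS (type 65) queries that target a filtered zone.

    The resolver in the thread rewrites only A answers (www.bing.com -> strict.bing.com)
    and forwards HTTPS queries unchanged, so each hit is a lookup the filter never saw.
    """
    hits = []
    for line in log_text.splitlines():
        parsed = parse_query(line)
        if parsed is None:
            continue
        client, qname, rrtype = parsed
        if rrtype == HTTPS_RRTYPE and any(in_zone(qname, z) for z in filtered_zones):
            hits.append((client, qname))
    return hits


def rrtype_histogram(log_text):
    """Count queries per RR type number; a new 65 bucket is the tell from the thread."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_query(line)
        if parsed is not None:
            counts[parsed[2]] += 1
    return counts


if __name__ == "__main__":
    for client, qname in find_https_bypass_candidates(SAMPLE_LOG, ["bing.com"]):
        print(f"HTTPS query from {client} for filtered name {qname}")
    print(dict(rrtype_histogram(SAMPLE_LOG)))
```

Run against a real dnsmasq log (with log-queries enabled) and the list of zones your filter rewrites, the histogram shows how much type 65 traffic the resolver is forwarding, and the candidate list tells you which clients are asking for HTTPS records of filtered names; the follow-up query for the a-msedge.net name in the sample is deliberately not flagged, because the check looks at the name the client asked for, not at where the answer chain led.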



This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.
