iOS 18.5 shows that my networking is blocking encrypted DNS, while it's not

I have a local recursive DNS cache server that provides me with whole-network ad-blocking. After RFC 9462 was ratified, I set up local encrypted DNS as well, with a resolvable FQDN and a valid certificate from Let's Encrypt. I even set up proper answers to `_dns.resolver.arpa` queries, and in fact, in my DNS servers' query logs, I see Apple devices flooding the servers with `_dns.resolver.arpa` queries, all of which got the proper answer:


```
;; DEBUG: Querying for owner(_dns.resolver.arpa.), class(1), type(64), server(dns1.REDACTED.domain.tld), port(853), protocol(TCP)
;; DEBUG: TLS, imported 375 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG: #1, CN=dns1.REDACTED.domain.tld
;; DEBUG: SHA-256 PIN: REDACTED_HsorNIrPXZZ9nbUyJGFBD79hvAtvQJ5jcM=
;; DEBUG: #2, C=US,O=Let's Encrypt,CN=E5
;; DEBUG: SHA-256 PIN: REDACTED_4y9J67c4guWTki8FJ+uudrXL0a4V4aRcrg=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(CHACHA20-POLY1305)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 5684
;; Flags: qr rd ra; QUERY: 1; ANSWER: 5; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; _dns.resolver.arpa. IN SVCB

;; ANSWER SECTION:
_dns.resolver.arpa. 10 IN SVCB 1 dns1.REDACTED.domain.tld. alpn="dot" port=853 ipv4hint=192.168.7.53 ipv6hint=fdfe:ee82:778b:7::53
_dns.resolver.arpa. 10 IN SVCB 1 dns1.REDACTED.domain.tld. alpn="doq" port=853 ipv4hint=192.168.7.53 ipv6hint=fdfe:ee82:778b:7::53
_dns.resolver.arpa. 10 IN SVCB 1 dns2.REDACTED.domain.tld. alpn="h2" port=443 ipv4hint=192.168.8.53 ipv6hint=fdfe:ee82:778b:8::53 dohpath="/dns-query{?dns}"
_dns.resolver.arpa. 10 IN SVCB 1 dns2.REDACTED.domain.tld. alpn="dot" port=853 ipv4hint=192.168.8.53 ipv6hint=fdfe:ee82:778b:8::53
_dns.resolver.arpa. 10 IN SVCB 1 dns2.REDACTED.domain.tld. alpn="doq" port=853 ipv4hint=192.168.8.53 ipv6hint=fdfe:ee82:778b:8::53

;; Received 485 B
;; Time 2025-05-16 06:36:44 UTC
;; From fdfe:ee82:778b:7::53@853(TLS) in 22.1 ms
```


So why do Apple devices on my network still show that my network is blocking encrypted DNS? Most other devices on my network (primarily Linux and Android) already have discovered the encrypted servers, and use those instead.


Please don't direct me towards Apple's recommended router settings ("Recommended settings for Wi-Fi routers and access points - Apple Support"); I have already gone through that, and it does not help even a little bit. And yes, my MAC addresses are already set to rotate, so "Use private Wi-Fi addresses on Apple devices - Apple Support (AU)" does not apply either.


Posted on May 15, 2025 11:58 PM
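Added example, not part of the post above and not Apple's or any resolver's code: a minimal client-side walk through what an RFC 9462 (DDR) client does with the answer shown in the post. It builds the five SVCB records as wire-format RDATA (constructed from the post's values), parses the SvcParams per RFC 9460, and then applies the admission rules as I read RFC 9462: under Verified Discovery (section 4.2) the Designated Resolver's TLS certificate must contain the IP address of the Unencrypted Resolver as a subjectAltName entry; otherwise Opportunistic use (section 4.3) is allowed only when the Unencrypted Resolver is a private or local address and the Designated Resolver has the same IP address. The unencrypted resolver address (`192.168.7.53`) and the SAN contents of each certificate are assumptions for the demonstration; a public CA such as Let's Encrypt does not issue certificates whose SAN contains a private (RFC 1918 or ULA) address, so the SAN sets are left empty in the default scenario.

```python
"""RFC 9462 (DDR) admission logic over RFC 9460 SVCB records. Added example; all
record data, the unencrypted resolver IP and certificate SAN sets are constructed."""
import ipaddress
import struct

ALPN, PORT, IPV4HINT, IPV6HINT, DOHPATH = 1, 3, 4, 6, 7  # SvcParamKeys (RFC 9460)


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def encode_svcb(priority, target, alpn, port, v4=(), v6=(), dohpath=None):
    """Build SVCB RDATA (SvcPriority, TargetName, SvcParams in ascending key order)."""
    params = [(ALPN, b"".join(bytes([len(a)]) + a.encode() for a in alpn)),
              (PORT, struct.pack("!H", port))]
    if v4:
        params.append((IPV4HINT, b"".join(ipaddress.IPv4Address(a).packed for a in v4)))
    if v6:
        params.append((IPV6HINT, b"".join(ipaddress.IPv6Address(a).packed for a in v6)))
    if dohpath:
        params.append((DOHPATH, dohpath.encode()))
    body = b"".join(struct.pack("!HH", k, len(v)) + v for k, v in params)
    return struct.pack("!H", priority) + encode_name(target) + body


def read_name(buf, off):
    labels = []
    while buf[off]:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def parse_svcb(rdata):
    """Decode SVCB RDATA -> (priority, target, {param-name: value})."""
    priority = struct.unpack("!H", rdata[:2])[0]
    target, off = read_name(rdata, 2)
    params = {}
    while off < len(rdata):
        key, ln = struct.unpack("!HH", rdata[off:off + 4])
        val, off = rdata[off + 4:off + 4 + ln], off + 4 + ln
        if key == ALPN:
            alpns, i = [], 0
            while i < len(val):
                alpns.append(val[i + 1:i + 1 + val[i]].decode())
                i += 1 + val[i]
            params["alpn"] = alpns
        elif key == PORT:
            params["port"] = struct.unpack("!H", val)[0]
        elif key == IPV4HINT:
            params["ipv4hint"] = [str(ipaddress.IPv4Address(val[i:i + 4]))
                                  for i in range(0, len(val), 4)]
        elif key == IPV6HINT:
            params["ipv6hint"] = [str(ipaddress.IPv6Address(val[i:i + 16]))
                                  for i in range(0, len(val), 16)]
        elif key == DOHPATH:
            params["dohpath"] = val.decode()
        else:
            params[key] = val  # unknown key: keep the raw value
    return priority, target, params


# The five answers from the post, re-encoded as wire format (constructed data).
POST_RECORDS = [
    encode_svcb(1, "dns1.REDACTED.domain.tld.", ["dot"], 853, ["192.168.7.53"], ["fdfe:ee82:778b:7::53"]),
    encode_svcb(1, "dns1.REDACTED.domain.tld.", ["doq"], 853, ["192.168.7.53"], ["fdfe:ee82:778b:7::53"]),
    encode_svcb(1, "dns2.REDACTED.domain.tld.", ["h2"], 443, ["192.168.8.53"], ["fdfe:ee82:778b:8::53"],
                "/dns-query{?dns}"),
    encode_svcb(1, "dns2.REDACTED.domain.tld.", ["dot"], 853, ["192.168.8.53"], ["fdfe:ee82:778b:8::53"]),
    encode_svcb(1, "dns2.REDACTED.domain.tld.", ["doq"], 853, ["192.168.8.53"], ["fdfe:ee82:778b:8::53"]),
]


def admit(rdata_list, unencrypted_ip, cert_sans, supported=("h2", "dot", "doq")):
    """Decide, per (target, alpn), whether a DDR client may use the Designated Resolver.
    cert_sans maps a target name to the set of IP-address SANs in its TLS certificate
    (what the client observed in the handshake; constructed here)."""
    unenc = ipaddress.ip_address(unencrypted_ip)
    results = []
    for rdata in sorted(rdata_list, key=lambda r: parse_svcb(r)[0]):
        prio, target, p = parse_svcb(rdata)
        if prio == 0:  # AliasMode carries no SvcParams, so nothing to connect to
            continue
        hints = p.get("ipv4hint", []) + p.get("ipv6hint", [])
        for alpn in p.get("alpn", []):
            if alpn not in supported:
                continue
            if alpn == "h2" and "dohpath" not in p:  # DoH needs a URI template (RFC 9461)
                results.append((target, alpn, "reject: DoH without dohpath"))
                continue
            if str(unenc) in cert_sans.get(target, set()):
                mode = "verified"          # RFC 9462 s4.2: cert names the unencrypted resolver IP
            elif unenc.is_private and str(unenc) in hints:
                mode = "opportunistic"     # RFC 9462 s4.3: private address, same IP as designated
            else:
                mode = "reject: cert lacks resolver IP and designated address differs"
            results.append((target, alpn, mode))
    return results


if __name__ == "__main__":
    # Assumed scenario: clients were handed 192.168.7.53 by DHCP; LE certs carry DNS names only.
    for target, alpn, mode in admit(POST_RECORDS, "192.168.7.53", {}):
        print(f"{target:28} {alpn:4} {mode}")
```

In the assumed scenario only `dns1` qualifies, and only opportunistically, because it shares the unencrypted resolver's address; every `dns2` entry is rejected because its certificate cannot name `192.168.7.53` and its address differs. Passing a SAN set that does contain the resolver IP flips those entries to `verified`, while a non-private unencrypted resolver address with no matching SAN is rejected regardless of the hints.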