Apple Adds Support For Encrypted DNS (DoH And DoT)


In a presentation at its developer conference this week, Apple announced that the upcoming versions of its iOS and macOS operating systems will support the ability to handle encrypted DNS communications.

Apple said that iOS 14 and macOS 11, set to be released this fall, will support both the DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) protocols.

Normal DNS (Domain Name System) traffic is sent in clear text, so anyone on the network path, whether an internet service provider, a public Wi-Fi operator, or an attacker on the local network, can read and log every hostname a device looks up. ISPs and others have used this in the past to track users, usually to build profiles to sell to online advertisers.

But DoH and DoT allow a desktop, phone, or individual app to send DNS queries and receive DNS responses over an encrypted channel, which prevents third parties and malicious threat actors on the path from reading a user's DNS queries and inferring the user's web traffic destinations and patterns. The protection is against on-path observers: the operator of the encrypted resolver still sees every query, and the destination IP addresses and the TLS server name (SNI) of the subsequent connections still reveal much of the same information unless they are protected separately.

The two protocols carry the same DNS messages but differ in transport. DoT wraps DNS in a dedicated TLS session, normally on port 853, which makes it easy for a network operator to identify and block. DoH sends DNS messages as HTTPS requests on port 443, where they blend in with ordinary web traffic and are much harder to single out.

To improve the privacy of iOS and macOS users, Apple says it plans to add new functions and features to its app development frameworks.

These new functions will allow developers to create new apps, or update existing ones, that use either DoH or DoT to encrypt their DNS traffic.

DoH/DoT settings can be applied selectively

Apple says developers can create apps to apply DoH/DoT settings for the entire operating system (via network extension apps or MDM profiles), to individual apps, or to an app's selected network requests.

"There are two ways in which encrypted DNS can be enabled," Tommy Pauly, Internet Technologies Engineer at Apple, said in a talk on Wednesday.

"The first way is to use a single [encrypted] DNS server as the default resolver for all apps on the system. If you provide a public [encrypted] DNS server, you can now write a network extension app that configures the system to use your server. Or, if you use Mobile Device Management to configure enterprise settings on devices, you can push down a profile to configure encrypted DNS settings for your networks," Pauly said.

"The second way to enable encrypted DNS is to opt-in directly from an app. If you want your app to use encrypted DNS, even if the rest of the system isn't yet, you can select a specific server to use for some or all of your app's connections," Pauly added.
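The per-app opt-in Pauly describes is done with a privacy context in Network.framework. The following is an added example written for this page, not code from Apple's presentation; the DoH server URL and its IP addresses are placeholders for whatever resolver you actually trust.

```swift
import Network

// Added example: opt one app's connections into encrypted DNS on iOS 14 /
// macOS 11 and later, independent of the system-wide DNS setting.
// "doh.example.net", 2001:db8::53 and 203.0.113.53 are placeholders.
func makeEncryptedDNSParameters() -> NWParameters {
    // A privacy context groups connections that share a DNS policy.
    let privacyContext = NWParameters.PrivacyContext(description: "EncryptedDNS")

    // Require encrypted name resolution. If the system already has an
    // encrypted resolver (from a network extension app or an MDM profile)
    // it is used; otherwise the fallback resolver given here is used.
    // serverAddresses let the resolver be reached directly, so looking up
    // its own hostname never goes out over cleartext UDP/53.
    // For DoT, use .tls(.hostPort(host: "dot.example.net", port: 853),
    //                   serverAddresses: [...]) instead of .https.
    privacyContext.requireEncryptedNameResolution(
        true,
        fallbackResolver: .https(
            URL(string: "https://doh.example.net/dns-query")!,   // placeholder
            serverAddresses: [
                .hostPort(host: "2001:db8::53", port: 443),      // placeholder
                .hostPort(host: "203.0.113.53", port: 443)       // placeholder
            ]
        )
    )

    let parameters = NWParameters.tls
    parameters.setPrivacyContext(privacyContext)
    return parameters
}

// Every NWConnection created with these parameters resolves its host
// through the encrypted resolver.
let connection = NWConnection(host: "www.example.com", port: 443,
                              using: makeEncryptedDNSParameters())
connection.stateUpdateHandler = { state in
    switch state {
    case .ready:
        print("connected; name resolution was encrypted")
    case .failed(let error):
        // Because encrypted resolution is required, the connection does not
        // fall back to cleartext DNS when no encrypted resolver is reachable;
        // it fails instead, which is the behaviour you want for a privacy
        // guarantee.
        print("connection failed: \(error)")
    default:
        break
    }
}
connection.start(queue: .main)
```

Pass `false` to `requireEncryptedNameResolution` if you want the fallback resolver to be preferred but cleartext DNS still allowed when it is unreachable; that trades the guarantee for availability, so make the choice deliberately.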

Furthermore, Apple's DoH and DoT implementation is context-aware. For example, if a VPN app is active, or the device is on a captive network (one that intercepts traffic until the user signs in through a portal), the configured DoH/DoT server won't override the DNS settings provided by the VPN or the captive network.

In addition, developers can write "rules" that enable encrypted DNS only in certain situations or contexts, such as when the device is on cellular data, on a specific Wi-Fi network the user hasn't marked as trusted, or for certain types of apps.
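The system-wide configuration from Pauly's first option, together with the on-demand rules described above, is done with NEDNSSettingsManager from the NetworkExtension framework. The following is an added example for this page, not Apple's own sample code; the resolver URL, its addresses and the SSID are placeholders, and the app that runs it needs the Network Extension entitlement with the DNS settings capability.

```swift
import NetworkExtension

// Added example: install a system-wide DoH resolver and restrict it with
// on-demand rules (iOS 14 / macOS 11 and later).
// "doh.example.net", 2001:db8::53, 203.0.113.53 and "CorpWiFi" are placeholders.
func installSystemEncryptedDNS(completion: @escaping (Error?) -> Void) {
    let manager = NEDNSSettingsManager.shared()

    // Always load the saved configuration first, otherwise saving would
    // overwrite it with a fresh one.
    manager.loadFromPreferences { loadError in
        if let loadError = loadError {
            completion(loadError)
            return
        }

        // DoH resolver. The IP literals let the system reach the server
        // without a cleartext lookup of its hostname. For DoT, use
        // NEDNSOverTLSSettings(servers:) and set serverName instead.
        let doh = NEDNSOverHTTPSSettings(servers: ["2001:db8::53", "203.0.113.53"]) // placeholders
        doh.serverURL = URL(string: "https://doh.example.net/dns-query")             // placeholder
        manager.dnsSettings = doh
        manager.localizedDescription = "Example encrypted DNS"

        // Rules are evaluated in order; the first match decides.
        // 1. On a Wi-Fi network the organisation trusts (its own office
        //    network, say), keep that network's own DNS so internal names
        //    still resolve.
        let trustedWiFi = NEOnDemandRuleDisconnect()
        trustedWiFi.interfaceTypeMatch = .wiFi
        trustedWiFi.ssidMatch = ["CorpWiFi"]   // placeholder SSID

        // 2. On cellular and on every other Wi-Fi network, use the
        //    encrypted resolver.
        let everywhereElse = NEOnDemandRuleConnect()
        everywhereElse.interfaceTypeMatch = .any

        manager.onDemandRules = [trustedWiFi, everywhereElse]

        manager.saveToPreferences { saveError in
            completion(saveError)
        }
    }
}
```

Saving the configuration does not activate it: the user has to enable it in Settings, and `manager.isEnabled` reports whether they have. Even when enabled, an active VPN's DNS configuration and a captive network's DNS take precedence, as the article notes, so this resolver is not used while the device is behind either.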

And in case a network provider is blocking encrypted DNS on its network, Apple also plans to warn users so they can take other steps to preserve their privacy.


Apple now joins the likes of Mozilla, Google, and Microsoft, all of whom have announced support for encrypted DNS communications in their respective products -- Firefox, Chrome, Edge & Windows 10.
