Last updated on March 9, 2021
In a presentation at its 2020 Apple Worldwide Developers Conference from June 22 to 26, 2020, Apple announced that the upcoming versions of its operating systems iOS and macOS will be able to handle encrypted DNS communication.
Apple explained that iOS 14 and macOS 11, due to be released this fall, will support both the DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) protocols.
Normal Domain Name System (DNS) traffic is in the clear and has been used in the past by Internet service providers and others to track users, usually creating profiles for sale to online advertisers.
But DoH and DoT allow a desktop, phone, or individual application to make DNS queries and receive DNS responses in an encrypted format. This feature prevents third parties and malicious threat actors from tracking a user’s DNS queries and inferring the destinations and patterns of web traffic of the target.
To improve the privacy of iOS and macOS users, Apple says it plans to add new functions and features to its app development frameworks.
These new features will allow developers to build or upgrade their existing applications and use either DoH or DoT to encrypt DNS traffic.
Apple announced that developers can create apps to apply DoH / DoT settings for the entire operating system (via network extension apps or MDM profiles), to individual apps, or to selected network requirements of an app.
“There are two ways in which encrypted DNS can be activated,” said Tommy Pauly, Internet Technologies Engineer at Apple, in a presentation on Wednesday.
“The first is to use a single [encrypted] DNS server as the default resolver for all applications in the system. If you are deploying a public [encrypted] DNS server, you are now ready to write a network extension application that will configure the system to use your server. Or, if you use Mobile Device Management to configure company settings on devices, you can slide down a profile to configure encrypted DNS settings for your networks, ”says Pauly.
“The second way to enable encrypted DNS is to log in directly from an application. If you want your application to use encrypted DNS even when the rest of the system isn’t encrypted yet, you can choose a specific server to use for some or all of your application’s connections, ”Pauly added.
In addition, Apple’s DoH and DoT implementations will also be context sensitive. For example, if a user has a VPN application installed or is part of a corporate (corporate) network, the DoH / DoT server will not overwrite the DNS settings provided by the above.
In addition, developers can also write “rules” to enable support for encrypted DNS communications only in certain situations or contexts, e.g. if the user is using his mobile data network, a specific WiFi network that the user does not trust, or for used certain types of applications.
And in the event a network provider blocks encrypted DNS communications on their network, Apple also plans to warn users so they can take other measures to protect their privacy.
Apple is catching up with Mozilla , Google and Microsoft , all of whom have announced or already introduced support for encrypted DNS communication in their respective products – Firefox, Chrome and Android , Edge and Windows 10 .
