Apple this year will boldly go where its peers have gone before by implementing support for encrypted DNS in iOS and macOS.
"Starting this year, Apple platforms natively support encrypted DNS," said Tommy Pauly, internet technologies engineer, in a video presentation for Apple's 2020 Worldwide Developer Conference, virtualized this year by necessity.
More specifically, macOS 11, iOS 14, and Mac Catalyst framework 14 (for Mac versions of iPad apps) will support DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH). These Apple operating system updates are scheduled for release later this year, likely in September or October.
When you visit a website with a browser, or connect to a service via an app, the software typically sends domain-name system (DNS) queries in the background to DNS servers, such as ones provided by your ISP, to translate domain names, like theregister.com, into the network IP addresses the programs can use. These queries are typically sent unencrypted, meaning eavesdroppers on the network path can snoop on the names of the sites and services you're using, and can modify the query results to redirect you to malicious websites.
Encrypted DNS, as its name suggests, encrypts those queries to shield them from snoops and meddlers.
DoT started taking shape in 2014. A proposal to establish DoH as a standard was drafted in 2017. And a year later, a research paper presented at a Usenix conference underscored the need for better security when it reported that about 8.5 per cent of DNS queries were intercepted by service providers.
Around that time, with standards in place, internet companies got serious about encrypting DNS queries, and people had arguments about how DoH disempowers network administrators and lets people flout filters put in place to protect them from smut and illegal content.
Google began testing DoH last year and recently implemented it in Chrome 83. Microsoft talked about secure DNS last year and is now testing it for Windows. Even Comcast joined the party this week with Firefox.
Which brings us back to Apple.
Apple's updated code will allow those offering DNS services, and enterprise organizations administering corporate software via Mobile Device Management, to create apps for configuring DNS settings so they use an encrypted transport.
For example, a service provider like Cloudflare could create a network extension app using the NEDNSSettings class to switch a device to use DoT/DoH systemwide using Cloudflare's resolvers. Organizations using MDM will be able to do so by applying a Profile to managed devices.
Developers will also be able to create individual apps that allow users to choose to make app-specific connections over encrypted DNS using the NWParameters.PrivacyContext object and standard networking APIs.
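As an added illustration of the app-specific route (this is not code from the article or from Apple's presentation), the following Swift sketch uses the Network framework on iOS 14/macOS 11 to require encrypted name resolution for one app's connections. The resolver URL, resolver addresses, and destination host are assumptions chosen for the example, and the method names beyond NWParameters.PrivacyContext are recalled from Apple's Network framework rather than taken from the page.

```swift
import Foundation
import Network

// Assumed DoH resolver used only if the system has no encrypted DNS configured
// (no NEDNSSettings app or MDM profile). Values are illustrative, not from the article.
let fallbackResolverURL = URL(string: "https://cloudflare-dns.com/dns-query")!
let fallbackResolverAddresses: [NWEndpoint] = [
    .hostPort(host: "1.1.1.1", port: 443),
    .hostPort(host: "1.0.0.1", port: 443),
]

// A privacy context carries name-resolution policy for connections created with it.
let privacyContext = NWParameters.PrivacyContext(description: "EncryptedDNSOnly")

// Require an encrypted transport for this app's lookups. Without a fallback resolver,
// lookups would fail rather than silently drop to cleartext when none is configured.
privacyContext.requireEncryptedNameResolution(
    true,
    fallbackResolver: .https(fallbackResolverURL, serverAddresses: fallbackResolverAddresses)
)

// Attach the context to otherwise standard TLS connection parameters.
let parameters = NWParameters.tls
parameters.setPrivacyContext(privacyContext)

// Constructed destination for the demo; the resolution of "example.com" is what
// the privacy context governs, the TLS session to it is unchanged.
let connection = NWConnection(host: "example.com", port: 443, using: parameters)
connection.stateUpdateHandler = { state in
    switch state {
    case .ready:
        print("connected; the hostname was resolved over encrypted DNS")
        connection.cancel()
    case .waiting(let error):
        print("waiting for a usable path: \(error)")
    case .failed(let error):
        print("connection failed: \(error)")
    default:
        break
    }
}
connection.start(queue: .main)
```

A system-wide configuration via NEDNSSettings, by contrast, needs a network extension app or an MDM profile and applies to every app on the device, not just the one that created the context.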
As demonstrated in the video, an iOS app implementing encrypted DNS can be activated via Settings -> General -> VPN & Network (a menu called simply "VPN" on current iOS 13 systems).
Better fashionably late than never. ®