Later this year, Apple’s iPhone, iPad, and Mac range will ALL support DNS-over-HTTPS and DNS-over-TLS, thanks to iOS 14 and macOS 11
Security is a big deal these days. With ongoing debates about the possibility of the US government getting a backdoor into platforms like iOS and Android, moves to add in increased layers of protection to users are always welcome.
In 2020, with the release of iOS 14 and macOS 11, Apple will introduce DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT) support across its product range, including iPhone, iPad, and its Mac lineup. This is a huge boon for those concerned about security issues.
What The Heck is a DNS?
DNS stands for Domain Name System. You can think of it as the internet’s address book. Whenever you visit a site online, like KYM, your browser contacts a DNS resolver for the site’s IP address; an IP address is like a digital coordinate.
That IP address tells the browser where to go, taking you to the site in question. However, most of these queries are sent in the clear, unencrypted, which means they can, in some cases, be intercepted – and that’s not good. When DNS is encrypted, the end-user has more protection from hackers and scammers.
And this is why DNS encryption is so important. Inside iOS 14 and macOS 11, Apple will bring both DNS-over-HTTPS and DNS-over-TLS to its products. This is a good thing. Now, let’s take a look at what these two protocols actually mean…
Defining DoH and DoT…
Here’s a brief explanation of DNS-over-HTTPS (DoH) and DNS-over-TLS (DoT):
- DNS-over-HTTPS (DoH): DNS over HTTPS is more secure than the traditional DNS because it’s using a secure, encrypted connection. Using DNS over HTTPS means that your ISP — and any of the other “hands” that we mentioned earlier — won’t be able to see certain aspects of the DNS lookup process because they’ll be encrypted – source
- DNS-over-TLS (DoT): DNS over TLS (DoT) is a security protocol for encrypting and wrapping Domain Name System (DNS) queries and answers via the Transport Layer Security (TLS) protocol. The goal of the method is to increase user privacy and security by preventing eavesdropping and manipulation of DNS data via man-in-the-middle attacks – source
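To make the two definitions above concrete, here is an added example (not code from the article or from Apple) that builds a real DNS query in wire format and then shows exactly how DoT and DoH carry it. DoT (RFC 7858) reuses the plain DNS-over-TCP framing, a two-byte length prefix, but runs the TCP stream inside TLS on port 853; DoH (RFC 8484) puts the same bytes in an HTTPS request body typed `application/dns-message`, or base64url-encodes them into a `dns=` query parameter for GET. Everything after the TLS handshake, including the queried name, is what the "hands" in the path can no longer read. The hostnames and resolver URLs are constructed; nothing here touches the network.

```python
"""DNS wire format plus the DoT and DoH framings around it (added example)."""
import base64
import struct

TYPE_A = 1
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode 'example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0) -> bytes:
    """Build a standard recursive query: 12-byte header + one question."""
    # flags 0x0100 = RD (recursion desired); QDCOUNT = 1, other counts 0.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def parse_question(msg: bytes) -> dict:
    """Decode the header and the first question of a DNS message."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    pos, labels = 12, []
    while msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1 : pos + 1 + n].decode("ascii"))
        pos += 1 + n
    qtype, qclass = struct.unpack("!HH", msg[pos + 1 : pos + 5])
    return {"id": txid, "rd": bool(flags & 0x0100), "qdcount": qdcount,
            "qname": ".".join(labels), "qtype": qtype, "qclass": qclass}


def frame_dot(msg: bytes) -> bytes:
    """DoT (RFC 7858): a 2-byte big-endian length prefix, exactly as DNS over
    TCP, but the TCP connection is wrapped in TLS on port 853."""
    return struct.pack("!H", len(msg)) + msg


def unframe_dot(stream: bytes) -> bytes:
    """Recover one DNS message from a DoT/TCP stream; rejects short reads."""
    (n,) = struct.unpack("!H", stream[:2])
    if len(stream) < 2 + n:
        raise ValueError("short read")
    return stream[2 : 2 + n]


def frame_doh_post(msg: bytes, host: str, path: str = "/dns-query") -> bytes:
    """DoH (RFC 8484) POST: the raw DNS message is the HTTP body, typed
    application/dns-message. HTTP/1.1 text shown for readability; real
    clients use HTTP/2 or later over TLS on port 443."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/dns-message\r\n"
            "Accept: application/dns-message\r\n"
            f"Content-Length: {len(msg)}\r\n\r\n")
    return head.encode("ascii") + msg


def doh_get_url(msg: bytes, base: str) -> str:
    """DoH GET variant: message base64url-encoded with padding stripped.
    RFC 8484 recommends transaction id 0 so identical queries share a URL
    and can be cached."""
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{base}?dns={b64}"


if __name__ == "__main__":
    q = build_query("example.com")          # constructed sample query
    print(parse_question(q))
    print("DoT framing:", frame_dot(q).hex())
    print(frame_doh_post(q, "dns.example.net").decode("latin-1"))
    print(doh_get_url(q, "https://dns.example.net/dns-query"))
```

Run it and compare the two outputs: the DNS bytes are identical in both, which is the point of the definitions above. The protocols differ only in the wrapper, and a network observer sees the TLS session (and for DoH, ordinary HTTPS traffic to port 443) rather than the name being resolved.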
Encrypted DNS and iPhone Apps
With this update, Apple developers will be able to update existing apps (or create new ones) that use either DoT or DoH to encrypt DNS traffic. This will make the apps more secure, provide better protection to the end-user, and help reduce the amount of “tracking” that can be done on the end-user.
How will this work in practice? Tommy Pauly, Internet Technologies Engineer at Apple, outlined a couple of scenarios during an event at Apple earlier this week.
“The first way is to use a single [encrypted] DNS server as the default resolver for all apps on the system. If you provide a public [encrypted] DNS server, you can now write a network extension app that configures the system to use your server. Or, if you use Mobile Device Management to configure enterprise settings on devices, you can push down a profile to configure encrypted DNS settings for your networks,” said Pauly.
He added: “The second way to enable encrypted DNS is to opt-in directly from an app. If you want your app to use encrypted DNS, even if the rest of the system isn’t yet, you can select a specific server to use for some or all of your app’s connections.”
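Pauly's first scenario above, an MDM profile that pushes encrypted DNS settings to managed devices, is something an IT department would script rather than hand-write. The following is an added example, not Apple's code and not from the article. It assumes the DNS Settings payload as I recall it from Apple's device-management documentation: payload type `com.apple.dnsSettings.managed` with a `DNSSettings` dictionary holding `DNSProtocol` (`HTTPS` or `TLS`), `ServerURL` for DoH, `ServerName` for DoT, optional `ServerAddresses`, and `ProhibitDisablement`; verify those keys against the current profile reference before deploying. The resolver names and addresses are constructed.

```python
"""Generate and audit an Apple DNS Settings profile (added example)."""
import plistlib
import uuid

# Assumed payload identifier for Apple's DNS Settings payload (verify).
DNS_PAYLOAD_TYPE = "com.apple.dnsSettings.managed"


def dns_settings(protocol, server_url=None, server_name=None, addresses=()):
    """Validate and return the DNSSettings dictionary for one resolver.

    DoH needs the resolver URL; DoT needs the TLS server name the device
    will validate the certificate against. Literal addresses are optional
    but let the device reach the resolver without first looking up the
    resolver's own hostname over plain DNS.
    """
    if protocol == "HTTPS":
        if not server_url or not server_url.startswith("https://"):
            raise ValueError("DoH requires an https:// ServerURL")
        settings = {"DNSProtocol": "HTTPS", "ServerURL": server_url}
    elif protocol == "TLS":
        if not server_name:
            raise ValueError("DoT requires ServerName for certificate validation")
        settings = {"DNSProtocol": "TLS", "ServerName": server_name}
    else:
        raise ValueError("DNSProtocol must be HTTPS or TLS")
    if addresses:
        settings["ServerAddresses"] = list(addresses)
    return settings


def build_profile(settings, display_name, org, prohibit_disable=True):
    """Wrap one DNSSettings dict in a configuration profile.

    Returns (profile dict, XML plist bytes ready to upload to MDM).
    """
    payload = {
        "PayloadType": DNS_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.dns.{settings['DNSProtocol'].lower()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "DNSSettings": settings,
        # Keeps users from switching the encrypted resolver off (assumed key).
        "ProhibitDisablement": prohibit_disable,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org}.dns",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadContent": [payload],
    }
    return profile, plistlib.dumps(profile)


def resolver_from_profile(data: bytes) -> dict:
    """Read a profile back and return its DNSSettings, e.g. to audit what an
    MDM server actually pushed. Raises if no DNS Settings payload exists."""
    prof = plistlib.loads(data)
    for p in prof.get("PayloadContent", []):
        if p.get("PayloadType") == DNS_PAYLOAD_TYPE:
            return p["DNSSettings"]
    raise ValueError("no DNS Settings payload found")


if __name__ == "__main__":
    # Constructed resolver; 203.0.113.0/24 is a documentation range.
    s = dns_settings("HTTPS", server_url="https://dns.example.net/dns-query",
                     addresses=["203.0.113.53"])
    _, data = build_profile(s, "Encrypted DNS", "com.example")
    print(data.decode())
    print(resolver_from_profile(data))
```

The validation in `dns_settings` encodes the failure mode that matters most here: a DoT entry without a `ServerName` leaves the device nothing to validate the resolver's certificate against, and a DoH URL that is not `https://` is not encrypted DNS at all.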
On top of this, Apple’s DoH and DoT support will also be context-aware: the system will know when you’re using a VPN, for instance, and will act accordingly rather than overriding your app’s settings. This is seriously cool, leaving options open for IT departments as well as popular VPN apps like SurfShark.