Apple announced that iOS 14 and macOS Big Sur will support encrypted DNS communication at a developer conference. Unencrypted DNS communication takes place using plain text and anyone in your WiFi network or even ISP can snoop on your web traffic. In other words, anyone between your device and resolver will be able to intercept DNS queries in Normal DNS.
There are two mechanisms for encrypting DNS queries, DNS-over-HTTPS (DOH) and DNS-over-TLS (DoT). Both the mechanisms support DNS encryption for a phone, desktop, and even individual apps. Since the queries are encrypted, third parties will not be able to track and intercept.
Apple says it is implementing DNS encryption to improve the privacy on iOS and macOS. Furthermore, developers will be given a choice between DoH or DoT implementation on their apps. Most importantly, each app can have its own DNS encryption protocol which might differ from the system-wide DNS setting.
The first way is to use a single [encrypted] DNS server as the default resolver for all apps on the system. If you provide a public [encrypted] DNS server, you can now write a network extension app that configures the system to use your server. Or, if you use Mobile Device Management to configure enterprise settings on devices, you can push down a profile to configure encrypted DNS settings for your networks- Tommy Pauly, Internet Technologies Engineer at Apple.
Alternately, DNS can also be enabled within the app. In other words, users will be able to opt-in for DNS encryption service on apps even if the rest of the system is not using encrypted DNS. Users can select specific servers to configure app connections.
Apple’s DoH and DoT are perfectly capable of handling certain network configurations. For instance, the DoH/DoT protocol can detect if a VPN is being used and thus will not override the default DNS settings. Apple has worked on giving greater control for developers. They can choose to enable encrypted DNS in certain situations. For example, DNS encryption can be set to activate when mobile data is being used or for apps of certain categories.
Since the last two decades or so DNS data has largely been unencrypted. Others on your network could snoop on your network packet. This meant data like source IP address and destination IP address could be leaked. The payload can further be parsed in terms of DNS answer which reveals the destination site. The bottom line, DNS encryption will vastly improve privacy on iOS/macOS Big Sur and will put an end to DNS hijacking.
What do you think of the new DNS encryption feature on iOS 14 and macOS Big Sur? Share your thoughts below.[via ZDNet]