iOS 14 (Apple) DNS bits
vom513 at gmail.com
Wed Sep 23 23:46:16 UTC 2020
*** Hopefully this is on-topic enough for the list…
Since iOS 14 has been released recently, folks have observed the changes to the network and DNS mechanics. I wanted to get some feedback from folks here on this. I have a small observation, and a slightly larger question:
Observation: iOS 14 now seems to send 3 queries (up from 2) for every “socket” connection to a name. Whereas we’ve had A + AAAA for quite some time in many OSes - on iOS 14 we now have A + AAAA + HTTPS (type 65). I doubt this will be any burden on anyone, but I just wanted to point out that now many Apple devices will have 1.5x the previous query traffic coming from them. I also wonder who is actually using HTTPS RRs in their zones - I would assume Apple would be (soon at least) for their cloud and infra. services. Alas, I don’t see anything in Wireshark, nor do I have a command line utility that understands the RRtype to test by hand...
Question: iOS 14 now flags networks that it believes are blocking encrypted DNS. It puts a warning in Settings for the wifi. For my home network this is expected. I redirect 53 to my own firewall - as well as use some RPZ feeds - one of which aims to block/poison DOH/DOT attempts. My question is how is it making this determination? I log the iptables redirects, and I also log RPZ hits out of bind. I don’t see anything in my logs where my phone has tripped these. I don’t currently block 853/tcp (but I likely will) - so it shouldn’t be making its determination off of that… Does anyone *really* know how iOS 14 is testing this?
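Since the post mentions having no tool that understands type 65, here is an added example (not from the poster or the list) that builds a raw HTTPS (type 65) query and decodes the RDATA layout from RFC 9460; the sample RDATA bytes are constructed, not captured from any real zone.

```python
import ipaddress
import struct

TYPE_HTTPS = 65  # the HTTPS RR type iOS 14 queries alongside A and AAAA
SVCPARAM_KEYS = {1: "alpn", 3: "port", 4: "ipv4hint", 6: "ipv6hint"}

def encode_name(name):
    """Uncompressed wire-format domain name; '.' encodes as the root."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_https_query(name, txid=0x1234):
    """Minimal standard query (RD set) for <name> IN HTTPS, ready to send on UDP/53."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # id, flags, qd=1, an/ns/ar=0
    return header + encode_name(name) + struct.pack("!HH", TYPE_HTTPS, 1)

def decode_name(data, offset):
    """Read an uncompressed name (RFC 9460 forbids compression inside HTTPS RDATA)."""
    labels = []
    while data[offset]:
        n = data[offset]
        labels.append(data[offset + 1:offset + 1 + n].decode("ascii"))
        offset += 1 + n
    return (".".join(labels) + "." if labels else "."), offset + 1

def decode_param(key, value):
    if key == 1:  # alpn: sequence of length-prefixed protocol ids
        out, i = [], 0
        while i < len(value):
            out.append(value[i + 1:i + 1 + value[i]].decode("ascii"))
            i += 1 + value[i]
        return out
    if key == 3:  # port: single uint16
        return struct.unpack("!H", value)[0]
    if key in (4, 6):  # ipv4hint / ipv6hint: packed address list
        size = 4 if key == 4 else 16
        return [str(ipaddress.ip_address(value[i:i + size])) for i in range(0, len(value), size)]
    return value.hex()  # unknown key: keep the raw bytes

def parse_https_rdata(rdata):
    """RDATA = SvcPriority(2) + TargetName + {key(2) len(2) value}*; returns (priority, target, params)."""
    priority = struct.unpack("!H", rdata[:2])[0]
    target, off = decode_name(rdata, 2)
    params = {}
    while off < len(rdata):
        key, length = struct.unpack("!HH", rdata[off:off + 4])
        params[SVCPARAM_KEYS.get(key, f"key{key}")] = decode_param(key, rdata[off + 4:off + 4 + length])
        off += 4 + length
    return priority, target, params

# Constructed sample RDATA (not a capture): priority 1, target ".", alpn h3,h2, ipv4hint 192.0.2.1
SAMPLE_RDATA = b"\x00\x01" + b"\x00" + b"\x00\x01\x00\x06\x02h3\x02h2" + b"\x00\x04\x00\x04" + bytes([192, 0, 2, 1])
```

To test against a live resolver, send `build_https_query(name)` over UDP to port 53 and feed the answer record's RDATA to `parse_https_rdata`; a type 65 query observed on the wire is what the post counts as the third lookup per connection.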