Apple with iOS 14 pokes a hole in DNS filtering with query type 65

Hi!

I use an external DNS services like Cloudflare Family Filter and Cleanbrowsing Adult Filter for filtering out adult content. One of it’s great features is that it enforces Safe Search mode for Google, Bing and such. It has been working great on ALL my devices until I recently upgraded my iPhones to iOS 14. The other devices and computers are correctly enforcing Safe Search, but iPhones with iOS 14 have issues concerning this, especially regarding www.bing.com

For example: when a device or a computer lookup www.bing.com, CloudFlare Family Filter and Cleanbrowsing Adult Filter return strict.bing.com. This is the normal case on my local network until iOS 14 entered the building.

To test the issue at hand, you can search for the word “sex” and it should return nothing. If it does, iOS 14 is circumventing your DNS policies and rules, and also circumventing Cloudflare and Cleanbrowsing.

After looking into different scenarios, like problems with Cloudflare or Cleanbrowsing, I started to look at the DNS log files and saw the following:

dnsmasq[####]: 192.168.1.### query[type=65] www2.bing.com from 192.168.1.###
dnsmasq[####]: 192.168.1.### forwarded www2.bing.com to CLEANBROWSING-DNS
dnsmasq[####]: 192.168.1.### forwarded www2.bing.com to CLEANBROWSING-DNS
dnsmasq[####]: 192.168.1.### query[A] www2.bing.com from 192.168.1.###
dnsmasq[####]: 192.168.1.### cached www2.bing.com is 204.79.197.220
dnsmasq[####]: 192.168.1.### validation result is INSECURE
dnsmasq[####]: 192.168.1.### query[type=65] www2-bing-com.dual-a-0001.a-msedge.net from 192.168.1.###
dnsmasq[####]: 192.168.1.### forwarded www2-bing-com.dual-a-0001.a-msedge.net to CLEANBROWSING-DNS
dnsmasq[####]: 192.168.1.### query[A] www2-bing-com.dual-a-0001.a-msedge.net from 192.168.1.###
dnsmasq[####]: 192.168.1.### forwarded www2-bing-com.dual-a-0001.a-msedge.net to CLEANBROWSING-DNS
dnsmasq[####]: 192.168.1.### validation result is INSECURE
dnsmasq[####]: 192.168.1.### dnssec-query[DS] a-msedge.net to CLEANBROWSING-DNS
dnsmasq[####]: 192.168.1.### reply a-msedge.net is no DS
dnsmasq[####]: 192.168.1.### validation result is INSECURE
dnsmasq[####]: 192.168.1.### reply www2-bing-com.dual-a-0001.a-msedge.net is <CNAME>
dnsmasq[####]: 192.168.1.### reply dual-a-0001.a-msedge.net is 13.107.21.200  #UNRESTRICTED
dnsmasq[####]: 192.168.1.### reply dual-a-0001.a-msedge.net is 204.79.197.200 #UNRESTRICTED

Hm… what is going on here? Eureka! Apple is sending DNS queries with type set to 65, which is returning the unrestricted version of www.bing.com.

Query Type 65 is:

HTTPS Binding: RR that improves performance for clients that need to resolve many resources to access a domain. More info in this IETF Draft by DNSOP Working group and Akamai technologies.

So when the iPhone looks up www.bing.com with the query type set to 65 it is forwarded to Cleanbrowsing and Cloudflare which are also sending it forward, totally bypassing their filters.

@anb usually keeps an eye on stuff like this, but this certainly sounds new.

Thanks for the report, we are tracking this issue internally.

Thanks a lot for the feedback, really appreciate that. Meanwhile I have patched the dnsmasq source so it returns “NODATA” for this type of query. Not the best option, but for time being, strict.bing.com works just fine on all your devices.

I use Cloudflare Teams Gateway as my DNS firewall and I noticed this same problem with macOS 11 Big Sur. It can bypass my DNS filters with DNS RR type 65 queries. This can happen especially on domains that are hosted on Cloudflare as their authoritative DNS servers do answer to HTTPSSVC (type 65) queries. Cloudflare Gateway DNS firewall should filter HTTPSSVC queries or otherwise an obsolete product.

Hi guys! While waiting for the industry to adapt to what Apple has brought to the table, I have developed a simple patch for you ppl running dnsmasq. I am serious about this, I got inspired by a previous patch developed by a another github:er that filtered IPv6. You have to download the dnsmasq source files first (2.82 version) and den run the patch on it. Here is the patch: https://pastebin.com/w6Mt4ZRR

The patch will mainly add 2 filters to dnsmasq of which one is:

filter-https

Add that to your /etc/dnsmasq.conf and you good to go! There is also a “filter-aaaa” which blocks IPv6 queries for other nerds out there.

Important: review the patch before applying it. If you can’t understand the code, don’t apply it!

Cheers fellow DNS:ers!

@NordicMember This link has since expired. Are you able to upload it again?

Cheers!

type 65 queries are now blocked by Family/ Gateway.

@cscharff I know it’s off-topic for this forum, but I’m specifically trying to block the type 65 queries at the local level because of some internal network issues. @NordicMember’s post seem the closest to a quick work-around solution until I can patch network infra

Here is the patch: dnsmasq-2.82-filter-aaaa+https+unknown.patch - Pastebin.com (link active 1 month)

This patch adds the following configuration options:

filter-aaaa: filter all ipv6 queries
filter-https: filter all https / query type 65
filter-unknown: filter all unknown query types (except https)

Further changes as well:

increase ttl-floor-limit to 604800 (--min-cache-ttl)
increase dnssec-min-ttl to 3600 (DNSKEY and DS records in cache last at least this long)
conntrack
dnssec
no dumpfile
no dhcp6

Apply patch

git clone git://thekelleys.org.uk/dnsmasq.git (version 2.82)

cd dnsmasq

git apply dnsmasq-2.82-filter-aaaa+https+unknown.patch

make

cp src/dnsmaq to your server

Add following options to your dnsmasq.conf:
    filter-aaaa
    filter-https
    filter-unknown

Enjoy the silence!

Excellent work thanks. Would you please consider posting the patch on GitHub Gist so it can be updated directly with change history, doesn’t expire, and can be forked?

Here is the repository: GitHub - rozahp/dnsmasq: Dnsmasq patch with options for filtering IPv6, HTTPS-query and unknown query types.
Please fork and edit the code yourself. Thanks!