Apple with iOS 14 pokes a hole in DNS filtering with query type 65

Hi!

I use external DNS services like Cloudflare Family Filter and Cleanbrowsing Adult Filter for filtering out adult content. One of their great features is that they enforce Safe Search mode for Google, Bing and such. It has been working great on ALL my devices until I recently upgraded my iPhones to iOS 14. The other devices and computers are correctly enforcing Safe Search, but iPhones with iOS 14 have issues concerning this, especially regarding www.bing.com.

For example: when a device or a computer looks up www.bing.com, Cloudflare Family Filter and Cleanbrowsing Adult Filter return strict.bing.com. This is the normal case on my local network until iOS 14 entered the building.

To test the issue at hand, you can search for the word “sex” and it should return nothing. If it does, iOS 14 is circumventing your DNS policies and rules, and also circumventing Cloudflare and Cleanbrowsing.

After looking into different scenarios, like problems with Cloudflare or Cleanbrowsing, I started to look at the DNS log files and saw the following:

dnsmasq[####]: 192.168.1.### query[type=65] www2.bing.com from 192.168.1.###
dnsmasq[####]: 192.168.1.### forwarded www2.bing.com to CLEANBROWSING-DNS
dnsmasq[####]: 192.168.1.### forwarded www2.bing.com to CLEANBROWSING-DNS
dnsmasq[####]: 192.168.1.### query[A] www2.bing.com from 192.168.1.###
dnsmasq[####]: 192.168.1.### cached www2.bing.com is 204.79.197.220
dnsmasq[####]: 192.168.1.### validation result is INSECURE
dnsmasq[####]: 192.168.1.### query[type=65] www2-bing-com.dual-a-0001.a-msedge.net from 192.168.1.###
dnsmasq[####]: 192.168.1.### forwarded www2-bing-com.dual-a-0001.a-msedge.net to CLEANBROWSING-DNS
dnsmasq[####]: 192.168.1.### query[A] www2-bing-com.dual-a-0001.a-msedge.net from 192.168.1.###
dnsmasq[####]: 192.168.1.### forwarded www2-bing-com.dual-a-0001.a-msedge.net to CLEANBROWSING-DNS
dnsmasq[####]: 192.168.1.### validation result is INSECURE
dnsmasq[####]: 192.168.1.### dnssec-query[DS] a-msedge.net to CLEANBROWSING-DNS
dnsmasq[####]: 192.168.1.### reply a-msedge.net is no DS
dnsmasq[####]: 192.168.1.### validation result is INSECURE
dnsmasq[####]: 192.168.1.### reply www2-bing-com.dual-a-0001.a-msedge.net is <CNAME>
dnsmasq[####]: 192.168.1.### reply dual-a-0001.a-msedge.net is 13.107.21.200  #UNRESTRICTED
dnsmasq[####]: 192.168.1.### reply dual-a-0001.a-msedge.net is 204.79.197.200 #UNRESTRICTED

Hm… what is going on here? Eureka! Apple is sending DNS queries with type set to 65, which is returning the unrestricted version of www.bing.com.

Query Type 65 is:

HTTPS Binding: RR that improves performance for clients that need to resolve many resources to access a domain. More info in this IETF Draft by DNSOP Working group and Akamai technologies.

So when the iPhone looks up www.bing.com with the query type set to 65 it is forwarded to Cleanbrowsing and Cloudflare which are also sending it forward, totally bypassing their filters.
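As an added example (not part of the original post, and not the poster's own tooling), here is a small Python script that pulls the HTTPS (type 65) queries out of a dnsmasq query log and shows, per client, which names were asked for that way, plus the non-CNAME answers dnsmasq logged for any name, so the filtered A answer can be compared with what came back on the type-65 path. The log lines embedded in it are constructed, modelled on the lines quoted above; the timestamps, PID, host and client addresses are made up. Older dnsmasq builds log this type numerically as "query[type=65]"; the script also accepts "query[HTTPS]" in case a build logs the type by name.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the dnsmasq log quoted in the post; the
# timestamps, PID, hostname and client addresses are made up.
SAMPLE_LOG = """\
Oct  1 08:15:01 gw dnsmasq[1234]: 192.168.1.1 query[type=65] www2.bing.com from 192.168.1.50
Oct  1 08:15:01 gw dnsmasq[1234]: 192.168.1.1 forwarded www2.bing.com to CLEANBROWSING-DNS
Oct  1 08:15:01 gw dnsmasq[1234]: 192.168.1.1 query[A] www2.bing.com from 192.168.1.50
Oct  1 08:15:01 gw dnsmasq[1234]: 192.168.1.1 cached www2.bing.com is 204.79.197.220
Oct  1 08:15:01 gw dnsmasq[1234]: 192.168.1.1 query[type=65] www2-bing-com.dual-a-0001.a-msedge.net from 192.168.1.50
Oct  1 08:15:01 gw dnsmasq[1234]: 192.168.1.1 forwarded www2-bing-com.dual-a-0001.a-msedge.net to CLEANBROWSING-DNS
Oct  1 08:15:01 gw dnsmasq[1234]: 192.168.1.1 reply www2-bing-com.dual-a-0001.a-msedge.net is <CNAME>
Oct  1 08:15:01 gw dnsmasq[1234]: 192.168.1.1 reply dual-a-0001.a-msedge.net is 13.107.21.200
Oct  1 08:15:02 gw dnsmasq[1234]: 192.168.1.1 query[A] www.bing.com from 192.168.1.77
Oct  1 08:15:02 gw dnsmasq[1234]: 192.168.1.1 reply www.bing.com is <CNAME>
Oct  1 08:15:02 gw dnsmasq[1234]: 192.168.1.1 reply strict.bing.com is 204.79.197.220
Oct  1 08:15:03 gw dnsmasq[1234]: 192.168.1.1 query[HTTPS] www.bing.com from 192.168.1.50
"""

# dnsmasq query/answer lines, independent of whatever syslog prefix precedes them.
QUERY_RE = re.compile(r"query\[(?P<qtype>[^\]]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")
ANSWER_RE = re.compile(r"\b(?:reply|cached)\s+(?P<name>\S+)\s+is\s+(?P<value>\S+)")

# Older dnsmasq builds log unknown types numerically; accept both spellings.
HTTPS_QTYPES = {"type=65", "HTTPS"}


def parse_log(lines):
    """Split a dnsmasq log into [(client, qtype, name)] queries and {name: {answers}}."""
    queries = []
    answers = defaultdict(set)
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            queries.append((m["client"], m["qtype"], m["name"]))
            continue
        m = ANSWER_RE.search(line)
        if m and m["value"] != "<CNAME>":  # the CNAME target is logged on the next line
            answers[m["name"]].add(m["value"])
    return queries, dict(answers)


def https_queries(lines):
    """Which clients asked for HTTPS (type 65) records, and for which names."""
    out = defaultdict(set)
    for client, qtype, name in parse_log(lines)[0]:
        if qtype in HTTPS_QTYPES:
            out[client].add(name)
    return {client: sorted(names) for client, names in out.items()}


def https_query_counts(lines):
    """HTTPS queries per client; the devices with many are the ones to look at."""
    return Counter(c for c, t, _ in parse_log(lines)[0] if t in HTTPS_QTYPES)


def answers_for(lines, name):
    """All non-CNAME answers dnsmasq logged for a name ('reply' and 'cached' lines)."""
    return sorted(parse_log(lines)[1].get(name, ()))


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for client, names in https_queries(lines).items():
        print(f"{client} sent HTTPS (type 65) queries for: {', '.join(names)}")
    print("answers for dual-a-0001.a-msedge.net:", answers_for(lines, "dual-a-0001.a-msedge.net"))
```

Run it over your own log (wherever log-queries writes, often /var/log/dnsmasq.log). A name that only ever appears with a type-65 query, or whose type-65 path ends in a CNAME to an address the filtered A path never returned, is the one the upstream filter did not get to rewrite.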

@anb usually keeps an eye on stuff like this, but this certainly sounds new.


Thanks for the report, we are tracking this issue internally.


Thanks a lot for the feedback, really appreciate that. Meanwhile I have patched the dnsmasq source so it returns “NODATA” for this type of query. Not the best option, but for the time being, strict.bing.com works just fine on all your devices.

I use Cloudflare Teams Gateway as my DNS firewall and I noticed this same problem with macOS 11 Big Sur. It can bypass my DNS filters with DNS RR type 65 queries. This can happen especially on domains that are hosted on Cloudflare, as their authoritative DNS servers do answer HTTPSSVC (type 65) queries. Cloudflare Gateway DNS firewall should filter HTTPSSVC queries, or it is otherwise an obsolete product.

Hi guys! While waiting for the industry to adapt to what Apple has brought to the table, I have developed a simple patch for you people running dnsmasq. I am serious about this; I got inspired by a previous patch developed by another GitHub user that filtered IPv6. You have to download the dnsmasq source files first (version 2.82) and then run the patch on it. Here is the patch: https://pastebin.com/w6Mt4ZRR

The patch will mainly add 2 filters to dnsmasq of which one is:

filter-https

Add that to your /etc/dnsmasq.conf and you're good to go! There is also a “filter-aaaa” which blocks IPv6 queries for other nerds out there.

Important: review the patch before applying it. If you can’t understand the code, don’t apply it!

Cheers fellow DNS:ers!

@NordicMember This link has since expired. Are you able to upload it again?

Cheers!

Type 65 queries are now blocked by Family / Gateway.

@cs-cf I know it’s off-topic for this forum, but I’m specifically trying to block the type 65 queries at the local level because of some internal network issues. @NordicMember’s post seems the closest to a quick work-around solution until I can patch network infra.

Here is the patch: https://pastebin.com/cyMGdEpN (link active 1 month)

This patch adds the following configuration options:

filter-aaaa: filter all IPv6 queries
filter-https: filter all HTTPS / query type 65
filter-unknown: filter all unknown query types (except HTTPS)

Further changes as well:

increase ttl-floor-limit to 604800 (--min-cache-ttl)
increase dnssec-min-ttl to 3600 (DNSKEY and DS records in cache last at least this long)
conntrack
dnssec
no dumpfile
no dhcp6

Apply patch

git clone git://thekelleys.org.uk/dnsmasq.git (version 2.82)

cd dnsmasq

git apply dnsmasq-2.82-filter-aaaa+https+unknown.patch

make

cp src/dnsmasq to your server

Add following options to your dnsmasq.conf:
    filter-aaaa
    filter-https
    filter-unknown

Enjoy the silence!
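To make concrete what a filter-https style option has to do, here is an added Python example (not the patch linked above, and not dnsmasq code): it parses a single-question DNS query from the wire and, if the question type is HTTPS (65), or any other type on a configurable set such as AAAA (28) for a filter-aaaa equivalent, answers NODATA itself, i.e. NOERROR with the question echoed back and an empty answer section, instead of forwarding it. The forward callback standing in for the upstream resolver, and the query IDs and names used, are assumptions of the example.

```python
import struct

QTYPE_A, QTYPE_AAAA, QTYPE_HTTPS = 1, 28, 65


def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels (no compression)."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(ident, name, qtype, qclass=1):
    """Minimal DNS query: header with RD set, one question, no EDNS."""
    header = struct.pack("!HHHHHH", ident, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def parse_message(msg):
    """Return (ident, flags, ancount, qname, qtype, question_bytes) of a one-question message."""
    ident, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    (qtype,) = struct.unpack("!H", msg[pos:pos + 2])
    pos += 4  # skip qtype and qclass
    return ident, flags, ancount, ".".join(labels), qtype, msg[12:pos]


def nodata_response(query):
    """NOERROR with an empty answer section, echoing the question (RFC 2308 'NODATA')."""
    ident, flags, _, _, _, question = parse_message(query)
    rd = flags & 0x0100
    resp_flags = 0x8000 | rd | 0x0080  # QR=1, RD copied from the query, RA=1, RCODE=0
    return struct.pack("!HHHHHH", ident, resp_flags, 1, 0, 0, 0) + question


def filter_or_forward(query, forward, filtered_qtypes=frozenset({QTYPE_HTTPS})):
    """Answer filtered types locally with NODATA; hand everything else to the upstream."""
    _, _, _, _, qtype, _ = parse_message(query)
    if qtype in filtered_qtypes:
        return nodata_response(query)
    return forward(query)  # `forward` is the (assumed) upstream call, e.g. a UDP send/recv


def describe(msg):
    """Small summary of a message, handy for checking what the filter produced."""
    ident, flags, ancount, qname, qtype, _ = parse_message(msg)
    return {"id": ident, "qr": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "ancount": ancount, "qname": qname, "qtype": qtype}


if __name__ == "__main__":
    upstream = lambda q: b"<would be sent upstream>"
    q65 = build_query(0x1234, "www.bing.com", QTYPE_HTTPS)
    print("HTTPS query ->", describe(filter_or_forward(q65, upstream)))
    qa = build_query(0x1235, "www.bing.com", QTYPE_A)
    print("A query     ->", filter_or_forward(qa, upstream))
```

A production version would also copy the EDNS OPT record from the query and might add the zone's SOA to the authority section so clients can negatively cache the answer (RFC 2308). NXDOMAIN must not be used here: the name does exist, and a resolver honouring NXDOMAIN could stop asking for its A record as well, which is the opposite of what the filter wants.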

Excellent work thanks. Would you please consider posting the patch on GitHub Gist so it can be updated directly with change history, doesn’t expire, and can be forked?

Here is the repository: GitHub - rozahp/dnsmasq: Dnsmasq patch with options for filtering IPv6, HTTPS-query and unknown query types.
Please fork and edit the code yourself. Thanks!
