Hi!
I use an external DNS services like Cloudflare Family Filter and Cleanbrowsing Adult Filter for filtering out adult content. One of it’s great features is that it enforces Safe Search mode for Google, Bing and such. It has been working great on ALL my devices until I recently upgraded my iPhones to iOS 14. The other devices and computers are correctly enforcing Safe Search, but iPhones with iOS 14 have issues concerning this, especially regarding www.bing.com
For example: when a device or a computer lookup www.bing.com
, CloudFlare Family Filter and Cleanbrowsing Adult Filter return strict.bing.com
. This is the normal case on my local network until iOS 14 entered the building.
To test the issue at hand, you can search for the word “sex” and it should return nothing. If it does, iOS 14 is circumventing your DNS policies and rules, and also circumventing Cloudflare and Cleanbrowsing.
After looking into different scenarios, like problems with Cloudflare or Cleanbrowsing, I started to look at the DNS log files and saw the following:
dnsmasq[####]: 192.168.1.### query[type=65] www2.bing.com from 192.168.1.###
dnsmasq[####]: 192.168.1.### forwarded www2.bing.com to CLEANBROWSING-DNS
dnsmasq[####]: 192.168.1.### forwarded www2.bing.com to CLEANBROWSING-DNS
dnsmasq[####]: 192.168.1.### query[A] www2.bing.com from 192.168.1.###
dnsmasq[####]: 192.168.1.### cached www2.bing.com is 204.79.197.220
dnsmasq[####]: 192.168.1.### validation result is INSECURE
dnsmasq[####]: 192.168.1.### query[type=65] www2-bing-com.dual-a-0001.a-msedge.net from 192.168.1.###
dnsmasq[####]: 192.168.1.### forwarded www2-bing-com.dual-a-0001.a-msedge.net to CLEANBROWSING-DNS
dnsmasq[####]: 192.168.1.### query[A] www2-bing-com.dual-a-0001.a-msedge.net from 192.168.1.###
dnsmasq[####]: 192.168.1.### forwarded www2-bing-com.dual-a-0001.a-msedge.net to CLEANBROWSING-DNS
dnsmasq[####]: 192.168.1.### validation result is INSECURE
dnsmasq[####]: 192.168.1.### dnssec-query[DS] a-msedge.net to CLEANBROWSING-DNS
dnsmasq[####]: 192.168.1.### reply a-msedge.net is no DS
dnsmasq[####]: 192.168.1.### validation result is INSECURE
dnsmasq[####]: 192.168.1.### reply www2-bing-com.dual-a-0001.a-msedge.net is <CNAME>
dnsmasq[####]: 192.168.1.### reply dual-a-0001.a-msedge.net is 13.107.21.200 #UNRESTRICTED
dnsmasq[####]: 192.168.1.### reply dual-a-0001.a-msedge.net is 204.79.197.200 #UNRESTRICTED
Hm… what is going on here? Eureka! Apple is sending DNS queries with type set to 65, which is returning the unrestricted version of www.bing.com
.
Query Type 65 is:
HTTPS Binding: RR that improves performance for clients that need to resolve many resources to access a domain. More info in this IETF Draft by DNSOP Working group and Akamai technologies.
So when the iPhone looks up www.bing.com
with the query type set to 65 it is forwarded to Cleanbrowsing and Cloudflare which are also sending it forward, totally bypassing their filters.