macOS 11 and iOS 14 bypasses Gateway DNS filters

I’ll link a post from another category:

HTTPSSVC (type 65) DNS queries are currently passing Gateway without filtering on Apple macOS 11 Big Sur and iOS 14 devices. Cloudflare authoritative DNS servers do reply to type 65 queries and make it possible to bypass Gateway on Cloudflare hosted domains.

If you’re a network admin and you want to avoid this then you should block DNS queries to all but Cloudflare Gateway DNS servers.

Here’s how Apple is most likely utilizing DNS record types 64 and 65:

Thanks @istenrot we’re actively working on updating Gateway to apply policies on HTTPS record types.


I believe this should now be resolved.
