Apple with iOS 14 pokes a hole in DNS filtering with query type 65

Forums Service Issues Networking, Routing, Technology Apple with iOS 14 pokes a hole in DNS filtering with query type 65

  • CleanBrowsingSweden
    November 25, 2020 at 6:13 pm

    Hi!

    I use an external DNS services like Cloudflare Family Filter and Cleanbrowsing Adult Filter for filtering out adult content. One of it’s great features is that it enforces Safe Search mode for Google, Bing and such. It has been working great on ALL my devices until I recently upgraded my iPhones to iOS 14. The other devices and computers are correctly enforcing Safe Search, but iPhones with iOS 14 have issues concerning this, especially regarding “www.bing.com”

    For example: when a device or a computer lookup “www.bing.com”, CloudFlare Family Filter and Cleanbrowsing Adult Filter return “strict.bing.com”. This is the normal case on my local network until iOS 14 entered the building.

    To test the issue at hand, you can search for the word “sex” and it should return nothing. If it does, iOS 14 is circumventing your DNS policies and rules, and also circumventing Cloudflare and Cleanbrowsing.

    After looking into different scenarios, like problems with Cloudflare or Cleanbrowsing, I started to look at the DNS log files and saw the following:

    dnsmasq[####]: 192.168.1.### query[type=65] www2.bing.com from 192.168.1.###
dnsmasq[####]: 192.168.1.### forwarded www2.bing.com to CLEANBROWSING-DNS
dnsmasq[####]: 192.168.1.### forwarded www2.bing.com to CLEANBROWSING-DNS
dnsmasq[####]: 192.168.1.### query[A] www2.bing.com from 192.168.1.###
dnsmasq[####]: 192.168.1.### cached www2.bing.com is 204.79.197.220
dnsmasq[####]: 192.168.1.### validation result is INSECURE
dnsmasq[####]: 192.168.1.### query[type=65] www2-bing-com.dual-a-0001.a-msedge.net from 192.168.1.###
dnsmasq[####]: 192.168.1.### forwarded www2-bing-com.dual-a-0001.a-msedge.net to CLEANBROWSING-DNS
dnsmasq[####]: 192.168.1.### query[A] www2-bing-com.dual-a-0001.a-msedge.net from 192.168.1.###
dnsmasq[####]: 192.168.1.### forwarded www2-bing-com.dual-a-0001.a-msedge.net to CLEANBROWSING-DNS
dnsmasq[####]: 192.168.1.### validation result is INSECURE
dnsmasq[####]: 192.168.1.### dnssec-query[DS] a-msedge.net to CLEANBROWSING-DNS
dnsmasq[####]: 192.168.1.### reply a-msedge.net is no DS
dnsmasq[####]: 192.168.1.### validation result is INSECURE
dnsmasq[####]: 192.168.1.### reply www2-bing-com.dual-a-0001.a-msedge.net is <CNAME>
dnsmasq[####]: 192.168.1.### reply dual-a-0001.a-msedge.net is 13.107.21.200  #UNRESTRICTED
dnsmasq[####]: 192.168.1.### reply dual-a-0001.a-msedge.net is 204.79.197.200 #UNRESTRICTED

    Hm… what is going on here? Eureka! Apple is sending DNS queries with type set to 65, which is returning the unrestricted version of “www.bing.com”.

    Query Type 65 is:

    HTTPS Binding: RR that improves performance for clients that
    need to resolve many resources to access a domain.
    More info in this IETF Draft by DNSOP Working
    group and Akamai technologies.

    So when the iPhone looks up “www.bing.com” with the query type set to 65 it is forwarded to Cleanbrowsing and Cloudflare which are also sending it forward, totally bypassing there filters.

Tagged: