Saurabh 😎

WWDC 2022: Improve DNS security for apps and servers

Why is DNS not secure?

DNS was not created with security in mind

Cache poisoning attack - a resolver is tricked into caching forged records, so it returns attacker-chosen IP addresses to clients
=> DNS has no authentication mechanism for verifying the integrity of a response

DNS sniffing attack - a passive attacker on the path can watch a user's browsing sessions just from the names being looked up
=> DNS is not encrypted

DNSSEC provides authentication
Encrypted DNS provides privacy

DNSSEC

Already supported by some DNS service providers (zones are signed and resolvers validate), but by far fewer clients, which simply trust whatever the resolver returns

iOS 16 and macOS Ventura add client-side DNSSEC validation

DNSSEC adds digital signatures to DNS records so that a validating client can check the data has not been altered

NSEC records are used to prove which names and record types exist in a zone and, by covering the gaps between them, to prove that a queried name or type does not exist
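The following is an added example (not code from the WWDC session or from these notes) showing the name-ordering step a DNSSEC validator performs with NSEC records: given a signed NSEC chain for a zone, decide whether a queried name falls in a gap (and so does not exist) or, for a name that does exist, whether a given record type is present. The zone `example.com.` and its three names are constructed sample data; RRSIG verification of the NSEC records is assumed to have already succeeded, and wildcard handling is deliberately left out.

```python
"""
Added example, not part of the original notes: NSEC "cover" check.
A validator uses this logic to accept an NXDOMAIN or NODATA answer only
when the zone's own signed NSEC chain proves the gap. Sample zone data
below is constructed for illustration.
"""

def canonical_key(name: str) -> tuple:
    """Map a domain name to a key that sorts in DNSSEC canonical order
    (RFC 4034 section 6.1): labels are compared from the root outward,
    case-insensitively, and a parent name sorts before its children."""
    labels = [label.lower() for label in name.rstrip(".").split(".") if label]
    return tuple(reversed(labels))


def nsec_covers(owner: str, next_name: str, qname: str, apex: str) -> bool:
    """True if the NSEC record owner -> next_name proves qname is absent.
    The last NSEC in a zone wraps around: its next name is the zone apex
    and it covers everything that sorts after its owner."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if n == canonical_key(apex) and n <= o:   # wraparound record at end of chain
        return q > o
    return o < q < n


def prove_nonexistence(nsec_chain, qname: str, apex: str):
    """Return the (owner, next) pair of the NSEC that covers qname, or None
    if no record in the chain proves nonexistence (e.g. the name exists)."""
    for owner, next_name, _types in nsec_chain:
        if nsec_covers(owner, next_name, qname, apex):
            return (owner, next_name)
    return None


def type_exists(nsec_chain, name: str, rrtype: str):
    """NSEC also lists the record types present at an existing name, so a
    NODATA answer can be checked against the type bitmap. Returns True or
    False for a name in the chain, None if the name is not an NSEC owner."""
    for owner, _next_name, types in nsec_chain:
        if canonical_key(owner) == canonical_key(name):
            return rrtype in types
    return None


# Constructed sample chain for the zone "example.com." with three names.
# Each entry: (owner, next owner in canonical order, types present at owner)
SAMPLE_APEX = "example.com."
SAMPLE_NSEC_CHAIN = [
    ("example.com.",     "api.example.com.", ["A", "NS", "SOA", "DNSKEY", "RRSIG", "NSEC"]),
    ("api.example.com.", "www.example.com.", ["A", "AAAA", "RRSIG", "NSEC"]),
    ("www.example.com.", "example.com.",     ["A", "RRSIG", "NSEC"]),
]

if __name__ == "__main__":
    for q in ["mail.example.com.", "zzz.example.com.", "www.example.com.", "Sub.API.example.com."]:
        print(q, "->", prove_nonexistence(SAMPLE_NSEC_CHAIN, q, SAMPLE_APEX))
    print("AAAA at www:", type_exists(SAMPLE_NSEC_CHAIN, "www.example.com.", "AAAA"))
```

The wraparound case is the one that real validators most often get wrong: the final NSEC's next name sorts before its owner, so a plain `owner < qname < next` comparison would never match names that sort after the last owner.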

To get DNSSEC support:

Encrypted DNS with DDR

DNSSEC verifies data integrity, but a passive observer can still read every DNS request and response on the wire, so it does nothing for privacy

iOS 14 and macOS Big Sur introduced encrypted DNS as opt-in

Now, iOS 16 and macOS Ventura use encrypted DNS automatically when the network supports Discovery of Designated Resolvers (DDR)

DDR is how a DNS resolver handed out by DHCP or the router advertises that it supports encrypted DNS, so the client can upgrade without any manual configuration

Note that DDR can't upgrade to encrypted DNS automatically if the DNS server has a private IP address, since private IP addresses aren't allowed in (publicly trusted) TLS certificates and the client therefore can't verify that the encrypted resolver is the one it was told about
For these use cases, use the DNSSettings profile to enable encrypted DNS for your private network explicitly