WWDC 2022: Improve DNS security for apps and servers
Why is DNS not secure?
DNS was not created with security in mind
Cache poisoning attack - DNS responders return malicious IP addresses to clients
=> DNS has no authentication mechanism to verify the integrity of a response
DNS sniffing attack - passive attacker can snoop on user's browsing sessions
=> DNS is not encrypted
DNSSEC provides authentication
Encrypted DNS provides privacy
DNSSEC
Already supported by some DNS service providers, but not as many clients
iOS 16 and macOS Ventura add client-side DNSSEC validation
DNSSEC adds digital signatures to ensure data integrity
NSEC records are used to prove which records exist at a name and that others do not (authenticated denial of existence)
To get DNSSEC support:
- Your domain must support IPv6
- Sign your domain with DNSSEC
- Set
urlSessionConfiguration.requiresDNSSECValidation = true
when creating the URLSession
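The URLSession setup above, as an added example (my code, not the session's): a session that fails the request instead of silently falling back when the hostname's DNS records cannot be validated under DNSSEC. It assumes iOS 16 / macOS Ventura or later; the Network framework flag on NWParameters is the equivalent for raw connections and is not mentioned in these notes.

```swift
import Foundation
import Network

// Added example, not Apple's session code.
// Requires iOS 16 / macOS 13 or later for requiresDNSSECValidation.
@available(iOS 16.0, macOS 13.0, *)
func makeDNSSECValidatingSession() -> URLSession {
    let configuration = URLSessionConfiguration.default
    // With this set, resolution fails (no fallback to unsigned answers) when
    // the zone is unsigned, a signature does not verify, or NSEC proofs are missing.
    configuration.requiresDNSSECValidation = true
    return URLSession(configuration: configuration)
}

@available(iOS 16.0, macOS 13.0, *)
func fetchWithDNSSEC(_ url: URL) async {
    let session = makeDNSSECValidatingSession()
    do {
        let (data, response) = try await session.data(from: url)
        let status = (response as? HTTPURLResponse)?.statusCode ?? -1
        print("HTTP \(status), \(data.count) bytes")
    } catch let error as URLError {
        // A failed DNSSEC validation surfaces here as a DNS lookup error;
        // the request never reaches an address the resolver could not prove.
        print("request failed: \(error.code) \(error.localizedDescription)")
    } catch {
        print("request failed: \(error)")
    }
}

// Same requirement for a raw TLS connection through the Network framework
// (NWParameters carries the same flag; assumption: iOS 16 / macOS 13 or later).
@available(iOS 16.0, macOS 13.0, *)
func makeDNSSECValidatingConnection(host: String, port: UInt16) -> NWConnection? {
    guard let nwPort = NWEndpoint.Port(rawValue: port) else { return nil }
    let parameters = NWParameters.tls
    parameters.requiresDNSSECValidation = true
    return NWConnection(host: NWEndpoint.Host(host), port: nwPort, using: parameters)
}

// Usage (placeholder host; the domain must be signed for the request to succeed):
// Task { await fetchWithDNSSEC(URL(string: "https://example.com/")!) }
```

Treat a DNSSEC failure like a TLS failure: log it and surface an error rather than retrying with the flag cleared, otherwise the check adds nothing.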
Encrypted DNS with DDR
DNSSEC verifies data integrity, but traffic is still vulnerable to privacy attacks that snoop on the contents of DNS requests and responses
iOS 14 and macOS Big Sur introduced encrypted DNS as opt-in
Now, iOS 16 and macOS Ventura will use encrypted DNS automatically if network supports Discovery of Designated Resolvers (DDR)
DDR is how the network (via DHCP or the router) advertises that a given DNS resolver supports encrypted DNS
Note that DDR can't turn on encrypted DNS for a DNS server with a private IP address, since private IP addresses aren't allowed in TLS certificates
For these use cases, use the DNSSettings profile to enable encrypted DNS for your private network
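The private-network case above, as an added example (my code, not the session's): instead of an MDM DNSSettings profile, the same settings can be installed programmatically from an app through NetworkExtension's DNS settings API, which I use here as an assumed equivalent. It assumes the app holds Apple's DNS settings entitlement, and the resolver address and certificate name are placeholders.

```swift
import NetworkExtension

// Added example, not from the session. Assumes the DNS settings entitlement
// is granted to the app; address and name below are placeholders.
@available(iOS 14.0, macOS 11.0, *)
func installPrivateNetworkEncryptedDNS(completion: @escaping (Error?) -> Void) {
    let manager = NEDNSSettingsManager.shared()
    manager.loadFromPreferences { loadError in
        if let loadError = loadError {
            completion(loadError)
            return
        }
        // DNS over TLS: the private IP is only the transport address; the
        // certificate is validated against serverName, so the resolver can
        // present a certificate for a public hostname it controls.
        let settings = NEDNSOverTLSSettings(servers: ["10.0.0.53"])   // placeholder address
        settings.serverName = "dns.corp.example"                        // placeholder cert name
        manager.dnsSettings = settings
        manager.localizedDescription = "Corporate encrypted DNS"
        manager.saveToPreferences { saveError in
            completion(saveError)
        }
    }
}

// Usage:
// installPrivateNetworkEncryptedDNS { error in
//     print(error.map { "failed: \($0)" } ?? "encrypted DNS installed")
// }
```

The user still has to enable the configuration in Settings after it is saved; until then the resolver is reached in the clear, so do not assume privacy just because saveToPreferences succeeded.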