Breaking Down Apple's Shift to Encrypted DNS

Apple recently announced plans to support encrypted DNS communications across iOS and macOS devices this fall, signaling a big win for fans of privacy and security. 

“Awesome! But what the heck are encrypted DNS communications?”

Glad you asked, friend. We’ll do our best to break this down for you in words you may understand.

DNS stands for Domain Name System, often described as the phonebook of the internet. A phonebook is a giant… sorry, kids, no time to explain. 

Now, when you access a website on the internet, you often type the domain name, like beaconcloudsolutions.com. But the network underneath your browser routes traffic by Internet Protocol (IP) address, a string of numbers (and, in IPv6, hexadecimal letters) that can look something like this:

2400:cb00:2048:1::c629:d7a2 (in IPv6). 

Try memorizing that. Go ahead. We’ll wait. 

In essence, IP addresses are computer-friendly language, while domain names are people-friendly language. A DNS server takes people-friendly language and converts it into computer-friendly language, relieving you of any of the complex burden you might otherwise endure just to access photos of your friend’s dog on Facebook. 

When you type a domain name into your web browser, your device sends a query to a DNS server (a resolver, usually the one handed out by whatever network you're on) asking for the IP address that goes with that name. If the lookup succeeds, the resolver returns the address and your browser connects to it without a hitch. 

Still with me? Good.

Herein lies the problem: Traditionally, your conversations with a DNS server travel in plaintext over UDP or TCP port 53, with no encryption and nothing that proves the answer came from the server you asked. 

This means that other devices (i.e. other people) on your network, and every network between you and the resolver, including your internet service provider, can read which domain names you're looking up. Apple also points out that those same devices can tamper with the answers, handing your device a different IP address than the real one for the name you typed. 

That may not be such a big issue if you happen to trust those within your network, particularly if that network exists within your home (even though the DNS query still leaves your home and crosses your ISP's network on its way to the resolver). But what if you're not at home? OK, we know you're home a lot right now, but what if you, hypothetically speaking, live in a pandemic-free world and you decide to brave the waters of public Wi-Fi? Suddenly that dude sitting two tables to your left may be more than just "eats tuna fish sandwich in public" guy; you may view him as a potential cyber threat. He may be tracking your internet usage. 

Or maybe he’s just, you know, catching up on email while he enjoys his sandwich. Perhaps he’s not a cyber threat as much as he is an odorous one.


Apple wants you to feel safe so you can stop mean-mugging strangers at your local cafe. 

It wants to fix that with encrypted DNS, meaning it wants to secure all of your interactions with a DNS server so that it becomes much, much harder for "eats tuna fish sandwich in public" guy or even "forgot her headphones at home but still listens to music in otherwise quiet spaces" lady to see which sites you're looking up. Should you find yourself using public Wi-Fi that features a questionable DNS server, Apple says its upcoming operating systems will let you bypass the network's default DNS server and send your queries, encrypted, to one that you trust. 

Apple will notify its users whenever they are on a wireless network that is blocking encrypted DNS traffic, noting that “connections and apps will fail rather than compromise your privacy.” 

It’s worth noting that this isn’t necessarily anything new. Microsoft (Edge and Windows 10), Google (Chrome), and Mozilla (Firefox) all recently unveiled plans for encrypted DNS to boost user privacy. Apple is joining the movement, announcing plans for encrypted DNS over TLS (DoT) and DNS over HTTPS (DoH) in its upcoming operating systems for iPhones, iPads, and Mac computers. 

Now, before you decide to submit to the darkness that soon follows an avalanche of acronyms, just know that DoT and DoH are similar, but not identical methods of encrypting DNS communications. 

DoT and DoH both encrypt the query and the answer; the difference is how they travel. DoT runs on its own port (853), so a network administrator can see that encrypted DNS is in use and can monitor for it, steer it to an approved resolver, or block it, which is why some consider it the better fit for managed networks. DoH wraps the same messages inside ordinary HTTPS on port 443, so they look like any other web traffic. That reduces the amount of visibility network administrators have, but it is also harder for a hostile network to single out and block, which enhances overall user privacy. One caveat either way: encrypted DNS hides the name lookup, not the connection that follows it. The IP address you then connect to, and in most cases the server name in the TLS handshake (SNI), are still visible to the network.  
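To make the plaintext problem and the two encrypted transports concrete, here is an added example in Python. It is not code from Apple or from the original post. It builds the exact bytes a device sends for a lookup, shows what a bystander on the path can read out of them and how easily a forged answer is produced, and then frames the same message the way DoT (RFC 7858) and DoH (RFC 8484) carry it. The domain being looked up and the attacker-chosen address 203.0.113.7 are constructed sample input; nothing here talks to a real resolver.

```python
# Added example, not code from Apple or from the original post: what a DNS
# query looks like on the wire, why a bystander can read and forge it, and how
# the same bytes are framed for DoT (RFC 7858) and DoH (RFC 8484).
# Everything runs offline; no packet is sent to a real resolver.
import base64
import struct

HEADER = "!HHHHHH"  # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
QTYPE_A, CLASS_IN = 1, 1


def build_query(name: str, txid: int = 0x1234, qtype: int = QTYPE_A) -> bytes:
    """Encode an RFC 1035 query, exactly the payload a stub resolver sends to UDP port 53."""
    header = struct.pack(HEADER, txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = recursion desired
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, CLASS_IN)


def read_name(packet: bytes, offset: int):
    """Decode an uncompressed label sequence; returns (name, offset past the terminator)."""
    labels = []
    while packet[offset] != 0:
        length = packet[offset]
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), offset + 1


def observer_view(udp_payload: bytes) -> dict:
    """What anyone on the path sees in a plaintext port-53 packet: no key
    required, the hostname is simply there in the bytes."""
    txid = struct.unpack("!H", udp_payload[:2])[0]
    name, off = read_name(udp_payload, 12)
    qtype, qclass = struct.unpack("!HH", udp_payload[off:off + 4])
    return {"txid": txid, "name": name, "qtype": qtype, "qclass": qclass}


def forge_answer(query: bytes, ip: str) -> bytes:
    """Why tampering is easy: a device that can see the query can answer it
    first, echoing the transaction ID and question and attaching any IPv4 it likes."""
    txid = struct.unpack("!H", query[:2])[0]
    _, off = read_name(query, 12)
    question = query[12:off + 4]
    header = struct.pack(HEADER, txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA, no error
    # Answer RR: name pointer to offset 12 (0xC00C), type A, class IN, TTL 60, 4-byte RDATA
    rr = struct.pack("!HHHIH", 0xC00C, QTYPE_A, CLASS_IN, 60, 4)
    return header + question + rr + bytes(int(o) for o in ip.split("."))


def first_a_record(response: bytes) -> str:
    """Extract the IPv4 address from the first answer; a client with no way to
    authenticate the response will happily use whatever is here."""
    _, off = read_name(response, 12)
    off += 4  # skip QTYPE and QCLASS; the answer RR begins here
    rdlength = struct.unpack("!H", response[off + 10:off + 12])[0]  # after name ptr, type, class, TTL
    rdata = response[off + 12:off + 12 + rdlength]
    return ".".join(str(b) for b in rdata)


def dot_frame(query: bytes) -> bytes:
    """DoT: the unchanged message with a two-byte length prefix, carried inside TLS to port 853."""
    return struct.pack("!H", len(query)) + query


def doh_get_path(query: bytes) -> str:
    """DoH GET: the message base64url-encoded without padding in the dns= parameter."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return "/dns-query?dns=" + encoded


def doh_decode_get(path: str) -> bytes:
    """The server's side of the GET form: recover the original message."""
    encoded = path.split("dns=", 1)[1]
    return base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))


def doh_post(query: bytes) -> dict:
    """DoH POST: the raw message as the HTTPS body, typed application/dns-message."""
    return {"method": "POST", "path": "/dns-query",
            "headers": {"Content-Type": "application/dns-message",
                        "Accept": "application/dns-message"},
            "body": query}


if __name__ == "__main__":
    q = build_query("beaconcloudsolutions.com")  # constructed sample lookup
    print("plaintext UDP/53 as seen on the path:", observer_view(q))
    forged = forge_answer(q, "203.0.113.7")       # attacker-chosen documentation address
    print("forged answer points the client at:", first_a_record(forged))
    print("DoT frame before TLS:", dot_frame(q).hex())
    print("DoH GET request line:", doh_get_path(q))
    print("DoH POST body length:", len(doh_post(q)["body"]))
```

The point to notice is that the DNS message itself never changes: DoT and DoH add no new fields, they only put the existing bytes inside a TLS session (with a length prefix) or an HTTPS request, so the only thing an on-path observer gains or loses is the ability to read and replace them.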

Apple is also extending the feature to developers: an app can install a system-wide encrypted DNS configuration (the sort of thing a VPN or security app would ship), or opt its own connections into encrypted resolution, using either DoT or DoH. 
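For administrators rather than app developers, the same "use a resolver you trust" setting can be pushed as a configuration profile. The following is an added example, not Apple's code or the original post's, that generates such a profile in Python. It assumes the payload keys of Apple's DNSSettings payload (PayloadType com.apple.dnsSettings.managed with a DNSSettings dictionary carrying DNSProtocol, ServerURL or ServerName, and ServerAddresses, plus ProhibitDisablement) as documented in Apple's device management reference; the resolver URL https://doh.example/dns-query, the host dot.example, the IP addresses and the com.example payload identifiers are placeholders to replace with your own.

```python
# Added example, not Apple's code or the original post's: generate a
# configuration profile (.mobileconfig) that pins an iOS 14 / macOS 11 device
# to an encrypted resolver the administrator trusts. Payload keys follow Apple's
# DNSSettings payload (PayloadType com.apple.dnsSettings.managed); the resolver
# hostnames, addresses and identifiers below are placeholders, not real servers.
import plistlib
import uuid

DOH_URL = "https://doh.example/dns-query"          # placeholder DoH URL template
DOT_HOST = "dot.example"                            # placeholder DoT server name
SERVER_IPS = ["203.0.113.53", "2001:db8::53"]       # documentation addresses


def dns_settings(protocol: str) -> dict:
    """DNSSettings dictionary for DoH ("HTTPS") or DoT ("TLS"). Listing the
    resolver's IPs lets the device reach it without a plaintext bootstrap lookup."""
    if protocol == "HTTPS":
        return {"DNSProtocol": "HTTPS", "ServerURL": DOH_URL, "ServerAddresses": SERVER_IPS}
    if protocol == "TLS":
        return {"DNSProtocol": "TLS", "ServerName": DOT_HOST, "ServerAddresses": SERVER_IPS}
    raise ValueError("DNSProtocol must be HTTPS or TLS; plaintext is not an option here")


def build_profile(protocol: str, prohibit_disablement: bool = True) -> dict:
    """Wrap one DNS payload in a top-level Configuration profile."""
    payload = {
        "PayloadType": "com.apple.dnsSettings.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.encrypted-dns.payload",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Encrypted DNS ({protocol})",
        "DNSSettings": dns_settings(protocol),
        # Keeps the user from switching the encrypted resolver off on managed devices.
        "ProhibitDisablement": prohibit_disablement,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.encrypted-dns",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Encrypted DNS",
        "PayloadContent": [payload],
    }


def to_mobileconfig(profile: dict) -> bytes:
    """Serialize to the XML plist that Apple devices install."""
    return plistlib.dumps(profile)


def from_mobileconfig(data: bytes) -> dict:
    """Parse a profile back, e.g. to audit which resolver a device is about to trust."""
    return plistlib.loads(data)


if __name__ == "__main__":
    print(to_mobileconfig(build_profile("HTTPS")).decode())
```

Run it and pipe the output to a .mobileconfig file to inspect the plist; before deploying, check the key names against Apple's current DNSSettings payload reference, and remember that a profile like this only protects the lookup, so the resolver you choose is now the party that sees every name your devices ask for.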

To recap: Apple is improving its platform in a big way, and its users should rejoice.

iOS 14 and macOS 11 are due out this fall.