Encrypted DNS: A Double Edged Sword

I upgraded to iOS 14 and now my LAN’s DNS based ad blocking is less effective.


Inspired by Blokada, I’ve been running DNS based ad and tracker blocking on my home router. This has been pretty effective.

I have my phone configured so that if I am away from my local WiFi network it will automatically connect to my home via VPN. In addition to giving me privacy when connected to the WiFi at the local coffee shop, it means I am using my home DNS server with its ad and tracker blocking. Yep. I am still cheap frugal and try to save from spending money on mobile data by using public WiFi.

The iOS app ecosystem is heavily ad based. Where possible, I have been using open source apps (find them on places like GitHub then look for the app in the iOS app store). But they are few and far between. It is either buy the app or have an ad supported app (or in a few cases buy the app but still be subject to ads).

I have no objections to paying for someone’s work. But I don’t want to buy a bunch of apps that purport to do the same thing just to find the one that I like best.

It seems most app review sites are simply rehashes of the descriptions found on the iOS app store so they are of no use. I suspect they are simply click bait.

The concept of a trial period doesn’t seem to exist for many app creators. So downloading and trying a bunch of apps will cost you more than just the price of the app you finally decide to keep.

Having a reasonable ad blocker let me avoid some work: Just use the ad based app without the ads. Until now.

iOS 14 Broke My Ad blocking

On some apps my ad blocking is no longer effective with the upgrade to iOS 14. I am not entirely sure what the reason is for this and my investigation is continuing.

As mentioned above, I am not adverse to paying for an app if it suits my needs. So my first step was to try to upgrade the couple of offending apps from ad based to a paid version. But I found this was not option for two of them.

So my second step was to try to find alternative apps that were or could be made ad free. But I wasn’t able to. Come on guys, if you have a paid app allow for a short free evaluation period!

Initial Investigation

Checking My DNS Logs

I actually hadn’t bothered to look at the DNS queries being handled by my router. I’d found that Energized Blu list of domains to block did what I wanted. Since it worked I didn’t bother with the effort of looking at the details. But no longer.

I enabled DNS logging on the router and was appalled by the number of ad and tracker looking DNS queries that were not being blocked. A simple off line shopping list app was looking up three different analytics domains and two ad domains. A “offline” Sudoku game app was looking up over 100 domains. And most of them were not being blocked by the Energized Blu domain list.

Updating my local block list got the shopping app behaving better but not the Sudoku app. Time to do some reading.

iOS 14 And DNS

Apple has introduced native DNS over TLS (DoT) and DNS over HTTPS (DoH) in iOS 14. In general, this is considered a good thing. And you can enable it on the whole phone if you like. Or you can set up and deploy a configuration for it to your phone. This is, I think, similar to what I currently do for setting up the phone for my VPN: I have created a .mobileconfig file with the VPN information and simply put it on the phone.

Not much need for DoT or DoH for any app or device at my home or on my VPN: My home router uses DoT when resolving requests. So it doesn’t matter to me if a device or app uses old fashioned DNS, my router will handle the request and the outside world (i.e. my cable Internet provider) won’t see anything as it will be TLS by the time it leaves my house.

Initial Suspicions

I suspect that there were some app updates that coincided with the iOS upgrade and those app updates meant the apps were accessing domains not blocked by Energized Blu.

I am certainly seeing DNS requests from the phone when those apps are running which implies they are not using DoH. But blocking the domains the apps are using is not 100% effective: They seem to be accessing some things unseen by my DNS server.

Maybe a library they are using has been upgraded to use DoH. That would account for some DNS lookups being invisible to my router. And for the onset of ads to be simultaneous with the operating system upgrade.

The Double Edged Sword

In looking into what Apple was doing different in iOS 14 that might affect my DNS based ad and tracker blocking I came across a video where the capabilities were described: An app developer can now create a “DNS security context” for their app or for any given set of Internet connections their app sets up.

I think DoT can be blocked as it has a dedicated port but DoH could be a bit harder to block.

The problem with this from my point of view is that an app can use DoH to bypass my DNS server. And, for that matter, a library (Facebook, Google analytics, etc.) used by the app developer can also use DoH which will make blocking trackers much harder.

I think by giving app and app library developers the ability to use their own specified DoH server Apple has actually reduced the privacy and security of the end user. It will make blocking trackers harder. After all, you can’t block all HTTPS connections. And, at least with home consumer grade routers, you can’t do deep packet inspections to the level needed to detect a DoH request from a web page request.

A Possible Mitigation

I believe DoH relies on a normal DNS query to get the address of the DoH server. It may be possible to block the DoH server’s domain which would then block the app from using DoH. I will need to see if that breaks things horribly or simply causes the phone and app to revert to using old fashioned DNS.