https://www.obdev.at/blog/warning-macos-sequoia-15-may-bypass-dns-encryption/ [ ] Products [lit]Little Snitch [lit]Little Snitch Mini [mic]Micro Snitch [lau]LaunchBar [iap]Internet Access Policy Viewer More Products Shop Support Blog [ ] Blog Overview Archive Menu Warning: macOS Sequoia 15 may bypass DNS encryption NorbertNorbert on Little Snitch, Security -- September 17, 2024 [nhi5-DNS] DNS Encryption 101 When you enter a hostname in your web browser (e.g., apple.com), that name must first be translated into an IP address so your computer can connect to the server. This lookup is usually performed unencrypted, meaning your Internet provider and other parties monitoring your connection can see which sites you visit. To protect these lookups from prying eyes, Little Snitch 6 offers a new feature: DNS encryption. With DNS encryption enabled, all name lookups are routed through Little Snitch and performed in encrypted form. For this purpose, Little Snitch registers a DNS proxy. macOS then sends all DNS requests to that proxy, which in turn performs the lookup in encrypted form. The key point here is that all requests must be routed through the proxy. But... While investigating a DNS-related issue on macOS 15 Sequoia, we discovered that some DNS requests--particularly those made via certain low-level legacy APIs--were not being received by our proxy! There appears to be a bug in macOS Sequoia causing some requests to bypass the installed DNS proxy and be sent unencrypted to the system's default name server instead. Note that this bug likely affects any kind of DNS proxy, not just Little Snitch. So, if you rely on the new DNS encryption feature of Little Snitch 6, or if you are using another third-party DNS proxy, be aware that some DNS lookups may bypass the proxy until Apple provides a fix in a future macOS update. Note: DNS lookups performed via higher-level APIs do not appear to be affected by this bug. For example, your web-browsing in Safari or Chrome still fully benefits from encrypted lookups. Firefox, on the other hand, does seem to be affected. How to Reproduce 1. Enable DNS encryption in Little Snitch > Settings. 2. Start Wireshark with a capture filter for port 53. 3. Run the following code in an Xcode playground: import Foundation let domain = "dnsproxytest.com" var result: UnsafeMutablePointer? let status = getaddrinfo(domain, nil, nil, & result) You will notice that the lookup for dnsproxytest.com can be seen in Wireshark in unencrypted form on UDP port 53 (the default for unencrypted lookups). Additionally, you will see that Little Snitch Network Monitor does not display any traffic for the lookup because the lookup completely bypasses the network filter! We have reported this bug to Apple and hope for a fix soon. Please stay tuned, we will keep you updated here. Update 2024-09-17, 7:10 p.m. After further investigation, we found that this bug has already existed at least since macOS 14.5 Sonoma (maybe even earlier, but we currently don't have access to an older 14.x system for testing). Little Snitch Features What's New Download Release Notes Upgrade Little Snitch Mini Features Compare Other Products LaunchBar Micro Snitch IAP Viewer Resources Internet Access Policy Blog Support Contact Us Lost License Resources Internet Access Policy Blog Support Contact Us Lost License Company About Us Press Privacy Policy Terms Little Snitch LaunchBar (c) 2024 Objective Development Software GmbH EnglishDeutsch