macOS 11 added documentation for what is formally called “ Service constipate and argument specification via the DNS ( DNS SVCB and HTTPSSV ) ” .
now, when you visit a web site, it ’ s not just the distinctive DNS A host-to-ip-address record that ’ s consulted, but a brand-new HTTPS DNS phonograph record is checked excessively. It ’ s not equitable a name entry ; it ’ s a brand-new record type ( # 65 ), to go along with the more familiar A and CNAME and MX .
These fresh HTTPS DNS records can indicate that the web site supports HTTPS, including protocol versions and IP addresses. That way, typing in a bare sphere name gives the https:// adaptation of the web site right away, possibly even on HTTP/2 or HTTP/3, skipping the antique HTTP redirect. There ’ south even a draft choice for sphere operators to tell your calculator to bypass any local DNS settings and use a specific server for all future DNS queries involving their knowledge domain .
There are many pro-performance intentions here, and some pro-privacy ones besides.

But there is a fatal privacy and security flaw in both the stipulation and execution : it removes the ability for users to override domain name lookups in /etc/hosts, even when faced with actively malicious domain name operators .
To see how this is working in action :

  • The version of dig that comes with macOS doesn ’ t directly support these newly records, but you can see whether they exist with
    $ dig -t type65
    ;      IN  TYPE65
    ;; ANSWER SECTION:   53806   IN  CNAME 300 IN TYPE65 \# 58 0001000001000302683200040008681210CA681211CA000600202606 47000000000000000000681210CA2606470000000000000000006812 11CA
  • I don ’ thymine know how to parse that, but wireshark does if I packet-capture it
    Domain Name System (response)
   type HTTPS, class IN
   type HTTPS, class IN
                Type: HTTPS (HTTPS Specific Service Endpoints) (65)
                Class: IN (0x0001)
                Time to live: 300 (5 minutes)
                Data length: 58
                SvcPriority: 1
                    SvcParam: ALPN
                        SvcParamKey: ALPN (1)
                        SvcParamValue length: 3
                        ALPN length: 2
                        ALPN: h2
                    SvcParam: IPv4 Hint
                        SvcParamKey: IPv4 Hint (4)
                        SvcParamValue length: 8
                    SvcParam: IPv6 Hint
                        SvcParamKey: IPv6 Hint (6)
                        SvcParamValue length: 32
                        IP: 2606:4700::6812:10ca
                        IP: 2606:4700::6812:11ca

indeed that ’ s what ’ s happening :

  1. Safari on Big Sur can load some websites you’ve blocked in /etc/hosts, because it gets their IP addresses from these new HTTPS records
  2. It can only do that for some sites, because most domain name operators haven’t set this up yet. It looks like Cloudflare has done this for everyone on their platform; fortunately most domain name operators, including the advertising/tracking/malware giants, haven’t caught on to this yet.

For now, you can keep using /etc/hosts for knowledge domain names that you amply control .
In the meanwhile, for early domains, you have some options :

  • you could run a local DNS server or firewall on your home network that blocks these requests
  • you could configure a local DNS resolver daemon on your mac, and use it to
    block these requests
  • you could switch to a Linux distribution where a configurable local resolver daemon is the default
  • you could stop using Safari, although other apps using the default macOS networking stack may continue silently bypassing /etc/hosts

Chrome has run some trials for this but does not appear to have implemented it yet. Firefox has started implementing it but doesn ’ deoxythymidine monophosphate seem to have gotten excessively far .

informant :
Category : Website hosting

Leave a Reply

Your email address will not be published.