immediately, when you visit a web site, it ’ s not merely the typical DNS
Ahost-to-ip-address record that ’ second consulted, but a brand-new
HTTPSDNS record is checked excessively. It ’ s not merely a name entry ; it ’ s a brand-new record type ( # 65 ), to go along with the more familiar
HTTPSDNS records can indicate that the locate supports HTTPS, including protocol versions and IP addresses. That way, typing in a bare domain name gives the
https://interpretation of the web site proper off, possibly even on HTTP/2 or HTTP/3, skipping the antique HTTP redirect. There ’ south evening a gulp option for sphere operators to tell your computer to bypass any local DNS settings and use a specific server for all future DNS queries involving their domain .
There are many pro-performance intentions here, and some pro-privacy ones besides.
But there is a fatal privacy and security defect in both the specification and execution : it removes the ability for users to override domain name lookups in
/etc/hosts, even when faced with actively malicious domain name operators .
To see how this is working in action :
- The translation of
digthat comes with macOS doesn ’ t directly support these fresh records, but you can see whether they exist with
$ dig -t type65 www.politico.com … ;; QUESTION SECTION: ;www.politico.com. IN TYPE65 ;; ANSWER SECTION: www.politico.com. 53806 IN CNAME www.politico.com.cdn.cloudflare.net. www.politico.com.cdn.cloudflare.net. 300 IN TYPE65 \# 58 0001000001000302683200040008681210CA681211CA000600202606 47000000000000000000681210CA2606470000000000000000006812 11CA …
- I don ’ deoxythymidine monophosphate know how to parse that, but wireshark does if I packet-capture it
Domain Name System (response) Queries www.politico.com.cdn.cloudflare.net: type HTTPS, class IN Answers www.politico.com.cdn.cloudflare.net: type HTTPS, class IN Name: www.politico.com.cdn.cloudflare.net Type: HTTPS (HTTPS Specific Service Endpoints) (65) Class: IN (0x0001) Time to live: 300 (5 minutes) Data length: 58 SvcPriority: 1 TargetName:
SvcParams SvcParam: ALPN SvcParamKey: ALPN (1) SvcParamValue length: 3 ALPN length: 2 ALPN: h2 SvcParam: IPv4 Hint SvcParamKey: IPv4 Hint (4) SvcParamValue length: 8 IP: 220.127.116.11 IP: 18.104.22.168 SvcParam: IPv6 Hint SvcParamKey: IPv6 Hint (6) SvcParamValue length: 32 IP: 2606:4700::6812:10ca IP: 2606:4700::6812:11ca
indeed that ’ s what ’ s happening :
- Safari on Big Sur can load some websites you’ve blocked in
/etc/hosts, because it gets their IP addresses from these new
- It can only do that for some sites, because most domain name operators haven’t set this up yet. It looks like Cloudflare has done this for everyone on their platform; fortunately most domain name operators, including the advertising/tracking/malware giants, haven’t caught on to this yet.
For now, you can keep using
/etc/hosts for sphere names that you amply control .
In the interim, for other domains, you have some options :
- you could run a local DNS server or firewall on your home network that blocks these requests
- you could configure a local DNS resolver daemon on your mac, and use it to
block these requests
- you could switch to a Linux distribution where a configurable local resolver daemon is the default
- you could stop using Safari, although other apps using the default macOS networking stack may continue silently bypassing
Chrome has run some trials for this but does not appear to have implemented it even. Firefox has started implementing it but doesn ’ thymine seem to have gotten besides far .