macOS 11 added support for what is officially called “ Service binding and argument stipulation via the DNS ( DNS SVCB and HTTPSSV ) ” .
immediately, when you visit a web site, it ’ s not merely the typical DNS A host-to-ip-address record that ’ second consulted, but a brand-new HTTPS DNS record is checked excessively. It ’ s not merely a name entry ; it ’ s a brand-new record type ( # 65 ), to go along with the more familiar A and CNAME and MX .
These new HTTPS DNS records can indicate that the locate supports HTTPS, including protocol versions and IP addresses. That way, typing in a bare domain name gives the https:// interpretation of the web site proper off, possibly even on HTTP/2 or HTTP/3, skipping the antique HTTP redirect. There ’ south evening a gulp option for sphere operators to tell your computer to bypass any local DNS settings and use a specific server for all future DNS queries involving their domain .
There are many pro-performance intentions here, and some pro-privacy ones besides.

But there is a fatal privacy and security defect in both the specification and execution : it removes the ability for users to override domain name lookups in /etc/hosts, even when faced with actively malicious domain name operators .
To see how this is working in action :

  • The translation of dig that comes with macOS doesn ’ t directly support these fresh records, but you can see whether they exist with
    $ dig -t type65
    ;      IN  TYPE65
    ;; ANSWER SECTION:   53806   IN  CNAME 300 IN TYPE65 \# 58 0001000001000302683200040008681210CA681211CA000600202606 47000000000000000000681210CA2606470000000000000000006812 11CA
  • I don ’ deoxythymidine monophosphate know how to parse that, but wireshark does if I packet-capture it
    Domain Name System (response)
   type HTTPS, class IN
   type HTTPS, class IN
                Type: HTTPS (HTTPS Specific Service Endpoints) (65)
                Class: IN (0x0001)
                Time to live: 300 (5 minutes)
                Data length: 58
                SvcPriority: 1
                    SvcParam: ALPN
                        SvcParamKey: ALPN (1)
                        SvcParamValue length: 3
                        ALPN length: 2
                        ALPN: h2
                    SvcParam: IPv4 Hint
                        SvcParamKey: IPv4 Hint (4)
                        SvcParamValue length: 8
                    SvcParam: IPv6 Hint
                        SvcParamKey: IPv6 Hint (6)
                        SvcParamValue length: 32
                        IP: 2606:4700::6812:10ca
                        IP: 2606:4700::6812:11ca

indeed that ’ s what ’ s happening :

  1. Safari on Big Sur can load some websites you’ve blocked in /etc/hosts, because it gets their IP addresses from these new HTTPS records
  2. It can only do that for some sites, because most domain name operators haven’t set this up yet. It looks like Cloudflare has done this for everyone on their platform; fortunately most domain name operators, including the advertising/tracking/malware giants, haven’t caught on to this yet.

For now, you can keep using /etc/hosts for sphere names that you amply control .
In the interim, for other domains, you have some options :

  • you could run a local DNS server or firewall on your home network that blocks these requests
  • you could configure a local DNS resolver daemon on your mac, and use it to
    block these requests
  • you could switch to a Linux distribution where a configurable local resolver daemon is the default
  • you could stop using Safari, although other apps using the default macOS networking stack may continue silently bypassing /etc/hosts

Chrome has run some trials for this but does not appear to have implemented it even. Firefox has started implementing it but doesn ’ thymine seem to have gotten besides far .

Leave a Reply

Your email address will not be published.