Netgate Discussion Forum

iPhone: Privacy Warning
DHCP and DNS
ericafterdark

      I noticed my iPhone warns me about a privacy issue since I started using pfSense.

      Privacy Warning

      This network is blocking encrypted DNS traffic.

      The names of websites and other servers your device accesses on this network may be monitored and recorded by other devices on this network.

      My pfSense DNS configuration is pretty much default. I did not change anything so this is just the DNS Resolver at work.

      Enabling the Enable SSL/TLS Service does not seem to resolve the problem.

      Any clues?

AndyRH

        New Apple feature to encourage you to use their DNS servers, I suspect for tracking.
        All of my fruity devices have that warning. It lets me know I am not using the Apple DNS servers, but my own.
        If you get that message on an untrusted network then someone else may be tracking you. VPN time...
        In the end someone will track you.

        o||||o
        7100-1u

ericafterdark @AndyRH

          @andyrh said in iPhone: Privacy Warning:

          New Apple feature to encourage you to use their DNS servers, I suspect for tracking.
          All of my fruity devices have that warning. It lets me know I am not using the Apple DNS servers, but my own.
          If you get that message on an untrusted network then someone else may be tracking you. VPN time...
          In the end someone will track you.

          Apple has DNS servers they push to clients when you're on your own wireless network?

          I think the problem might be that the pfSense sends a private IPv4 DNS and a public IPv6 DNS address to my clients. The public one might be causing the issue I think.

AndyRH

            Yes, Apple supplies an encrypted DNS for "your privacy". There are many articles about it.
            There are several ways to break it and get that warning. They will get better at not letting it get broken.
            The same way they alter the MAC address and hose other things.

            Both have a good place and time to be used. IMHO on my trusted network is not the time or place.


johnpoz LAYER 8 Global Moderator @AndyRH

              @andyrh said in iPhone: Privacy Warning:

              IMHO on my trusted network is not the time or place.

              Exactly!! Here is my shit ipad thinking it can use apple doh servers

[image: doh.jpg]

              I resolve to a BS IP that I block and log..

[image: dohdns.jpg]

              Not shown is also my stupid iphone trying the same nonsense..

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

ericafterdark @AndyRH

                Well, I deleted the network ('forgot' as Apple calls it) and reconnected. Result: no more warning. For now I guess.

                Maybe activating SSL/TLS Service on the DNS Resolver did fix something after all.

johnpoz LAYER 8 Global Moderator @ericafterdark

                  @eirikrcoquere said in iPhone: Privacy Warning:

                  Maybe activating SSL/TLS Service on the DNS Resolver did fix something after all.

                  I don't think so - the gui would setup dot and not doh. And to point your iphone to your own server running doh or dot you would need to create a profile you load, etc.

I do believe that unbound can do doh, but I do not think setting it up is exposed in the gui.. That is for running a local dot server.. And I also believe that unbound has to be compiled with the ability "--with-libnghttp2", which I do not believe the version on pfsense has?

But unless you setup the profile you loaded on your phone, I don't see how it would point to your local unbound running on pfsense be it dot or doh. There are, I am sure, apps you could install that point your iphone to some service doing dot or doh, like cloudflare, googledns, etc. But I do not believe without loading your profile you could point to some local dot or doh server you were running. Unless there is some app I am unaware of that makes it easier than loading the profile you create.

Keep in mind there is also a difference between forwarding your unbound to a dot server, and running dot locally, or doh.. Forwarding to a dot server would not prevent your phone from showing you that privacy warning. Now it might have gone away when you forgot the network, but most likely the warning will come back if you are blocking it from talking to the apple doh server.

                  For reference
                  DOT = dns over tls which by default uses 853, but can use other ports
                  DoH = dns over https which by default uses the standard 443 port, but also can use other ports as well.

Neither of which really provide any privacy in the big picture because your isp can still see where you go via IP, and even when you go to https, until such time that encrypted sni is actually a real thing, they can see the sni you're going to in the tls handshake, etc.. So while they might not easily get your dns queries they sure know the fqdn you're going to for your https traffic, and anything in the clear, etc. So you're not really actually hiding anything from your isp in the big picture.


bingo600

                    I still have to "Block DoH" in pfSense.
                    Does anyone have a "neat" url to a "decent Recipe" ?

                    I do have this on my piHole though , and my phone vlan uses the piHole for resolving.
[image]

                    /Bingo

If you find my answer useful - Please give the post a 👍 - "thumbs up"

                    pfSense+ 23.05.1 (ZFS)

                    QOTOM-Q355G4 Quad Lan.
CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD
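A recipe of the kind bingo600 asks for, following johnpoz's approach earlier in the thread (resolve the DoH hostnames to a bogus address, then block and log whatever tries to reach it). This is an added example, not from the thread, Netgate or Unbound's own docs: the sinkhole addresses are constructed, and dns.google and cloudflare-dns.com stand in for whatever DoH endpoints you want to stop (Apple's are not named in the thread, so add them the same way). It is Unbound syntax for the DNS Resolver's Custom Options box; drop the `server:` line if your build already places the options inside the server clause.

```conf
server:
    # inform_redirect logs every query that hits the zone together with the
    # client address (so you can see which device is trying DoH), then answers
    # with the local-data below instead of the real address.
    local-zone: "dns.google." inform_redirect
    local-data: "dns.google. A 10.255.255.53"           # constructed sinkhole IPv4
    local-data: "dns.google. AAAA fd00:5348:4f4c::53"   # constructed sinkhole IPv6

    local-zone: "cloudflare-dns.com." inform_redirect
    local-data: "cloudflare-dns.com. A 10.255.255.53"
    local-data: "cloudflare-dns.com. AAAA fd00:5348:4f4c::53"

    # Answering both A and AAAA matters: the thread shows an Apple device that
    # only fell back (and warned) once its IPv6 path to the DoH server broke,
    # so leaving AAAA unanswered would let a dual-stack client slip past.

    # Alternative for a zone you simply want to disappear: NXDOMAIN instead of
    # a sinkhole. Nothing to block in the firewall then, but also no per-client
    # hit count there. Placeholder name, replace with a real DoH hostname.
    # local-zone: "doh-provider.placeholder." always_nxdomain
```

Pair it with LAN firewall rules that block and log TCP/UDP 853 (DoT) and any traffic to the sinkhole addresses. DoH clients that reach a resolver by IP literal rather than hostname never ask your Unbound anything, so they are only caught by a firewall rule on that address, not by this redirect.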

ericafterdark @johnpoz

                      @johnpoz said in iPhone: Privacy Warning:

                      @eirikrcoquere said in iPhone: Privacy Warning:

                      Maybe activating SSL/TLS Service on the DNS Resolver did fix something after all.

                      I don't think so - the gui would setup dot and not doh. And to point your iphone to your own server running doh or dot you would need to create a profile you load, etc.

I do believe that unbound can do doh, but I do not think setting it up is exposed in the gui.. That is for running a local dot server.. And I also believe that unbound has to be compiled with the ability "--with-libnghttp2", which I do not believe the version on pfsense has?

But unless you setup the profile you loaded on your phone, I don't see how it would point to your local unbound running on pfsense be it dot or doh. There are, I am sure, apps you could install that point your iphone to some service doing dot or doh, like cloudflare, googledns, etc. But I do not believe without loading your profile you could point to some local dot or doh server you were running. Unless there is some app I am unaware of that makes it easier than loading the profile you create.

Keep in mind there is also a difference between forwarding your unbound to a dot server, and running dot locally, or doh.. Forwarding to a dot server would not prevent your phone from showing you that privacy warning. Now it might have gone away when you forgot the network, but most likely the warning will come back if you are blocking it from talking to the apple doh server.

                      For reference
                      DOT = dns over tls which by default uses 853, but can use other ports
                      DoH = dns over https which by default uses the standard 443 port, but also can use other ports as well.

Neither of which really provide any privacy in the big picture because your isp can still see where you go via IP, and even when you go to https, until such time that encrypted sni is actually a real thing, they can see the sni you're going to in the tls handshake, etc.. So while they might not easily get your dns queries they sure know the fqdn you're going to for your https traffic, and anything in the clear, etc. So you're not really actually hiding anything from your isp in the big picture.

                      Ah, that is true. I am not working with profiles on my devices so I can safely disable that functionality again.

                      Still I think it is weird that Apple is displaying that warning. I have a default straight forward setup. It's not like I am filtering anything on the pfSense. It's plain old DNS Resolver at work with default settings.

johnpoz LAYER 8 Global Moderator @ericafterdark

                        @eirikrcoquere said in iPhone: Privacy Warning:

                        It's plain old DNS Resolver at work with default settings.

                        Well does that fqdn resolve? There is AAAA for it.. So maybe just having issue with your IPv6..


ericafterdark @johnpoz

                          @johnpoz said in iPhone: Privacy Warning:

                          @eirikrcoquere said in iPhone: Privacy Warning:

                          It's plain old DNS Resolver at work with default settings.

                          Well does that fqdn resolve? There is AAAA for it.. So maybe just having issue with your IPv6..

                          The pfSense pushes two DNS IPs to the clients. An IPv4 and IPv6 address. The IPv4 one is private LAN, the IPv6 is a public address. I think because that's the way my IPv6 is configured. My ISP hands out a /48 and I assign /64s. Track Interface functionality on the LAN interface.

johnpoz LAYER 8 Global Moderator @ericafterdark

                            @eirikrcoquere said in iPhone: Privacy Warning:

                            Track Interface functionality on the LAN interface.

Just a theory mind you - but your ipv6 was working.. So no warning, it could talk to its doh server. Then your IPv6 range changed. And now it can not talk to the doh server on IPv6 = warning..

                            It comes down to this - apple device can not talk to its doh servers, whatever the reason = most likely get a warning that your dns is not private.. Who cares is my point.. No shit I don't want my dns set to your servers in the freaking first place ;) hehehe


ericafterdark @johnpoz

                              @johnpoz said in iPhone: Privacy Warning:

                              @eirikrcoquere said in iPhone: Privacy Warning:

                              Track Interface functionality on the LAN interface.

Just a theory mind you - but your ipv6 was working.. So no warning, it could talk to its doh server. Then your IPv6 range changed. And now it can not talk to the doh server on IPv6 = warning..

                              That does make sense….! I’ll check and verify next time it happens and report back.

DefenderLLC

                                  This setting has to do with disabling the "Private Wi-Fi Address" setting for each Wi-Fi network your iOS, iPadOS, and watchOS devices have joined. The purpose of this feature is to mask your device's real MAC address with a randomized MAC address. This warning is just indicating that this security feature has been turned off on the selected Wi-Fi network.

                                  If you re-enable this setting (the default is enabled) on the given Wi-Fi network, then that warning will go away; however, that may cause issues if you secure your wireless network with MAC address filtering or use DHCP reservations.

                                  I personally disable this setting on my devices while on my own Wi-Fi networks.

johnpoz LAYER 8 Global Moderator @DefenderLLC

                                    @cloudified while that might be part of it.. There is a warning if you turn off private addresses, there is also another warning that can pop up about insecure dns.

                                    Which is what the user asked about

                                    This network is blocking encrypted DNS traffic.

I thought, for that encrypted dns warning at least so far (maybe something changed with the latest 16.1 ios update), you had to have some app trying to use encrypted dns to get that warning. The ios itself doesn't try and use that natively.

                                    I just looked and I for sure block doh and dot, so highly unlikely any of that is getting outbound. But all I get is the privacy warning about private wifi address is turned off.


DefenderLLC @johnpoz

                                      @johnpoz said in iPhone: Privacy Warning:

                                      @cloudified while that might be part of it.. There is a warning if you turn off private addresses, there is also another warning that can pop up about insecure dns.

                                      Which is what the user asked about

                                      This network is blocking encrypted DNS traffic.

I thought, for that encrypted dns warning at least so far (maybe something changed with the latest 16.1 ios update), you had to have some app trying to use encrypted dns to get that warning. The ios itself doesn't try and use that natively.

                                      I just looked and I for sure block doh and dot, so highly unlikely any of that is getting outbound. But all I get is the privacy warning about private wifi address is turned off.

                                      There have been no changes in any of the iOS 16 or 16.1 developer beta notes about checking for DNS encryption that I can recall.

johnpoz LAYER 8 Global Moderator @DefenderLLC

                                        @cloudified here is the warning the OP was talking about.

                                        https://developer.apple.com/forums/thread/661116

[image: encrypted.jpg]

                                        If you google you will find lots of people complaining/asking about it - how to make it go away, etc.


DefenderLLC @johnpoz

                                          @johnpoz said in iPhone: Privacy Warning:

                                          @cloudified here is the warning the OP was talking about.

                                          https://developer.apple.com/forums/thread/661116

                                          I just read the release notes, so I didn't see this forum post until now, so thanks for sharing it.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.