Warning: DNS encryption in Little Snitch 6.1 may occasionally fail

>so presumably there's some other low-level non-blocking call

Correct, CFNetwork is open source so you can check implementation but last I remember it used some variant like `getaddrinfo_async`. But Apple really doesn't want you (the end-user) to use getaddrinfo (or the async variant CF exposes) to resolve an IP and then directly connect() via that ip, everything is geared towards connect-by-hostname since then Apple's can internally handle the implementation of happy-eyeballs.

Edit: You can read https://www.ietf.org/proceedings/72/slides/plenaryw-6.pdf for their thoughts on why they don't like the getaddrinfo() model [there are speaker notes at the bottom of each slide]

> It's a little weird to me that getaddrinfo() is considered a "low-level legacy API"

I don't think it is considered legacy. The blog post gets that wrong.

(Whether it's "low-level" or not just depends on your perspective.)

> getaddrinfo() is the way to resolve names on Linux

Not at all. That's just a glibc function, it's got nothing to do with Linux. People just assume that glibc is how things are done in Linux user space but it doesn't have to be that way. For example, systemd came up with its own resolved mechanism which turned out to be much better than the glibc stuff. I will probably end up inventing my own at some point as well since I'm working on freestanding software targeting Linux.

> getaddrinfo() is the way to resolve names on Linux and I suspect the *BSDs.

At least on OpenBSD, all classical/standard DNS functions (getaddrinfo/gethostbyname/...) are wrappers around OpenBSD's libc asr implementation, written by Eric Faurot.

https://man.openbsd.org/man3/asr_run.3

https://github.com/openbsd/src/tree/master/lib/libc/asr

> Maybe things are drastically different on macOS, but getaddrinfo() is the way to resolve names on Linux and I suspect the *BSDs.

I'm not sure if this is the case in this case, but it might be worth noting that some system functions with the same name have drastically different internal/implementation differences between Linux/*BSD/MacOS. With there being differences between the *BSDs too.

So on some systems one function call is "the way", because its been maintained over the years, but then on another it might actually be old and not useful.

Everything in the UNIX compatibility layer is low-level in macOS. Not necessarily "legacy" though.

But this is no different than saying that, for example, calling out platform-specific native OS APIs from Java is "low-level." Which it is, from the perspective of compile-once, run-anywhere Java applets. macOS is a NeXT-compatible non-UNIX API, and you are supposed to use the macOS frameworks for everything. Calling down to BSD or even mach is definitely not what Apple wants you to do.

For quite some versions that modern networking APIs on macOS using Objective-C frameworks, starting in 2018.

See WWDC 2018's "Introducing Network.framework, A modern alternative to sockets".

NeXTSTEP might have been a UNIX, and macOS derives from it, but the whole UNIX story has always been to bring UNIX software into the platform, not to make it easier to move elsewhere.

I'll pile on, as someone who has never developed for Apple systems: What APIs are supposed to be used for DNS resolution?

  * Host file
  * Configured DNS server
  * App-specific DNS server if it exists

What "API" is there? Why doesn't an app doing system-wide DNS modifictions just modify the settings for default resolver?

Of course, Apple does not want their app to call `getaddrinfo()` directly, because it would interfere with their internal XDR/NDS/IPS mechanism.

I can’t blame them but I personally would still have my apps use them, even knowingly that it would be made off-limit to iOS/iPadOS apps … soon.

The correct term is "heirloom".

Yeah, this report seems a little spun. The essence is basically that the encrypted DNS needs to go through the proxy, and there's resolver code elsewhere in the OS that doesn't use the proxy. It's a bug, sure. It could plausibly have interesting exploits, though none are shown. But it's not a very interesting bug.

Wait until you try to get the mac address on an iphone.

Yes, things are drastically different on MacOS. There's like a whole nother level of APIs ip there

/s

Dang can we get an update to the title to reflect this?

Did they test it ever worked with getaddrinfo? Or did they just see it worked once with CFNetwork and called it a day and then later publish a blog post saying it’s broken?

It's ridiculous us developers still have to jump through hoops to save around older versions of the OS for testing. There is 0 technical reason why Apple can't let us downgrade.

Which is pretty wild too, considering they're selling the product and the new OS came out yesterday.

I can't reproduce this. Some people say it has to do with ESET: https://www.reddit.com/r/MacOS/comments/1fievr5/updating_mad...

Before Sequoia when using OpenDNS for VPN, could be on VPN and iMessage and other apps still work, but since Sequoia, when on VPN iMessage (text messages) etc no longer work. Once I disconnect to VPN all goes through. Is this related at all? Do have macOS firewall enabled. But not block all incoming connections.

After upgrading to Sequoia, I could not browse with Safari or Mozilla. What fixed it for me was to go to the DNS settings for my Wi-Fi connection, and add Google's DNS servers (8.8.8.8. and 8.8.4.4). They replaced the autofilled DNS servers that were there.

Honestly, I'm fine with that. Applications themselves should not be resolving DNS outside of what I set in settings.

The reasons applications do this is to prevent users from blocking telemetry etc. It's my computer, I should have final say on what goes out.

Devil's advocate would say: They could do this and make it look like a bug that never gets fixed in order to avoid backlash. How it gets achieved is flexible if the goal is met.

Yeah, if it was intentional, it would probably be a hard-coded, encrypted URL. Some devices are starting to do that to get around ad blocking.

If the OS allows the registration of a DNS proxy, and some calls bypass the proxy, it's squarely an OS bug.

getaddrinfo() is not a legacy API, it's a standard cross platform API for doing DNS lookups.

Apple removed support for kernel extensions, and instead added a bunch of APIs that allow to do network filtering etc in user space. Unfortunately, some of their networking code just bypasses those network filter extensions (probably because of bugs) -- this is not the first time the developers of Little Snitch publicized a bug like this.

What am I missing here? Reading the article, it appears that Firefox is the browser that seems to be bypassing.

See: https://waclaw.blog/macos-firewall-blocking-web-browsing-aft...

If disabling the firewall (for testing) solves this problem, this is likely your issue.

No this appears to be if an application registers a DNS resolver proxy on the local system, getaddrinfo doesn't use the proxy, and presumably just hits whatever the network interface's configured DNS server is.

If pihole is using DNS encryption for upstream lookups, the this would only affect you on your local network.

In other words, it would be unencrypted to the pihole but encrypted when going out to the internet.

I would believe so. I have a custom DNS profile setup that redirects a few domains to a server I run. The server has custom SSL certs issued by a private CA. I the certificate installed on iOS as a trusted root certificate.

Everytime I'm connected to my home WiFi I would randomly get `peer closed connection in SSL handshake (104: Connection reset by peer)`. I have absolutely no clue why it does this and this issue goes away when I'm connected on mobile data.

Now I'm guessing that it is bypassing the DNS profile and resolving it using my ISPs DNS or some other way.

> UPDATE: Spoke too soon… The problem discussed here turned out to be specific to Little Snitch 6.1 and not a general issue in macOS.

Not really.