Why DNS Encryption matters.

In simple terms, DNS converts a website address into an IP address, the location of that website on the internet. It is so universal that without it you can’t have a very usable internet, or any at all depending on what you are doing. Most people don’t care about it, so they end up using whatever their ISP provides by default. There are two downsides to this. One is that your ISP can easily track which websites you visit; the other is that your internet experience can be poor if your DNS resolution isn’t fast or stable enough, or worse, your ISP can block you from using certain websites.

The Privacy Debate.

The first problem can be partly solved by using DNS over TLS or DNS over HTTPS with a third party resolver. Much of the web traffic, like logging into your email, already happens over HTTPS, which is encrypted. Sending your DNS requests over HTTPS means those requests are encrypted too, which protects you from your ISP snooping on your DNS. The debate, however, is that this third party resolver now knows all your DNS history, so the trust simply moves from your ISP to the DNS provider. Public DNS resolvers like Cloudflare seem to have a decent privacy policy, so I think it’s acceptable for the average joe to use these resolvers.
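As an added illustration (not code from this post or from PrivateDNS), here is what a single DNS over HTTPS lookup looks like in Swift following RFC 8484: the DNS query is ordinary wire format, wrapped in an HTTPS GET to Cloudflare’s public resolver endpoint, so on the wire it is indistinguishable from any other TLS connection to port 443. The response check at the end is an assumed client-side sanity check, not part of the protocol.

```swift
import Foundation
// Minimal DNS wire-format query (RFC 1035 header + one question, type A, class IN).
func dnsWireQuery(name: String) -> Data {
    var q = Data([0x00, 0x00,   // ID: RFC 8484 recommends 0 so identical queries cache well
                  0x01, 0x00,   // flags: standard query, recursion desired
                  0x00, 0x01,   // QDCOUNT = 1
                  0x00, 0x00, 0x00, 0x00, 0x00, 0x00]) // ANCOUNT, NSCOUNT, ARCOUNT = 0
    for label in name.split(separator: ".") {
        q.append(UInt8(label.utf8.count))        // length-prefixed label
        q.append(contentsOf: Array(label.utf8))
    }
    q.append(contentsOf: [0x00,                  // end of name
                          0x00, 0x01,            // QTYPE A
                          0x00, 0x01])           // QCLASS IN
    return q
}

// RFC 8484 GET form: the query is base64url-encoded without padding in the "dns"
// parameter, so the lookup is just an HTTPS request; an ISP only sees TLS to port 443.
func dohRequest(resolver: URL, query: Data) -> URLRequest {
    let b64url = query.base64EncodedString()
        .replacingOccurrences(of: "+", with: "-")
        .replacingOccurrences(of: "/", with: "_")
        .replacingOccurrences(of: "=", with: "")
    var parts = URLComponents(url: resolver, resolvingAgainstBaseURL: false)!
    parts.queryItems = [URLQueryItem(name: "dns", value: b64url)]
    var req = URLRequest(url: parts.url!)
    req.setValue("application/dns-message", forHTTPHeaderField: "Accept")
    return req
}

// Assumed client-side sanity check: the reply must echo the ID, be a response (QR=1),
// report NOERROR (RCODE=0) and carry at least one answer record.
func responseLooksValid(_ raw: Data, queryID: UInt16 = 0) -> Bool {
    let r = [UInt8](raw)
    guard r.count >= 12 else { return false }
    let id = UInt16(r[0]) << 8 | UInt16(r[1])
    let isResponse = r[2] & 0x80 != 0
    let rcode = r[3] & 0x0f
    let answers = UInt16(r[6]) << 8 | UInt16(r[7])
    return id == queryID && isResponse && rcode == 0 && answers > 0
}

// Cloudflare's public DoH endpoint; the same URL iOS 14 can be given natively.
let request = dohRequest(resolver: URL(string: "https://cloudflare-dns.com/dns-query")!,
                         query: dnsWireQuery(name: "example.com"))
URLSession.shared.dataTask(with: request) { data, _, _ in
    print(data.map { responseLooksValid($0) } ?? false)
}.resume()
```

Run as a standalone script the process needs its run loop kept alive (for example `RunLoop.main.run()`) for the callback to fire; inside an app it fires normally.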

There is, however, another alternative, and that is to resolve names yourself by querying the root DNS servers directly. Think of these servers as the master DNS records. The catch is that this can be slow even with enough caching, and it’s not practical on mobile devices unless you plan to connect your device to something you run yourself at home, which is not an option for non tech savvy folks.

Apple’s DNS over TLS and DNS over HTTPS implementation.

Before iOS 14, the only way to change the DNS settings on your iPhone or iPad was a tunneling implementation that changed your DNS and showed a VPN icon on your device. Basically this tunnel forwarded all DNS traffic to a particular DNS server while other traffic was routed as usual. Cloudflare made their own app, ‘1.1.1.1’. With iOS 14 this situation has improved to the point where using the native support makes a drastic difference, because you don’t need a tunneling service anymore. The Cloudflare app has always been flaky for me, especially on a mobile network. So after the WWDC announcement that iOS 14 would support DoT and DoH natively, I was excited to see how much of a difference it would make if my iPhone handled DNS instead of my router, pihole, stubby, unbound, dnsmasq or the several other things I tried. To be honest I was disappointed when I used a couple of free apps from the App Store, and even more disappointed that I could only find two that actually implemented this, six months after WWDC. They didn’t work as well as I thought they would, or I was missing something. I was expecting a drastic change in my browsing speed and stability but that was not the case. Was Apple’s implementation buggy?

So I will shamelessly plug an app I developed, called PrivateDNS ( https://apps.apple.com/in/app/privatedns/id1547063327 ). I actually developed it for myself because I simply couldn’t find any apps that implemented this correctly or efficiently enough to be set it and forget it. I would have to go into the app many times and reapply the DNS. I couldn’t understand this behaviour. So after buying the new Apple Silicon MacBook Air I decided to pay the $99 developer fee (required to use Network Extensions) and see what was going on myself. I wanted an app where I could set DNS over HTTPS or DNS over TLS for a provider and then not bother about it at all. Then I tested my implementation and, not surprisingly, it was significantly faster and more stable than the other apps I used. It was incredible how much faster my experience was just browsing the web.
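As an added example of how the native iOS 14 hook works (hypothetical helper code, not PrivateDNS’s source): an app stores a `NEDNSSettings` configuration through `NEDNSSettingsManager`, which needs the Network Extension entitlement the $99 developer account unlocks. Cloudflare’s resolver addresses and DoH URL are used as assumed defaults, and the `isEnabled` check is there because saving the configuration does not activate it until the user selects it in Settings.

```swift
import NetworkExtension

// Hypothetical helper, not PrivateDNS's source. Requires the entitlement
// com.apple.developer.networking.networkextension with the "dns-settings" value,
// which is only available with a paid Apple developer account.
enum EncryptedDNSProfile {
    case doh(url: URL, servers: [String])
    case dot(serverName: String, servers: [String])

    // Translate the profile into the NEDNSSettings subclass iOS 14 understands.
    func makeSettings() -> NEDNSSettings {
        switch self {
        case .doh(let url, let servers):
            let s = NEDNSOverHTTPSSettings(servers: servers)
            s.serverURL = url          // the resolver's HTTPS endpoint
            return s
        case .dot(let name, let servers):
            let s = NEDNSOverTLSSettings(servers: servers)
            s.serverName = name        // name the resolver's TLS certificate must match
            return s
        }
    }
}

// Assumed default: Cloudflare's public DoH endpoint and resolver addresses.
let cloudflareDoH = EncryptedDNSProfile.doh(
    url: URL(string: "https://cloudflare-dns.com/dns-query")!,
    servers: ["1.1.1.1", "1.0.0.1", "2606:4700:4700::1111", "2606:4700:4700::1001"])

// Save the profile system-wide. The Bool reports whether it is actually active.
func applySystemDNS(_ profile: EncryptedDNSProfile,
                    completion: @escaping (Result<Bool, Error>) -> Void) {
    let manager = NEDNSSettingsManager.shared()
    // Load first: saving on top of stale preferences is rejected by the system.
    manager.loadFromPreferences { loadError in
        if let loadError = loadError { return completion(.failure(loadError)) }
        manager.dnsSettings = profile.makeSettings()
        manager.localizedDescription = "Encrypted DNS"
        manager.saveToPreferences { saveError in
            if let saveError = saveError { return completion(.failure(saveError)) }
            // Saving installs the configuration but does not switch the device to it:
            // the user has to pick it under Settings > General > VPN & Device Management > DNS.
            // isEnabled tells the app whether that happened, so it can show a prompt rather
            // than repeatedly "reapplying" settings that were never enabled.
            completion(.success(manager.isEnabled))
        }
    }
}
```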

Why is it a better option? My take.

I live in India, and the cable ISPs here have a spider web of infrastructure on top of apartment buildings with terrible signal to noise ratios, mostly outside the DOCSIS recommended standards. Don’t even get me started on the contention ratio. There are rules for it according to TRAI, but I don’t think anyone is in compliance and there is probably no way to prove it. Until recently even the mobile network towers were connected by cable and not fiber optic. This could be better in more developed countries (it’s not necessarily), but the bottom line is that most people get two things with their home wired internet: a crappy cable connection and / or crappy network equipment provided by their ISP. When you use your WiFi router, your router basically acts as a DNS resolution endpoint. So all your DNS requests are first sent to the router. The router then forwards them to the ISP, or, if you have set it manually, to the DNS provider you chose. Your router also becomes a caching server so that repeated requests are answered locally rather than asking the DNS server every time. And your router has to do this multiple times and constantly. The problem? The routers you get generally run a really terrible implementation of some age old Linux based firmware which likely has plenty of bugs that the manufacturer is no longer interested in fixing. Also the processors in them are really slow for non routing tasks such as this. These days you get fancy ARM core routers, but you are at the mercy of the manufacturer choosing to improve the performance of your router over launching a new one six months later, after you paid hundreds of dollars for that one. I mean $700 for a home WiFi 6 mesh is insane. You can build a significantly better home network for that much that will receive updates (and with much much more reliable software and firmware) for years. But what if you don’t want to get into all this? A cheap solution?

Non tech savvy part.

The good news for the non tech savvy is that your router / ISP equipment is probably good at routing traffic (that is what it is primarily meant to do) but it can be, and probably is, crappy at software related things like DNS resolution, while your iPhone or iPad is a sophisticated device with a rock solid, stable software implementation and incredible performance potential for DNS resolution. DNS resolution runs into a lot of redirects, and your router can and will fail at handling that efficiently. Also, running a DNS server costs ISPs money because it is an actual general purpose server running a service, versus routing, which is usually done by specialized networking equipment that is incredibly fast because it has just one task: route traffic as fast as it can. I have tried a bunch of routers, from cheap $20 TPLink devices to UniFi prosumer stuff, and I find that the cheapest and probably most stable solution is to let your device handle the DNS part. I have been using my own implementation for the last 2 days on my phone. My mobile network would basically need a minute or two of refreshing and turning airplane mode on and off to get it to work; using Cloudflare DoH with iOS 14’s built in implementation has made things so much better and more stable that I can actually just unlock my phone and get a search result the first time. The iPhone is quite powerful. Most importantly, it is stable at networking.

The bottomline.

Let your iPhone / iPad handle software tasks like DNS and let your router / mobile network handle routing tasks. Also let someone big like Cloudflare handle DNS (they know what they are doing) so that your DNS is both secure and fast. Using DNS over HTTPS means your DNS traffic looks just like other web traffic, so there is less chance of it getting blocked (yes, ISPs can do that to force you to use their DNS).

For the concerned.

For those concerned about my app using private data and so on, I would like to say the following.

  • The app is open source, but if you are concerned about whether the app is really using the mentioned DNS resolver, you can use dnsleaktest.com (please use it to confirm your DNS anyway, because I have run into a few bugs as this is more like a beta right now) or use Wireshark for more detailed traffic information. I don’t know how else to prove this other than open sourcing the code (and even then what is released on the App Store is still binaries, so it’s pointless), but I am looking to add some sort of UI to show you the IP address and URLs for the DNS chosen. There is also a custom DNS setting, so if you really don’t trust my DNS list just use that and confirm your settings. I will try to simplify that page more in the future if possible.
  • My app collects no information, but your information is going to be sent to the DNS resolvers you have chosen. I think this is still better than your ISP, which you should assume is definitely tracking you.
  • It’s really a simple set it and forget it app, but I will be adding more features since I was in a hurry to release it, as I wanted to use it myself and on my family’s devices. I was just tired of everyone complaining ‘internet is slow’ or something similar.
  • If you find any bugs or have suggestions, please open issues on https://github.com/chinmaythosar/PrivateDNSDocs so that I can look into them.

Suggestion if you skipped everything

If you have a family member or non tech savvy friend, install this on their phone; by default it uses Cloudflare DoH. Switch the DNS settings to PrivateDNS and you should see far better speed / stability, especially if you use a mobile network or have an ISP supplied modem router. In general, one should just use encrypted DNS anyway. A couple of friends told me they saw a drastic difference in stability and performance, and my own devices witnessed it, so I am hoping that’s everyone’s experience as well. Thanks Apple for finally implementing it. A macOS app is in the works.