Little Snitch 6 and DNS Encryption
Little Snitch 6 offers a new feature: DNS encryption. With DNS encryption enabled, all name lookups are routed through Little Snitch and performed in encrypted form.
For this purpose, Little Snitch registers a DNS proxy. macOS then sends all DNS requests to that proxy, which in turn performs the lookup in encrypted form. The key point here is that all requests must be routed through the proxy.
[…]
There appears to be a bug in macOS Sequoia causing some requests to bypass the installed DNS proxy and be sent unencrypted to the system’s default name server instead.
[…]
After further investigation, we found that this bug has already existed at least since macOS 14.5 Sonoma (maybe even earlier, but we currently don’t have access to an older 14.x system for testing).
For more on the Little Snitch 6 upgrade, see the press release, release notes, MacRumors, and TidBITS.
Previously:
- Apple Mail’s Broken “Block All Remote Content”
- Bypassing Little Snitch With Empty TCP Packets
- ContentFilterExclusionList Gone in macOS 11.2 Beta 2
- A Hole in the Wall
- Apple Apps Exempt From Network Filters and VPNs
Update (2024-09-18): Norbert Heger (Hacker News):
After further investigation, we found that this bug only affects the DNS proxy of Little Snitch 6.1. It’s not a general problem of DNS proxies in macOS.
[…]
The issue has been fixed in Little Snitch 6.1.1.
4 Comments
It looks like it's actually a LittleSnitch 6.1 specific issue that will soon be fixed (later today):
https://mastodon.obdev.at/@littlesnitch/113158053078599397
Corentin
To be clear, the DNS encryption feature was added in Little Snitch 6, back in May. And I just received an update that fixes the mentioned bug.
This feature can cause problems if you are trying to troubleshoot DNS. For example, from the command line, `dig mjtsai.com @11.22.33.44 +norecurse` should send the request to the server at `11.22.33.44`, but Little Snitch intercepts it and sends it to its configured server instead, and strips the RD flag (+norecurse).
This feature also does not show up as a “profile” — the official, but annoying, way to use DNS encryption in macOS. So it may not be obvious that your DNS is being intercepted unless you remember that you checked that box in the Little Snitch settings. With that said, the feature works great and is basically un-bypassable as far as I can tell (after applying the latest update).
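The `+norecurse` observation above suggests a simple way to tell whether something on the host is rewriting your DNS queries before they reach the wire. Per RFC 1035 a name server copies the RD bit from the query into its response, so a query sent with RD=0 that comes back with RD=1 has been altered in transit. The script below is an added example (not code from the post, the commenters, or Objective Development); the server address and query name in `probe()` are placeholders, and the sample responses are constructed inline.

```python
import socket
import struct

FLAG_QR = 0x8000  # response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available


def build_query(name: str, txid: int = 0x1234, recursion_desired: bool = False) -> bytes:
    """Minimal DNS A/IN query; RD is cleared by default, like dig +norecurse."""
    flags = FLAG_RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into the fields we care about."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "rd": bool(flags & FLAG_RD),
            "ra": bool(flags & FLAG_RA), "rcode": flags & 0x000F, "ancount": an}


def query_was_rewritten(query: bytes, response: bytes) -> bool:
    """True when a matching response carries a different RD bit than we sent.
    A proxy that re-issues the lookup with its own flags produces exactly this."""
    q, r = parse_header(query), parse_header(response)
    return r["id"] == q["id"] and r["qr"] and r["rd"] != q["rd"]


def probe(server: str, name: str = "example.com", timeout: float = 2.0) -> bool:
    """Send one RD=0 query straight to `server` (placeholder) and check the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        response, _ = s.recvfrom(512)
    return query_was_rewritten(query, response)


# Constructed sample replies (header only) for a query sent with id 0x1234, RD=0.
FAITHFUL_RESPONSE = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RA, 1, 1, 0, 0)
REWRITTEN_RESPONSE = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)

if __name__ == "__main__":
    q = build_query("example.com")
    print("faithful :", query_was_rewritten(q, FAITHFUL_RESPONSE))   # False
    print("rewritten:", query_was_rewritten(q, REWRITTEN_RESPONSE))  # True
```

A mismatched RD bit is the observable signal; the script cannot see which upstream server the proxy actually used, only that the query it put on the wire was not the one you sent.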
Updated to Version 6.1.1 this morning. Seems it was something in the app that was causing the problem.
Yes, this isn't a transparent proxy; it doesn't just forward the messages, it tampers with them. I won't use this. Run a local DNS cache on your network, or use the "official" method (config profile) to get system resolution in the OS and most apps. If you really want encrypted DNS on the move using a local DNS cache, install one (unbound, etc).