Warning: DNS encryption in Little Snitch 6.1 may occasionally fail
UPDATE: Spoke too soon…
The problem discussed here turned out to be specific to Little Snitch 6.1 and not a general issue in macOS. It has already been fixed in Little Snitch 6.1.1.
See the end of the article for details.
DNS Encryption 101
When you enter a hostname in your web browser (e.g., apple.com), that name must first be translated into an IP address so your computer can connect to the server. This lookup is usually performed unencrypted, meaning your Internet provider and other parties monitoring your connection can see which sites you visit. To protect these lookups from prying eyes, Little Snitch 6 offers a new feature: DNS encryption. With DNS encryption enabled, all name lookups are routed through Little Snitch and performed in encrypted form.
For this purpose, Little Snitch registers a DNS proxy. macOS then sends all DNS requests to that proxy, which in turn performs the lookup in encrypted form. The key point here is that all requests must be routed through the proxy.
But…
While investigating a DNS-related issue on macOS 15 Sequoia, we discovered that some DNS requests—particularly those made via certain low-level legacy APIs—were not being received by our proxy!
There appears to be a bug in macOS Sequoia causing some requests to bypass the installed DNS proxy and be sent unencrypted to the system’s default name server instead.
Note that this bug likely affects any kind of DNS proxy, not just Little Snitch.
So, if you rely on the new DNS encryption feature of Little Snitch 6, or if you are using another third-party DNS proxy, be aware that some DNS lookups may bypass the proxy until Apple provides a fix in a future macOS update.
Note: DNS lookups performed via higher-level APIs do not appear to be affected by this bug. For example, your web-browsing in Safari or Chrome still fully benefits from encrypted lookups. Firefox, on the other hand, does seem to be affected.
How to Reproduce
- Enable DNS encryption in Little Snitch > Settings.
- Start Wireshark with a capture filter for
port 53
. - Run the following code in an Xcode playground:
import Foundation
let domain = "dnsproxytest.com"
var result: UnsafeMutablePointer<addrinfo>?
let status = getaddrinfo(domain, nil, nil, & result)
You will notice that the lookup for dnsproxytest.com
can be seen in Wireshark in unencrypted form on UDP port 53 (the default for unencrypted lookups).
Additionally, you will see that Little Snitch Network Monitor does not display any traffic for the lookup because the lookup completely bypasses the network filter!
We have reported this bug to Apple and hope for a fix soon. Please stay tuned, we will keep you updated here.
Update 2024-09-17, 19:10
After further investigation, we found that this bug has already existed at least since macOS 14.5 Sonoma (maybe even earlier, but we currently don’t have access to an older 14.x system for testing).
Update 2024-09-18, 12:05
After further investigation, we found that this bug only affects the DNS proxy of Little Snitch 6.1. It’s not a general problem of DNS proxies in macOS. We will therefore be able to fix this issue at our end and provide an updated version of Little Snitch 6 later today.
Update 2024-09-18, 15:52
The issue has been fixed in Little Snitch 6.1.1.