macOS Sequoia 15 may bypass DNS encryption

Original link: https://www.obdev.at/blog/warning-macos-sequoia-15-may-bypass-dns-encryption/


In the recent release of Little Snitch 6.1, it was identified that a specific issue affecting DNS lookups occurred only within this software version. This problem has now been resolved in Little Snitch 6.1.1. In basic terms, when you type a website's URL (such as 'apple.com') into your web browser, the device needs to convert the human-readable name into an Internet Protocol (IP) address to establish a connection with the server. Typically, this conversion occurs without encryption, allowing Internet service providers and others observing your connection to see where you go online. By enabling DNS Encryption in Little Snitch 6, users can secure their DNS queries. However, during investigations of a DNS-related issue on macOS 15 Sequoia, it was discovered that some DNS requests, specifically those made via certain low-level legacy APIs, were escaping the DNS proxy set up by Little Snitch, so they were sent unencrypted. It's important to note that this issue potentially impacts any third-party DNS proxy, not exclusively Little Snitch. If one uses Little Snitch 6's DNS encryption feature, or relies on another third-party DNS proxy, they should bear in mind that some DNS requests might circumvent the encryption setup. Nevertheless, popular browsers like Safari and Chrome continue to benefit from encrypted DNS lookups. Firefox, meanwhile, does seem to be subject to this issue. Users who want to reproduce the problem can follow steps such as enabling DNS encryption in Little Snitch settings, starting Wireshark with a capture filter for port 53, running a short code snippet in an Xcode playground, and checking the capture for unencrypted lookups. The bug has already been reported to Apple, though no official fix date has been communicated yet. Stay informed about updates on this matter.
Despite preliminary findings suggesting that the bug has existed at least since macOS 14.5 Sonoma, additional tests are necessary to confirm its presence in earlier macOS versions. Regardless, since the issue manifests only with the DNS proxy of Little Snitch 6.1, it can be resolved through an updated release of Little Snitch 6. As of writing, the resolution has been implemented in Little Snitch 6


The problem discussed here turned out to be specific to Little Snitch 6.1 and not a general issue in macOS. It has already been fixed in Little Snitch 6.1.1.

See the end of the article for details.

When you enter a hostname in your web browser (e.g., apple.com), that name must first be translated into an IP address so your computer can connect to the server. This lookup is usually performed unencrypted, meaning your Internet provider and other parties monitoring your connection can see which sites you visit. To protect these lookups from prying eyes, Little Snitch 6 offers a new feature: DNS encryption. With DNS encryption enabled, all name lookups are routed through Little Snitch and performed in encrypted form.

For this purpose, Little Snitch registers a DNS proxy. macOS then sends all DNS requests to that proxy, which in turn performs the lookup in encrypted form. The key point here is that all requests must be routed through the proxy.

While investigating a DNS-related issue on macOS 15 Sequoia, we discovered that some DNS requests—particularly those made via certain low-level legacy APIs—were not being received by our proxy!

There appears to be a bug in macOS Sequoia causing some requests to bypass the installed DNS proxy and be sent unencrypted to the system’s default name server instead.

Note that this bug likely affects any kind of DNS proxy, not just Little Snitch.

So, if you rely on the new DNS encryption feature of Little Snitch 6, or if you are using another third-party DNS proxy, be aware that some DNS lookups may bypass the proxy until Apple provides a fix in a future macOS update.

Note: DNS lookups performed via higher-level APIs do not appear to be affected by this bug. For example, your web-browsing in Safari or Chrome still fully benefits from encrypted lookups. Firefox, on the other hand, does seem to be affected.

  1. Enable DNS encryption in Little Snitch > Settings.
  2. Start Wireshark with a capture filter for port 53.
  3. Run the following code in an Xcode playground:
import Foundation

// Resolve the test name through the legacy POSIX resolver API (getaddrinfo),
// the kind of low-level lookup that was observed bypassing the DNS proxy.
let domain = "dnsproxytest.com"
var result: UnsafeMutablePointer<addrinfo>?
let status = getaddrinfo(domain, nil, nil, &result)   // 0 on success
print("getaddrinfo(\(domain)) returned \(status)")
if let result = result { freeaddrinfo(result) }      // release the result list

You will notice that the lookup for dnsproxytest.com can be seen in Wireshark in unencrypted form on UDP port 53 (the default for unencrypted lookups).

Additionally, you will see that Little Snitch Network Monitor does not display any traffic for the lookup because the lookup completely bypasses the network filter!

We have reported this bug to Apple and hope for a fix soon. Please stay tuned, we will keep you updated here.

After further investigation, we found that this bug has already existed at least since macOS 14.5 Sonoma (maybe even earlier, but we currently don’t have access to an older 14.x system for testing).

After further investigation, we found that this bug only affects the DNS proxy of Little Snitch 6.1. It’s not a general problem of DNS proxies in macOS. We will therefore be able to fix this issue at our end and provide an updated version of Little Snitch 6 later today.

The issue has been fixed in Little Snitch 6.1.1.
