Apple’s Safari will take advantage later this year of new encryption technology that protects an important type of network communication called DNS. It’s part of a broader movement to build privacy into internet technology like email and the web that initially sent sensitive data unprotected.
DNS, short for Domain Name System, looks up the numeric internet addresses needed to communicate with online sites we know by human-readable names like cnet.com or wikipedia.org. Loading a website, checking email and many other online activities perform many DNS lookups, but typically they’re not protected with encryption.
Chrome and Firefox add that protection with a standard called DOH, or “DNS over HTTPS,” which carries DNS queries inside ordinary encrypted web traffic. Apple is embracing the same technology but is enabling it in the operating system rather than in the browser. Apple also is offering a related approach called DOT, or DNS over TLS, which sends DNS queries directly over TLS, the encryption layer that HTTPS itself is built on.
With iOS 14, iPadOS 14 and MacOS Big Sur arriving later this year, Apple will let you add that protection to Safari, too, the company announced this week at its WWDC conference for programmers. Rather than building the protection directly into the browser, Apple is letting you install an app from a company like Cloudflare or Comcast that offers DOH support.
Apple’s endorsement of DOH and DOT is an important moment for encrypted DNS. It’s hard to retrofit privacy protections to decades-old technologies like DNS that are deeply embedded in the internet, but the shift to encrypted DNS is now well underway. On Thursday, Mozilla also broadened its support with a partnership to let Comcast handle Firefox DOH queries in accordance with Mozilla privacy requirements.
Privacy is a top priority for many tech players right now, and a key part of that push is encryption technology that scrambles data so it’s impenetrable to those without the digital keys to decode it. Apple Chief Executive Tim Cook is arguably the most vocal privacy proponent in the tech world, and in the opening speech at WWDC, software chief Craig Federighi said, “At Apple, we believe privacy is a fundamental human right.”
Not everyone likes encryption, though, as evidenced by proposed legislation like the Lawful Access to Encrypted Data Act and the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act. Both proposals push to make it possible for authorities to get access to encryption keys from tech companies that today often don’t have them.
DOH blocks snooping and tampering
Without encrypted DNS, “other devices on the network can not only see what names you’re looking up, but they can even interfere with the answers,” said Tommy Pauly, an Apple internet technologies engineer, in one of the online presentations that replaced a real-world conference for this year’s WWDC.
DOH and DOT also help when you’re using a publicly available Wi-Fi network at a place like a hotel or airport, where “your internet usage could be tracked or blocked,” he added.
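To make the two points above concrete (the DOH and DOT formats described earlier, and Pauly’s point that a plaintext lookup can be both read and answered by anyone on the path), here is an added example that is not from the article, Apple, Cloudflare or Comcast. It builds a DNS query for cnet.com in the standard wire format, shows that the same bytes are what DOT wraps in TLS (with a two-byte length prefix, RFC 7858) and what DOH carries as an HTTPS request body or base64url GET parameter (RFC 8484), and then parses a constructed reply, rejecting one whose transaction ID or question does not match. The resolver endpoint URL, the 0x1234 transaction ID and the 192.0.2.x addresses (RFC 5737 documentation range) are assumptions chosen for illustration; nothing is sent over the network.

```python
import base64
import struct

TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """Hostname -> DNS wire-format labels (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("each label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset past it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if length == 0:
            return ".".join(labels), (end if jumped else off + 1)
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def build_query(name, txid):
    """One recursion-desired A question: 12-byte header + question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def build_response(txid, name, addrs, ttl=300):
    """Constructed resolver reply (with a different txid/name it is a forgery)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    answers = b""
    for a in addrs:  # 0xC00C points back at the name in the question at offset 12
        answers += b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
        answers += bytes(int(x) for x in a.split("."))
    return header + question + answers


def parse_response(msg, expected_txid, expected_name):
    """Return A-record addresses; reject a reply that does not match our query."""
    # Over plain UDP this ID/question check is the only defence against an on-path
    # forger, and the 16-bit ID is guessable. DOH/DOT instead authenticate the
    # resolver with TLS, so an outsider cannot inject a reply at all.
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    if (qname, qtype, qclass) != (expected_name, TYPE_A, CLASS_IN):
        raise ValueError("question section does not match what we asked")
    addrs = []
    for _ in range(an):
        _owner, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if (rtype, rclass, rdlen) == (TYPE_A, CLASS_IN, 4):
            addrs.append(".".join(str(b) for b in rdata))
    return addrs


def name_visible_on_the_wire(udp_payload):
    """What a passive observer reads straight out of a plaintext UDP/53 datagram."""
    return decode_name(udp_payload, 12)[0]


def frame_dot(query):
    """DNS over TLS (RFC 7858): same message, 2-byte length prefix, over TLS to port 853."""
    return struct.pack("!H", len(query)) + query


def frame_doh_post(query):
    """DNS over HTTPS (RFC 8484) POST: same message as the HTTP request body."""
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message",
               "Content-Length": str(len(query))}
    return headers, query


def frame_doh_get(query, endpoint="https://cloudflare-dns.com/dns-query"):
    """DoH GET form: base64url without padding in the 'dns' parameter (use txid 0 for cacheability)."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"
```

Calling `name_visible_on_the_wire(build_query("cnet.com", 0x1234))` returns `"cnet.com"`, which is exactly what a hotel or airport network sees in every unencrypted lookup; `frame_dot` and `frame_doh_post` show that DOT and DOH change only the transport around those bytes, not the message. Feeding `parse_response` a reply built with another transaction ID or another name raises `ValueError`, which is the whole of the protection a plaintext client has against a forged answer.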
With Apple’s technique, you’ll be able to download encrypted DNS support and add it to an iPhone, iPad or Mac. Once installed, the DNS setting can be modified through the iOS VPN & Network settings or MacOS System Preferences’ Network section.
An increasing number of companies offer DNS services. Candidates for support on Apple hardware include companies like Comcast and Cloudflare. Comcast didn’t comment for this story, but Cloudflare Chief Technology Officer John Graham-Cumming said Apple’s move is “fantastic.”
He praised Apple for having an app approach that makes encrypted DNS easy to install, works well with companies that might need to control DNS for their own operations, and handles encrypted DNS problems that can crop up when using hotel, airport or coffee shop Wi-Fi. “Encrypted DNS is here to stay. We couldn’t be happier,” he said.
Apple’s approach lets apps other than the browser use encrypted DNS. It should also sidestep some of the objections critics have raised against DOH, for example that enabling it by default could send people’s browsing activity data to companies they know nothing about.