[dns-operations] DNS over TCP query uptick with iOS 13?

David opendak at shaw.ca
Wed Oct 9 14:50:38 UTC 2019 

On 2019-10-09 8:36 a.m., Joe Abley wrote:
> On 9 Oct 2019, at 09:51, David <opendak at shaw.ca> wrote:
> 
>> On 2019-10-09 3:28 a.m., Vladimír Čunát wrote:
>>> On 10/9/19 8:53 AM, Xavier Beaudouin wrote:
>>>> I saw that DNS over TLS (not TCP) eg port 853/TCP is more and more used.
>>> I expect that's due to newer Androids getting to more people? (i.e. it seems unrelated to OP)
>>> https://android-developers.googleblog.com/2018/04/dns-over-tls-support-in-android-p.html
>>
>> Yeah we see that too but you are correct we are referring to normal plain-old DNS over TCP. We're now at 10x the query rates compared to pre-iOS 13, which is still not a lot but is growing each day.
> 
> Are there any obvious patterns with QNAMEs or with the servers that receive those queries? I wonder whether there's some new query pattern that has started triggering large responses and whether what we are seeing is iOS falling back to TCP transport due to failures in receiving fragments. It'd be interesting to look for other increases within the messages being exchnged over TCP, e.g. an unusual preponderance of DO=1 or QTYPE=TLSA or something.

The queries I've seen from these are pretty basic and all fit without 
needing EDNS or TCP. I'm also not entirely sure it's due to any loss 
detection either, as when they do switch to doing over TCP we don't 
immediately see the previous over-UDP-query again.

> 
> The observation reminds me of the iOS release that started pulling root zone DNSSEC trust anchors from data.iana.org <http://data.iana.org/> almost a decade ago. The CDN stats for data.iana.org <http://data.iana.org/> at the time revealed what looked initially like a step function but in fact was a steep curve tracking iOS upgrades amongst the iPhone-owning public. We found someone at Apple to talk to at the time to confirm that our interpretation was correct. If iOS deployment is the curve you're seeing, then I imagine you can expect more growth than 10x before you see a plateau.
> 

We've been in touch with the Apple NOC and provided them captures, 
hoping that they can engage the appropriate resources internally to 
confirm what is going on.

> Of course, many commonly-used applications tend to upgrade around an iOS upgrade. With iOS 13 there seem to be many popular social media apps releasing versions with this "dark mode" that I understand the youth like now.
> 

Yeah - the spread of names is not application specific so does look like 
the iOS resolver itself doing it, and not a specific application bug 
(like the snapchat NTP issue a few years ago where it probed every 
country code out there repeatedly).

> 
> Joe
>

More information about the dns-operations mailing list