
Alarming number of DNS requests made by iOS devices - stanlarroque
https://stan.sh/posts/dns-requests-of-ios-devices
======
feelin_googley
I have been logging, redirecting and blocking these queries for these domains
and more for years.

It is one of our biggest complaints about the "new" Apple.

There is no _option_ for the user to disable the nonstop phoning home. iOS is
a BSD-like OS configured so that the user does not _fully_ control it (e.g.
can't stop someone else's software from incessantly trying to phone home). The
user cannot fully configure it (e.g., can't access HOSTS file). Only Apple can
(they get root and they do not even own the device). Important settings are
placed off limits to the owners of these devices. This is no fun.

Turn on an iOS device and it will keep trying to connect to Apple servers; it
will not stop. An incredible tracking device if those servers keep logs,
irrespective of Apple's reasoning. Not to mention lots of unnecessary network
chatter on the home network.

Clarification: After many years of desensitization to this practice since the
first iPhone, it is neither "a secret" nor "scandalous", but it is still
_disappointing_. Moreover, I am not advocating any other mobile OS simply by
making a comment about iOS. In fact, none of the "smartphones" being sold
today are satisfactory to me as portable computers when compared with the
control I get using an open source OS with i386, amd64 or even a development
board.

~~~
freehunter
> iOS is a BSD-like OS configured so that the user does not _fully_ control it

Oh come on. You act like this is some malicious or unexpected new behavior
when this is how Apple has behaved for at least 15 years now. And if the BSD
guys didn't want their software used in that fashion, they'd change their
license. But since BSD wrote their own license that allows for that, they
explicitly approve of it.

Don't act like you're scandalized about discovering the _big secret_ that
_Apple_ won't let you _fully_ control your _iPhone_ in _2017_.

~~~
tomcam
How do you know when the parent poster knew what? Must all Apple users know
the entire history of Apple device DNS usage? Where is the universally known
documentation on such usage?

~~~
akerl_
I'd expect somebody commenting about "the 'new' Apple" to have awareness of
Apple's historical activity, yes.

------
stanlarroque
UPDATE: I updated my article with a more recent graph with more devices
connected.

Here is a quick CSV export of all the concerned hosts (subdomain + domain) I
could pick from my database.

[https://stan.sh/images/ios_domains.csv](https://stan.sh/images/ios_domains.csv)

I really want the story behind pancake.g.aaplimg.com

~~~
kirb
Some quick explanations of non-obvious ones:

mesu, su: software update

pancake: looks like home sharing?
[https://stackoverflow.com/questions/26900625/what-is-pancake...](https://stackoverflow.com/questions/26900625/what-is-pancake-apple-com)

phobos, mzstatic: App/iTunes store, possibly also Apple Music

apptrailers: App Store app demo videos?

streamingaudio: Apple Music?

iphonesubmissions, radarsubmissions: crash report upload

guzzoni: Siri

appldwnld: firmware downloads

gs: firmware signature generator/verifier

albert: device activation

ckdatabase, ckdevice: CloudKit, like iCloud 2.0

keyvalueservice: old iCloud sync service, still used with text shortcuts sync

fmf: Find My Friends

fmip: Find My iPhone

All in all it just looks normal; there are a lot of features in iOS/macOS/iTunes
etc. etc. and they all have their own respective hostnames, possibly many for
old school random-hostname-based load balancing, etc. Seems pretty normal that
your users would be downloading apps (or the phone downloading updates
automatically), playing Apple Music, updating iOS, etc. Spammy, but not that
big a deal. I'd imagine it's rather similar from Android by filtering to Google,
Samsung, etc. hosts.

------
bradknowles
Yes, iOS does talk a lot to the Apple servers, and Apple makes heavy use of
Akamai for CDN purposes.

If you set your iOS device to auto-update overnight, that will typically
happen between 3am and 5am. They even tell you that when they set the
schedule.

~~~
stanlarroque
I disabled all that, and background app refresh as well.

I am getting a huge database of these logs because of my users. Maybe someone
can help me investigate because there is definitely something going on.

Here is a preview: [https://stan.sh/images/log-example.png](https://stan.sh/images/log-example.png)

~~~
AdamJacobMuller
"something" going on? like, the manufacturer of a device who provides cloud
services with that device is speaking to their servers to provide services
that the customer wants? Very alarming.

~~~
stanlarroque
I understand iCloud, iTunes, and all other Apple services need to communicate
with their servers. My point is to question why they need more than 1000
hosts for their endpoints. It only looks suspicious in my eyes.

[https://stan.sh/images/ios_domains.csv](https://stan.sh/images/ios_domains.csv)

~~~
kalleboo
One area where Apple uses a large amount of domain names on purpose is for
their captive portal detection. Supposedly they do this on purpose so that
captive portals can't try to hard-code a list of domains in order to
whitelist/fool it.

~~~
im3w1l
Device: Am I on a captive portal? Nonce.

Apple server: No. Same Nonce. Cryptographic signature.

If different response: Captive portal. If no response: No internet.

~~~
im3w1l
Oops, this doesn't actually work, because the captive portal can just let that
one request through unmodified...

------
freehunter
What exactly makes this "alarming"? I could understand "large" or maybe even
"unexpected", but if this is background noise, I'm not sure "alarming" really
fits here unless we're sure this is bad behavior.

------
cbanek
Since you're blocking some DNS requests, do you think a portion of the usage
might be retries? If one DNS request could turn into querying all the
addresses in your list, I could see an amplification attack happening, and
then that happening also on a retry. Look for patterns in querying the
individual names?
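
As an added example (not code from the article or from any commenter), a Python script that does what the comment above suggests on a dnsmasq/pi-hole style query log: it counts queries per client, lists the distinct hostnames seen under each base domain, and flags any name a client re-queries several times within a few seconds, which is what a retry loop would look like. The log lines are constructed; the hostnames are taken from the thread.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in dnsmasq/pi-hole "query" format (not real captures).
SAMPLE_LOG = """\
Oct 12 04:00:01 dnsmasq[612]: query[A] time-ios.apple.com from 192.168.1.20
Oct 12 04:00:01 dnsmasq[612]: query[A] time-ios.apple.com from 192.168.1.20
Oct 12 04:00:02 dnsmasq[612]: query[A] time-ios.apple.com from 192.168.1.20
Oct 12 04:00:09 dnsmasq[612]: query[A] pancake.g.aaplimg.com from 192.168.1.20
Oct 12 04:00:15 dnsmasq[612]: query[AAAA] gs.apple.com from 192.168.1.20
Oct 12 04:01:40 dnsmasq[612]: query[A] example.org from 192.168.1.31
Oct 12 04:02:03 dnsmasq[612]: query[A] mesu.apple.com from 192.168.1.20
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+: query\[[A-Z]+\] "
                     r"(?P<name>\S+) from (?P<client>\S+)$")

def parse(log_text, year=2017):
    """Yield (timestamp, lowercased name, client) for each query line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog timestamps carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["name"].lower().rstrip("."), m["client"]

def base_domain(name):
    return ".".join(name.split(".")[-2:])  # crude: no public-suffix list

def summarize(log_text):
    """Queries per client, and the distinct hostnames seen under each base domain."""
    per_client, hosts = Counter(), defaultdict(set)
    for _, name, client in parse(log_text):
        per_client[client] += 1
        hosts[base_domain(name)].add(name)
    return per_client, {d: sorted(h) for d, h in hosts.items()}

def retry_bursts(log_text, window_s=5, min_count=3):
    """(client, name) pairs queried >= min_count times within window_s seconds."""
    seen = defaultdict(list)
    for ts, name, client in parse(log_text):
        seen[(client, name)].append(ts)
    bursts = []
    for key, times in seen.items():
        times.sort()
        if any((times[i + min_count - 1] - times[i]).total_seconds() <= window_s
               for i in range(len(times) - min_count + 1)):
            bursts.append(key)
    return bursts
```

Run it against `/var/log/pihole.log` (or wherever your resolver logs queries) instead of `SAMPLE_LOG` to see whether the high counts come from many distinct hostnames or from a few names being re-queried in bursts.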

~~~
stanlarroque
I do not block these requests. However I am pretty sure Apple does some DNS
tunneling.

Also, some iOS specific requests happen when there is no other DNS activity at
all.

~~~
cbanek
> However I am pretty sure Apple does some DNS tunneling.

That seems very reasonable. It would be better than hardcoding IP addresses
and safer than straight DNS for management things. Maybe their implementation
of that doesn't have a very long TTL?

------
jey
Are you sure it's not just a bunch of app store updates and an iCloud backup?
That's what I'd expect my phone to be doing at 4am anyway.

------
domoritz
I also have a DNS logger and I found that iOS makes a lot of requests to
time-ios.apple.com. That one isn't really alarming, though.

~~~
freehunter
I'm still amazed that computers are so terrible at telling reliable time
without connecting to a network constantly. I've seen computers with a
fully-functional CMOS battery lose 5 minutes a month without a network
connection. Mind blowing.

~~~
LeoPanthera
That _is_ surprising, so surprising that I have to assume the computer in
question was running some kind of misbehaving ntpd that was skewing the clock.

A good quality quartz crystal is accurate to about 15 seconds a month. Even
the cheap ones can manage 30 seconds a month.

~~~
freehunter
My car loses about 3 minutes per month, and it has no ability to query NTP.
Oddly enough my SUV _gains_ about a minute per month.

------
yeukhon
Perhaps not really that big a deal, but the first consequence I can think of
is draining battery...

~~~
natch
Well the author sort of neglected to state whether the device was charging at
the time, which makes a difference. No doubt it wasn’t _always_ charging but
it would be fair to clarify when it was. The OS has some activities like
checking for updates that it is more likely to do if tethered to power.

Also some of the activity can be related to measures that actually save power.
For example, before attempting to do a heavy download of data provided by apps
that implement background data downloading, it makes sense to first check the
quality of the network connection.

I’d suggest everyone just chill and realize there can be good reasons for
things, not just bad reasons. And consider the possibility that Apple is not
stupid when it comes to power management.

------
okket
What exactly is 'alarming' about a cloud device trying to connect to its cloud
services? DNS/UDP is the cheapest way of communicating for the device, and, if
the DNS servers are not mad and the RR timers are set correctly, also for the
name server.

------
coin
That animated banner at the top of
[https://databuster.net](https://databuster.net) is a perfect example of what
not to do on a website.

~~~
freehunter
You must be seeing something different than I am. I don't see anything
animated on that page, with no ad or content blockers running.

------
hvtuananh
I run a pi-hole instance at home and observe the same thing. Most DNS requests
come from my iOS devices.

