iOS allows DNS request to escape the VPN tunnel

156 points by nb_key, more than 2 years ago

12 comments

dljsjr, more than 2 years ago
Always-on VPN that tunnels *everything* requires MDM commissioning. It's documented by Apple.

See the section "Always On VPN": https://support.apple.com/guide/deployment/vpn-overview-depae3d361d0/web

Is it dubious that Apple doesn't let VPN apps do this as well? Maybe. But this is known and documented.

nb_key, more than 2 years ago
> We confirm that iOS 16 does communicate with Apple services outside an active VPN tunnel. Worse, it leaks DNS requests. #Apple services that escape the VPN connection include Health, Maps, Wallet. We used @ProtonVPN and #Wireshark

netfortius, more than 2 years ago
Add Android to this: https://mullvad.net/en/blog/2022/10/10/android-leaks-connectivity-check-traffic/

lapcat, more than 2 years ago
Dupe: https://news.ycombinator.com/item?id=33173163

DavideNL, more than 2 years ago
Related ProtonVPN article:

"We’ve raised this issue with Apple multiple times. Unfortunately, its fixes have been problematic. Apple has stated that their traffic being VPN-exempt is “expected”, and that “Always On VPN is only available on supervised devices enrolled in a mobile device management (MDM) solution”. We call on Apple to make a fully secure online experience accessible to everyone, not just those who enroll in a proprietary remote device management framework designed for enterprises."

https://protonvpn.com/blog/apple-ios-vulnerability-disclosure/

WallyFunk, more than 2 years ago
For those looking for a workaround, you can get a VPN router; in my case, a GL.iNet Mango[0] router.

The great thing: even if the VPN connection drops, it doesn't leak your real/naked IP, and also /all/ traffic on an iOS device has to pass through the VPN. No special exceptions for Apple traffic.

The only caveat is you have to carry this when traveling, which means if you're traveling light, carrying this around could be burdensome. If you are at home most of the time though, such a router is invaluable.

[0] https://www.amazon.co.uk/GL-iNet-GL-MT300N-V2-Converter-Pre-installed-Performance/dp/B073TSK26W

londons_explore, more than 2 years ago
And remember... This is WiFi.

But over the LTE connection, which is far harder to sniff without very expensive equipment, it could be doing almost anything. And you can't even check what it's doing.

mensetmanusman, more than 2 years ago
This type of feature is useful for places like China that need to imprison people that speak out against the CCP.

Our tech overlords are not immune to pressures if we teach them how it is abused.

egberts1, more than 2 years ago
That is why a detached but portable WiFi/5G router is for … to block these Apple shenanigans …

While your phone is in Airplane mode and regular (but your router’s) WiFi only network

disabled, more than 2 years ago
Last that I heard, Raspberry Pi with VPN installed along with PiHole that you SSH/VNC (via iOS app) in to is your best option.

drcongo, more than 2 years ago
Also Google / Android, but that doesn't get the clicks.

emptyparadise, more than 2 years ago
iOS devices are leaky as hell. I once tried blackholing all requests besides those to a VPN service on a router level, and even then my iPhone would just fall back to mobile data for notifications and other Apple services.