from Hacker News

Alarming number of DNS requests made by iOS devices

by stanlarroque on 10/21/17, 11:12 PM with 62 comments

  • by feelin_googley on 10/22/17, 1:32 AM

    I have been logging, redirecting and blocking these queries for these domains and more for years.

    It is one of our biggest complaints about the "new" Apple.

    There is no option for the user to disable the nonstop phoning home. iOS is a BSD-like OS configured so that the user does not fully control it (e.g. can't stop someone else's software from incessantly trying to phone home). The user cannot fully configure it (e.g., can't access HOSTS file). Only Apple can (they get root and they do not even own the device). Important settings are placed off limits to the owners of these devices. This is no fun.

    Turn on an iOS device and it will keep trying to connect to Apple servers; it will not stop. An incredible tracking device if those servers keep logs, irrespective of Apple's reasoning. Not to mention lots of unnecessary network chatter on the home network.

    Clarification: After many years of desensitization to this practice since the first iPhone, it is neither "a secret" nor "scandalous", but it is still disappointing. Moreover, I am not advocating any other mobile OS simply by making a comment about iOS. In fact, none of the "smartphones" being sold today are satisfactory to me as portable computers when compared with the control I get using an open source OS with i386, amd64 or even a development board.

  • by stanlarroque on 10/22/17, 1:43 AM

    UPDATE: I updated my article with a more recent graph with more devices connected.

    Here is a quick CSV export of all the concerned hosts (subdomain + domain) I could pick from my database.

    https://stan.sh/images/ios_domains.csv

    I really want the story behind pancake.g.aaplimg.com

  • by bradknowles on 10/21/17, 11:58 PM

    Yes, iOS does talk a lot to the Apple servers, and Apple makes heavy use of Akamai for CDN purposes.

    If you set your iOS device to auto-update overnight, that will typically happen between 3am and 5am. They even tell you that when they set the schedule.

  • by freehunter on 10/22/17, 1:33 AM

    What exactly makes this "alarming"? I could understand "large" or maybe even "unexpected", but if this is background noise, I'm not sure "alarming" really fits here unless we're sure this is bad behavior.

  • by cbanek on 10/22/17, 1:24 AM

    Since you're blocking some DNS requests, do you think a portion of the usage might be retries? If one DNS request could turn into querying all the addresses in your list, I could see an amplification attack happening, and then that happening also on a retry. Look for patterns in querying the individual names?

  • by jey on 10/22/17, 2:19 AM

    Are you sure it's not just a bunch of app store updates and an iCloud backup? That's what I'd expect my phone to be doing at 4am anyway.

  • by domoritz on 10/22/17, 1:33 AM

    I also have a DNS logger and I found that iOS makes a lot of requests to time-ios.apple.com. That one isn't really alarming, though.

  • by yeukhon on 10/22/17, 1:52 AM

    Perhaps not really that big a deal, but the first consequence I can think of is draining battery...

  • by okket on 10/22/17, 8:27 AM

    What exactly is 'alarming' about a cloud device trying to connect to its cloud services? DNS/UDP is the cheapest way of communicating for the device, and, if the DNS servers are not mad and the RR timers are set correctly, also for the name server.

  • by coin on 10/22/17, 2:49 AM

    That animated banner at the top of https://databuster.net is a perfect example of what not to do on a website

  • by hvtuananh on 10/22/17, 2:32 AM

    I run a pi-hole instance at home and observe the same thing. Most DNS requests come from my iOS devices.