Update:
After receiving some data points that other people on those versions have not been experiencing this, and some digging with Wireshark, it turned out that it was not, strictly speaking, the iOS updates that were responsible for this. It was a little weirder than that.
Looking at packets did reveal the iPhones making DNS-over-HTTPS queries to places they weren't supposed to, and digging further revealed that somehow - and figuring out how is going to occupy me for some considerable time, I suspect - someone slipped them a mickey.
Somehow they both ended up with a device configuration profile installed that was not supposed to be there. I have no idea how that managed to end up installed and activated without the usual manual permission prompts drawing the attempt to do so to our attention, and yet there it was, in our base pwning our DNS.
A couple of erase-and-resets later, and normal operation has been restored. To the iPhones, anyway. (The less said about my paranoia the better.)
Previous Post
Not, you understand, that I would complain if someone has all the details of how to make iOS play nice again to pull out of their pocket before I find time to figure it out myself.
So, having recently updated to iOS 18.4.1 and/or 18.5 (yes, the beta), I note that ads and other such things are no longer blocked on iPhones hereabouts, which ordinarily Pi-hole takes care of nicely.
This is definitely not a Pi-hole issue, insofar as it continues to work just fine for every other device on the network: evidently Apple have figured out some ingenious way to bypass local DNS servers. (Even though it claims to be using said DNS servers - which I suppose is true for local addresses, while lying through its damn teeth otherwise.) Until a means is found to block this new perversion, y’all may want to upgrade cautiously to 18.4.1 and beyond.
Damn their sleek and shiny hides.
(I also note that the iPhones not playing ball has changed my average percentage of queries blocked from the 13-14% range down to 0.7%. Don't you just love 'em?)
My Setup, For Those Bothered To Repro
Very standard IPv4/IPv6 setup: Pi-hole queries OpenDNS, and in turn local DNS servers forward all non-local queries to Pi-hole. Everything else goes via those servers, only those servers query the Pi-hole directly, and they never make recursive queries of their own.
Versions:
Core
Version is v6.0.6-66-g3cbaee7 (Latest: null)
Branch is development
Hash is 3cbaee7b (Latest: 3cbaee7b)
Web
Version is v6.1-60-ge851470e (Latest: null)
Branch is development
Hash is e851470e (Latest: e851470e)
FTL
Version is vDev-f0966a9 (Latest: null)
Branch is development