Christmas party: iOS has a public API to query DNS encrypted but Android does not


arlen holder

Dec 25, 2018, 3:47:13 PM
What API is on iOS that queries DNS with encryption that isn't on Android?

Yesterday I was at a Christmas party in the Silicon Valley with a few
Google & Apple execs, where I asked everyone why they liked their phone,
and when I said there was nothing on iOS that isn't already on Android (for
free besides), one guy who writes code for both platforms told me that
there are APIs in iOS that are public that are not in Android (public or
private), such as the API to encrypt DNS queries without VPN.

That was interesting since he knew far more than I do, of course, as he's a
VP of a startup company that sells communications equipment to both
companies.

If anyone knows more about that - let me know if you know the specifics.

What API is on iOS that queries DNS with encryption that isn't on Android?

JF Mezei

Dec 25, 2018, 4:12:00 PM
On 2018-12-25 15:47, arlen holder wrote:
> What API is on iOS that queries DNS with encryption that isn't on Android?


The DNS protocol does not include encryption.
DNSsec is not encrypted, but responses from DNS servers are digitally
signed, and DNS clients have the means to verify the signature.


Servers are more and more deploying DNSsec but in terms of computers
(and phones), few implement it by default, but OS-X and I assume IOS
allows apps to use it.

nospam

Dec 26, 2018, 11:08:06 AM
In article <pvu50f$sq1$1...@news.mixmin.net>, arlen holder
<ar...@arlen.com> wrote:

> Yesterday I was at a Christmas party in the Silicon Valley with a few
> Google & Apple execs, where I asked everyone why they liked their phone,
> and when I said there was nothing on iOS that isn't already on Android (for
> free besides), one guy who writes code for both platforms told me that
> there are APIs in iOS that are public that are not in Android (public or
> private), such as the API to encrypt DNS queries without VPN.

at which point you told him that he had only a 5th grade education and
was playing childhood games, that he was lying and you were the only
one with the facts, and then went to socialize with the adults in the
room.

Alan Browne

Dec 26, 2018, 11:13:35 AM

> In article <pvu50f$sq1$1...@news.mixmin.net>, arlen holder
> <ar...@arlen.com> wrote:
>
>> Yesterday I was at a Christmas party in the Silicon Valley with a few
>> Google & Apple execs,
I didn't know groundskeepers, cafeteria staff, janitors and bus drivers
were called execs. Is that a California thing? I have nothing against
these fine workers, of course, but this title mania is out of control IMO.

arlen holder

Dec 26, 2018, 11:30:25 AM
On Wed, 26 Dec 2018 11:08:05 -0500, nospam wrote:

> at which point you told him that he had only a 5th grade education and
> was playing childhood games, that he was lying and you were the only
> one with the facts, and then went to socialize with the adults in the
> room.

Actually, since it was a party where there was a lot going on, we were
conversing at the table where everyone was sampling the expensive wines
near a Faberge egg display, where the following conversation, cross my
heart, took place...

We had conversed for only a few moments, where all these Silicon Valley
execs are my neighbors so we know each other well in the non-professional
environment (I take them on hikes, for example), when I saw exec 1 (let's
call him "AC") pull out his iPhone for some reason - which is when I had
asked him why on earth such a smart guy uses such a dumb phone.

AC was the guy whose teams develop on both Android & iOS where he was the
one who later told me that there are public APIs (yes, plural even) on iOS
that are not on Android, such as the one to handle encrypted DNS (which is
the only API I could get out of him at the rather busy party).

Just about that time, exec 2, let's call him MB, who happens to have both
but who was using Android at that moment, chimed in that "I have absolutely
no people skills", to which I asked what he meant. He said "you're so smart
and yet you don't know how to get a message across", to which his friend
"AC" concurred.

MB openly volunteered to take me under his wing to "teach me people
skills", where I was so confused as to whether he was joking or being
serious that I looked over to AC and asked, "is he serious?".

AC pointed back to MB saying, "See! He can't read you even enough to tell
if you're being serious or if you're joking". MB insisted he was serious
(we are friends, after all), but he insisted at the same time that at a
party, it's not proper to insult the intelligence of people simply for
choosing to use the iPhone.

I _still_ don't know if he was serious or joking, but both "said" they were
serious. We moved on to other conversations shortly thereafter, so I didn't
get a chance (yet) to pump AC for details on the specific APIs that Apple
has which Android does not - but clearly AC took affront when I told him
how worthless iOS is compared to Android (although AC nodded in agreement
when I said there was plenty functionality on Android that isn't on iOS).

AC mainly took affront that I claimed there was 0 on iOS not already on
Android, while MB thought that I could use my obvious intelligence a bit
less brutally honestly up front. He said he'd love to coach me.

True story.

arlen holder

Dec 26, 2018, 11:55:13 AM
On Tue, 25 Dec 2018 16:11:59 -0500, JF Mezei wrote:

> The DNS protocol does not include encryption.

Hi JF Mezei,
Thanks for trying to help out, since you & I are nothing like nospam.
We only care about the truth, and the facts.

Nothing nospam ever says can be believed, and, worse, nospam is such a
child that he only plays to one side of the story whereas I am quite
willing to see facts on both sides.

So if there _is_ a public API call in iOS that isn't on Android, I simply
want to know the facts, specifically, where can we find documentation on
this one API call.

BTW...
If this is the _only_ API call that iOS has over Android, then that's fine.
If there are more API calls that iOS has over Android, then that's fine.

The question is only one of facts.

> DNSsec is not encrypted, but responses from DNS servers are digitally
> signed, and DNS clients have the means to verify the signature.

Hmmmm.... I guess that's what AC meant when he had said that there was at
least one thing on iOS that isn't on Android already by way of app
functionality when I had claimed there was none.

I am not well versed in DNS security, as I've never delved into it before
except to check for DNS leaks during VPN sessions.

> Servers are more and more deploying DNSsec but in terms of computers
> (and phones), few implement it by default, but OS-X and I assume IOS
> allows apps to use it.

I have to agree with you since this executive of a startup, AC, is highly
technical (all startup execs tend to be highly technical).

This exec didn't refute that Android has plenty over iOS; he simply gave me
this one example of where iOS has something over Android (which did answer
my question, since I had asked him to "name one functionality that iOS has
that Android doesn't already have").

To be clear, it was a brief conversation at a party, where he instantly
named that one functionality, which served the purpose of the challenge,
but which I'm simply trying to find out more about here.

I'll see if I can find the name of this API by searching...

How do I make an IOS app *require* DNSSec?
<https://stackoverflow.com/questions/14041980/how-do-i-make-an-ios-app-require-dnssec>

Here is just one answer ... but it appears to be somewhat old...

DNSSEC is available on the OS level with iOS 10+ as part of the dnssd
Framework. You use it by using the kDNSServiceFlagsValidate flag when
querying the DNS using DNSServiceQueryRecord.

If you want to secure your TLS connection you have to implement the dns
query in URLSessions urlSession(_:didReceive:completionHandler:) method.

However, you should be aware that there are public dns servers out there
(like i.e. OpenDNS), that do not support DNSSEC.

arlen holder

Dec 26, 2018, 12:00:23 PM
On Wed, 26 Dec 2018 11:13:30 -0500, Alan Browne wrote:

> I didn't know groundskeepers, cafeteria staff, janitors and bus drivers
> were called execs. Is that a California thing? I have nothing against
> these fine workers, of course, but this title mania is out of control IMO.

I don't have to prove your mind is that of a child, Alan Browne.
You just proved it for me.

It's instructive to note how the classic Apologists innately behave:
o Both nospam & Alan Browne don't respond to the technical question
o Neither nospam nor Alan Browne _can_ respond to the technical question

Fact?

Simply prove me wrong, Alan Browne.
HINT: You can't ever respond to _any_ technical discussion, with facts.

bannatyne

Dec 26, 2018, 1:42:35 PM
On Wed, 26 Dec 2018 16:30:25 -0000 (UTC), arlen holder <ar...@arlen.com>
wrote:

>On Wed, 26 Dec 2018 11:08:05 -0500, nospam wrote:
>
>> at which point you told him that he had only a 5th grade education and
>> was playing childhood games, that he was lying and you were the only
>> one with the facts, and then went to socialize with the adults in the
>> room.
>
>Actually, since it was a party where there was a lot going on, we were
>conversing at the table where everyone was sampling the expensive wines
>near a Faberge egg display, where the following conversation, cross my
>heart, took place...

Well, since you crossed your heart, I guess the rest can be taken at
face value. Once a heart has been crossed, no untrue word can be spoken.

>We had conversed for only a few moments, where all these Silicon Valley
>execs are my neighbors so we know each other well in the non-professional
>environment (I take them on hikes, for example), when I saw exec 1 (let's
>call him "AC") pull out his iPhone for some reason - which is when I had
>asked him why on earth such a smart guy uses such a dumb phone.

I don't envy you and your Aspergers. You have no social skills
whatsoever. Don't like my observation? Read on for another opinion or
two.

>AC was the guy whose teams develop on both Android & iOS where he was the
>one who later told me that there are public APIs (yes, plural even) on iOS
>that are not on Android, such as the one to handle encrypted DNS (which is
>the only API I could get out of him at the rather busy party).
>
>Just about that time, exec 2, let's call him MB, who happens to have both
>but who was using Android at that moment, chimed in that "I have absolutely
>no people skills", to which I asked what he meant. He said "you're so smart
>and yet you don't know how to get a message across", to which his friend
>"AC" concurred.
>
>MB openly volunteered to take me under his wing to "teach me people
>skills", where I was so confused as to whether he was joking or being
>serious that I looked over to AC and asked, "is he serious?".

People with Aspergers have trouble with nuanced emotions such as sarcasm
versus sincerity. You should have just told them that you have AS. They
probably already guessed it, but confirmation might have helped them to
relate to you in a way that works better for you.

>AC pointed back to MB saying, "See! He can't read you even enough to tell
>if you're being serious or if you're joking". MB insisted he was serious
>(we are friends, after all), but he insisted at the same time that at a
>party, it's not proper to insult the intelligence of people simply for
>choosing to use the iPhone.
>
>I _still_ don't know if he was serious or joking, but both "said" they were
>serious. We moved on to other conversations shortly thereafter, so I didn't
>get a chance (yet) to pump AC for details on the specific APIs that Apple
>has which Android does not - but clearly AC took affront when I told him
>how worthless iOS is compared to Android (although AC nodded in agreement
>when I said there was plenty functionality on Android that isn't on iOS).
>
>AC mainly took affront that I claimed there was 0 on iOS not already on
>Android, while MB thought that I could use my obvious intelligence a bit
>less brutally honestly up front. He said he'd love to coach me.
>
>True story.

Even without the crossing of the heart, it rings true to me. You've
perfectly and accurately described the behavior of a person with AS. You
have my sympathies. Life is surely hard for you, especially when life
presents you with a social situation for which you are totally
unequipped and unprepared.

arlen holder

Dec 26, 2018, 2:54:24 PM
On Wed, 26 Dec 2018 12:43:28 -0600, bannatyne wrote:

> You should have just told them that you have AS.

On the topic of honesty...
I'm sure they're aware as I'm brutally honest as it's not hard to see.

I've never been professionally diagnosed (too old for that), but I'm sure
I'm an aspy, as are many in my rather large strict Roman Catholic family.

Having had huge influences of both being an RC & an aspy...
I have never understood why people, who aren't politicians or salesmen, lie.

Specifically, why people like nospam _always_ lie.
o People like nospam always claim YES is no, and that NO is yes.
o Why?

What benefit does it provide to have zero credibility like nospam has?
(He's almost always wrong - since he simply guesses at everything.)

While I realize facts don't fit into _any_ religious belief system,
people like nospam confuse me because facts don't fit into any of their
belief systems, even technical belief systems.

When people like nospam deny even that which Apple admits,
o I wonder if they're really that stupid, or,
o I wonder why they would flatly deny that which is obviously a fact.

You see my dilemma?
o If I assume nospam is stupid, then it all makes sense,
o But if I assume he's actually intelligent, then he's just a brazen liar.

On the topic of honesty...
o I can easily comprehend why idiots like Alan Browne are always wrong,
o But I can't fathom why intelligent people like nospam always lie.

What gain do people like nospam get by always denying known facts?
Specifically .... what makes them do that? (What makes them lie?)

B...@onramp.net

Dec 26, 2018, 7:19:25 PM
You stated that you have never been professionally diagnosed. You
aren't too old so why not have a psychiatrist tell you why you lie?


arlen holder

Dec 26, 2018, 10:13:45 PM
On Wed, 26 Dec 2018 18:19:23 -0600, B...@Onramp.net wrote:

> You stated that you have never been professionally diagnosed. You
> aren't too old so why not have a psychiatrist tell you why you lie?

I don't have to prove you can never add on-topic value, BK.
Because you prove that yourself.

*Nothing you write, BK, ever adds _any_ on-topic value to _any_ thread.*

sms

Dec 27, 2018, 2:22:49 AM
On 12/26/2018 8:30 AM, arlen holder wrote:

<snip>

> pull out his iPhone for some reason - which is when I had
> asked him why on earth such a smart guy uses such a dumb phone.

The reason execs use iPhones is because of security and privacy, two
areas where Android is weaker than iOS (though security is improved with
Android 9). The cost difference of the hardware is of little concern.

Google's whole business model is based on a lack of privacy, and that
isn't going to change <https://www.youtube.com/watch?v=eFCSp23xl40>.

arlen holder

Dec 27, 2018, 2:08:30 PM
On Wed, 26 Dec 2018 23:22:44 -0800, sms wrote:

> The reason execs use iPhones is because of security and privacy, two
> areas where Android is weaker than iOS (though security is improved with
> Android 9). The cost difference of the hardware is of little concern.

I've been out of the business world for a while, but when I was in it, cost
was of zero concern (in those days, they paid for everything, so, they,
effectively, owned everything, even the service plan).

At that time, they would take the new phone from us, and "do something" to
it, and then give it back. Everything went through their VPN after that,
for example.

> Google's whole business model is based on a lack of privacy, and that
> isn't going to change <https://www.youtube.com/watch?v=eFCSp23xl40>.

Facts.
Privacy is a complex subject, as is security.

The problem in declaring that the "chain of communication" for Apple is,
somehow, different than that of Android, is problematic when you consider
that some of the components of that chain are EXACTLY the same for both.

What we have, in effect, is a chain containing strong links and then weaker
links and then even weaker links, some of which are as strong as fishing
line, while others are as weak as cotton sewing thread.

The MARKETING organization of the big company advertises like crazy those
strong links, but remains silent on the sewing thread holding them
together.

Having said that, I do agree with you that, essentially
o Google MARKETING says they want your data
o Apple MARKETING says they don't want your data

However, you have to agree with me that, essentially
o If you want to customize the thing, Android is easier
o If you want to customize the thing, iOS is harder (IMHO).

I'm sure, to a professional organization, a "custom ROM" is not out of
their league, in which case, both "might" be easy though.

So I ask you _that_ question:
Q: How hard is it for a typical corporation to have a "custom ROM"?

arlen holder

Apr 5, 2019, 10:20:20 PM
UPDATE.
*Android does encrypted DNS as does iOS*

Earlier this week, I had sent another email to the Silicon Valley executive
who had told me that there was at least one public API on iOS that wasn't
on Android, which is significant since nobody on this newsgroup or on the
Internet has _ever_ been able to find any functionality on iOS that isn't
ALREADY on Android (and worse, everyone on this newsgroup can list a score
of functionality on Android that is decidedly not on iOS such as something
as simple as graphing Wifi signal strength over time or automatic call
recording, or torrenting, or loading any desired app launcher, etc.).

This recent email was related to this Cloudflare encrypted DNS thread:
o Cloudflare releases Warp: Fixing Mobile Internet Performance and Security: free VPN privacy
<https://groups.google.com/forum/#!topic/comp.mobile.android/CjQIx8HYtHM>

Here is his answer:

"On Android (now for example in P and Q) there is a user configurable
setting for encrypted DNS (Settings > Networking > Advanced > Private DNS)
where the user enters 1dot1dot1dot1.cloudflare-dns.com.

On iOS, Cloudflare used a VPN that sets the DNS to 1.1.1.1. If you
install the iOS app, there is a big button to “connect”, and switching it
on will install a VPN Profile from Cloudflare."

I'm not sure if he's aware that the "big button" also exists on Android
based on my tests this week though.

iOS encrypted DNS, vs Android encrypted DNS:
o <https://i.postimg.cc/c1RMtnsc/encrypteddns01.jpg>
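
The thread mixes two different properties: DNSSEC (signed answers, discussed in JF Mezei's reply and the quoted Stack Overflow answer) and encrypted transport (the Android Private DNS setting in the update above, which is DNS-over-TLS). The following is an added example, not code from any poster or from Apple, Google or Cloudflare; it builds a DNSSEC-requesting query by hand to show that the name still travels in clear text on port 53, and what changes when the same message is framed for DNS-over-TLS. The name `example.com`, the transaction ID and the reply header are constructed sample values.

```python
import struct

RD, AD, QR, RA = 0x0100, 0x0020, 0x8000, 0x0080  # DNS header flag bits
DO_BIT = 0x8000          # EDNS0 "DNSSEC OK" flag, carried in the OPT TTL field
OPT_TYPE = 41

def encode_qname(name):
    """Encode a host name as length-prefixed labels. Nothing here is encrypted."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=1, txid=0x1234, dnssec_ok=True):
    """Build a query; dnssec_ok adds an OPT record asking for signatures."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 1 if dnssec_ok else 0)
    question = encode_qname(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, DO_BIT, 0) if dnssec_ok else b""
    return header + question + opt

def parse_question(msg):
    """Return (name, offset after the question): what a port-53 observer reads."""
    labels, pos = [], 12
    while msg[pos] != 0:
        n = msg[pos]
        if n & 0xC0:
            raise ValueError("unexpected compression pointer in question")
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels), pos + 5   # skip root label, QTYPE, QCLASS

def has_do_bit(msg):
    """True if a query (no answer/authority records) carries OPT with DO set."""
    arcount = struct.unpack("!H", msg[10:12])[0]
    _, pos = parse_question(msg)
    if arcount == 0 or msg[pos] != 0:
        return False
    rtype, _size, ttl, _rdlen = struct.unpack("!HHIH", msg[pos + 1:pos + 11])
    return rtype == OPT_TYPE and bool(ttl & DO_BIT)

def header_flags(msg):
    flags = struct.unpack("!H", msg[2:4])[0]
    return {"qr": bool(flags & QR), "ad": bool(flags & AD), "rcode": flags & 0xF}

def as_validated_reply(query):
    """Constructed sample: header of a reply from a validating resolver (AD set)."""
    txid, flags = struct.unpack("!HH", query[:4])
    return struct.pack("!HH", txid, flags | QR | RA | AD) + query[4:]

def dot_frame(msg):
    """RFC 7858 framing: 2-byte length prefix; this goes inside TLS on port 853."""
    return struct.pack("!H", len(msg)) + msg

if __name__ == "__main__":
    q = build_query("example.com")            # constructed sample name
    print("observer on port 53 sees:", parse_question(q)[0])
    print("DO bit requested:", has_do_bit(q))
    print("AD in reply:", header_flags(as_validated_reply(q))["ad"])
    print("DoT payload before TLS:", dot_frame(q).hex())
```

The AD flag is a single unauthenticated header bit, so a stub resolver that relies on it instead of validating signatures itself needs a trusted path to the resolver; that is the gap an encrypted, authenticated transport such as DNS-over-TLS closes.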