iOS allows DNS request to escape the VPN tunnel (opens in new tab)

So many times law enforcement take advantage of this too, to fingerprint devices. The number of people caught because someone leaks packets outside the VPN for a few seconds because they forgot to configure VPN to disable outbound data if VPN drops... I've long wondered if making always on VPN require MDM provisioning on iPhones was a sop to police/criminal investigation forces, especially after Apple's public fights with the FBI over matters like the locked San Bernadino phone etc. I bet very few crims installing VPNs are aware of that apple support doc.

If this was working as it arguably should and could be done easily without MDM provisioning, it would remove a genuinely useful avenue for law enforcement and add more fuel to the the FBI's dislike for Apple's security features.

I wonder if there's a small bit of pressure on the device manufacturers to keep DNS leaks happening for consumers. I'd love to be a fly on the wall at some of the NatSec-level conversations.

Should it be expected that individual users should be familiar with corporate deployment documentation just to know that their VPN app they bought actually leaks?

I assume this is because an evil VPN app could refuse to allow the phone to connect to apple for updates.

That would then mean the app maker can effectively steal control of the phone from Apple.

I'm not following. Your link appears to be specific to corporate environments. The title of the document is:

"VPN overview for Apple device deployment."

It further states "Secure access to private corporate networks is available in iOS ..."

An individual iPhone user who is not using a company issued device would not be beholden to MDM restrictions or profiles. Nor would access to "private corporate networks" be necessarily relevant.

Wallet at least has a semi-plausible non-evil answer: Users who kick their VPN on to another country and try to use apple pay at checkout will unexpectedly get declined (because the purchase would appear to be coming from another country perhaps?).

Apple could fix that with proper UI though.

Android only leaks connection checks.

While on IOS any system app doesn't use the VPN or DNS requests.

VPNs are useless on iOS, and its made to be this way, again the "privacy OS" isn't privacy focused at all.

https://www.michaelhorowitz.com/VPNs.on.iOS.are.scam.php

can you not sniff it with services like nextdns?

This doesn't stop apps using things like DNS over HTTPS etc. PiHole works pretty great today, but developers are getting sneakier and sneakier about how to obtain outbound DNS. It's not just unencrypted port 53 all the time anymore. Eventually devices will get the IP for the DNS record they want just fine, if they really want to.

PiHole arguably is getting less effective with each passing year as alternate DNS resolution methods like DNS over HTTPS etc gain traction, and defeating DNS over HTTPS is s a whack-a-mole game today, all you can really do is try to blacklist known DNS over HTTPS server IPs, which is a running battle.

My assumption is all ad driven applications who depend on resolving advert domains correctly to serve the ad content will one day all utilise methods like DNS over HTTPS to stop products like PiHole reducing revenue.

SSHing to another machine isn’t a solution, you’re just using a different machine.

The way to solve it and still continue to use iOS is to implement your VPN at the network layer. e.g. use one of those wifi routers with a VPN client built in.

That’s because Google doesn’t market “Privacy” as their USP with giant billboards maybe?

Only connection checks.

Completely different situation. The iPhone falls back to mobile data if it can't get to the internet over WiFi.

I can't even imagine the uproar that would be a thread about Google doing this!