Thursday, October 17, 2024

macos – tcpdump/wireshark aren’t seeing DNS requests from browser or ping on Mac OS

I use Mac OS Sequoia 15.0.1 and I am trying to capture DNS traffic using wireshark or tcpdump, but I can’t see any whatsoever and I don’t understand what Mac does differently here and why I can observe this traffic.

Initially I thought that the browsers used DoH or some kind of proxy even after making sure they’re disabled (Firefox/Chrome), but then I realised that pinging a website also doesn’t result in any traffic being captured.

I’ve also tested this on an older Mac OS (13.6.9) and it seems to be behaving identically.

sudo tcpdump -i any -n port 53 -nnp
ping aol.com

If I try using dig or nslookup, it works as expected. So it’s clear to me that the browsers and ping use a different DNS path.

Any ideas why this happens and how the DNS requests are being sent?

What I also did was to make sure that “Private Wi-Fi Address” in the Wi-Fi section was turned off. At some point while doing this I also came across a request to “aol.com” in the packet capture, but I can’t tell for sure what happened and it’s pretty hard to reproduce.

When I turn the Wi-Fi adapter on and off completely, suddenly I see all these DNS requests which correspond to my open browser tabs. So in that intermediary phase it seems to work as expected (i.e. I see the DNS traffic).

It might be the case that Apple actually simply ignores the user and does what it wants and still sends DNS requests over HTTPS to their server, but only when it makes sure that the DNS server is reachable (or something like that), but I can’t be 100% sure of that.

[Later edit]

I’ve realised that when I set IPv6 to Link-Local Only, all of a sudden I can see all of the DNS traffic.

This also applies when Mac OS sometimes decides to turn off IPv6 completely when reconnecting/waking the laptop from sleep, and I can see that it’s set to “off” in the Wi-Fi Network settings (an option I normally don’t have access to in the interface).
