Hi there, I made an account today just so I could be helpful to anyone who’s wondering why there are open resolvers running on Apple TVs & HomePods (yes, they’re on HomePods too). I stumbled upon this myself since I just bought new Apple gear recently, and having a cybersecurity background, this definitely concerned me, so I started digging.
The good news is that it’s a feature, not a bug. What you’re seeing here is that Apple is finally experimenting with zeroconf networking again after it stalled in recent years. Probably as a result of them working on the new smart home industry standard, Matter. I’ll explain further.
Sadly there’s not a whole lot of documentation on this yet, at least not for those inexperienced with networking technologies & DNS server administration. As such, the following is nothing but speculation & educated guesses on my part, so I could be completely wrong & probably at least will be on a few things. The closest you’ll get to official documentation are the possibly relevant IETF standards, and Apple’s official GitHub repo of mDNSResponder (especially in the Documents folder).
To begin, what I suspect these open DNS resolvers are is likely Apple’s reference implementation of their fairly recent IETF standard, RFC 8766. To put it simply, it’s probably a unicast to multicast DNS proxy. It’s also more than that: it’s a stub resolver like dnsmasq and an authoritative DNS server for wide-area Bonjour/DNS-SD. That’s the simplest explanation I can give. Read that RFC for more specifics.
The reason this would be useful for home users is that devices can do DNS based discovery via unicast DNS rather than multicast DNS, which is inefficient, especially on WiFi. It’s multicast traffic so it gets broadcast throughout the whole network, rather than just to one device (with some exceptions like IGMP/MLD snooping, but I don’t want to open that can of worms). However, it seems that unless you have a SOHO router that will automatically add the correct local DNS delegations pointing to your Apple TVs and HomePods as authoritative for the relevant zones specified in RFC 8766, it’s likely not configured correctly. You’ll probably have to manually do it. Which I’m working on figuring out all through trial & error in my network haha.
All in all, there’s a lot of cool stuff that Apple is working on as we speak in regards to DNS standards, and they’re collaborating with Cloudflare on a lot of this. One of those standards is currently in draft status, Discovery of Designated Resolvers (IETF Draft Standard / Cloudflare blog). It’s basically standardized auto-upgrade encrypted DNS, and all of Apple’s devices on the latest OS version support it, including Ventura & iOS 16, tvOS 16, audioOS 16, etc.
The one that I’m most excited to see in action is the new Service Registration Protocol that Apple currently has as a draft standard at the IETF also, but I digress.
Hopefully all of this helps someone out there relax a bit, you likely didn’t get owned by a hacker. 😂
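The post above describes two things worth checking for yourself: that a device is answering unicast DNS-SD queries for a delegated zone (the RFC 8766 discovery-proxy behaviour), and whether it is an open recursive resolver rather than an authoritative server. The script below is an added example, not code from the original post or from Apple's mDNSResponder. It builds a unicast DNS-SD service-enumeration query (`_services._dns-sd._udp.<zone>`, PTR), parses the reply, and classifies the responder from the AA and RA header flags. The zone name `example-zone.home.arpa` is an assumption, since RFC 8766 leaves the delegated name to the network operator; substitute whatever zone your router delegates. The reply it parses when run stand-alone is constructed locally, so it runs offline; `send_query` is there for checking a device on your own LAN.

```python
"""Added example (not from the original post): build a unicast DNS-SD
service-enumeration query, parse the reply, and classify the responder."""
import socket
import struct

# Assumed zone name: RFC 8766 does not fix this, the operator delegates it.
ZONE = "example-zone.home.arpa"
SERVICE_ENUM = "_services._dns-sd._udp." + ZONE
PTR = 12


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=PTR, txid=0x1234, rd=True):
    """One-question DNS query; RD set so a recursive server reveals itself."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(data, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_response(data):
    """Return header flags of interest plus the PTR answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):
        _, offset = decode_name(data, offset)
        offset += 4  # qtype + qclass
    answers = []
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == PTR:
            target, _ = decode_name(data, offset)
            answers.append((name, target))
        offset += rdlen
    return {"id": txid, "rcode": flags & 0x000F, "aa": bool(flags & 0x0400),
            "ra": bool(flags & 0x0080), "answers": answers}


def classify(parsed):
    """A discovery proxy answers authoritatively (AA) for its zone and should
    not offer recursion; RA set means it will recurse for anyone who asks."""
    if parsed["ra"]:
        return "open recursive resolver"
    if parsed["aa"]:
        return "authoritative (discovery proxy style)"
    return "no recursion, not authoritative"


def build_reply(query, targets, aa=True, ra=False):
    """Construct a reply to `query` with PTR answers (used for the offline sample)."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | (0x0400 if aa else 0) | (0x0080 if ra else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(targets), 0, 0)
    answers = b""
    for target in targets:
        rdata = encode_name(target)
        # 0xC00C: pointer to the question name at offset 12
        answers += b"\xC0\x0C" + struct.pack("!HHIH", PTR, 1, 120, len(rdata)) + rdata
    return header + query[12:] + answers


def send_query(server_ip, name=SERVICE_ENUM, timeout=2.0):
    """Query a device on your own network over unicast UDP/53 and parse the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server_ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_response(data)


# Constructed sample: what an authoritative discovery proxy might return.
SAMPLE_QUERY = build_query(SERVICE_ENUM)
SAMPLE_REPLY = build_reply(SAMPLE_QUERY, ["_airplay._tcp." + ZONE, "_hap._tcp." + ZONE])

if __name__ == "__main__":
    result = parse_response(SAMPLE_REPLY)
    print(classify(result), result["answers"])
```

If a device on your LAN answers with RA set, it is offering recursion beyond its delegated zone, which is the "open resolver" behaviour the post is about; an AA-only answer for the delegated zone is what the discovery-proxy role described above would look like.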