DGA-like outbound calls from iOS feature “VPN On Demand”
As part of Apple’s implementation of “VPN On Demand”, an iOS service called “nesessionmanager” performs DNS redirect tests. This test is performed in the function “NESMSession startDNSRedirectionDetection” and is implemented by generating a random domain address and initiating a DNS request to resolve it. Part of the random domain name generation code is shown here and the expected result of this process is a NXDOMAIN response:
From the network logs of a single iOS device connected to wifi over a few hours, we see:
An attacker in a privileged network position may be able to leak sensitive user information.
- Reported to Apple Product Security in early 2020
- Assigned CVE in May 2022