Why DNSSEC Falls Short for Mobile Apps and How HTTPDNS Wins
The article examines DNS fundamentals, compares DNSSEC and HTTPDNS, outlines their workflows, advantages, and drawbacks, and details a custom IP‑scoring mechanism using Cronet to improve reliability and security for mobile network requests.
Background
As network environments become increasingly complex, providing secure, stable, and efficient HTTP services for apps is critical. This article analyzes Apple’s 2022 WWDC presentation on DNSSEC and compares it with the HTTPDNS solution used by NetEase Cloud Music.
What is DNS
The Domain Name System translates human‑readable domain names into IP addresses. It consists of a distributed four‑tier hierarchy: local DNS (provided by ISPs), root name servers, top‑level domain (TLD) servers, and authoritative name servers.
DNS Workflow Example
Client checks its DNS cache; if missing, it sends a query to the local DNS.
Local DNS checks its cache; if absent, it queries a root name server for the .com TLD server address.
The root server returns the .com TLD server address.
The TLD server returns the authoritative server address for interface.music.163.com.
The authoritative server provides the final IP address, which is cached locally and returned to the client.
DNS Characteristics
Advantages: widely supported, fast.
Disadvantages: vulnerable to man‑in‑the‑middle attacks such as DNS spoofing and hijacking; the multi‑tier hierarchy introduces many points of failure.
To mitigate DNS insecurity, the industry adopts extensions like DNSSEC and HTTPDNS.
DNSSEC
DNSSEC adds cryptographic signatures to DNS records, enabling clients to verify the authenticity of responses and protect users from forged DNS data.
DNSSEC Workflow
Clients request a domain (e.g., www.example.org) and receive the IP address, signature, and DNSSEC key. They then recursively validate a chain of trust from the root zone down to the authoritative zone.
DNSSEC Characteristics
Advantages: provides cryptographic validation for DNS data.
Disadvantages: requires router and server support for larger DNS packets (>512 bytes); many Chinese ISPs drop oversized packets; deployment often incurs costs; limited cloud provider support; not universally compatible with iOS 16+ and macOS Ventura.
Should We Choose DNSSEC?
Because DNSSEC introduces many factors outside our control and offers limited extensibility for our app, we opted for a more controllable solution: HTTPDNS.
HTTPDNS
HTTPDNS resolves domain names over HTTPS and returns IP addresses. The client substitutes the returned IP for the host in the request and keeps the original host name via SNI, achieving the same effect as traditional DNS while allowing tighter control over resolution.
HTTPDNS Workflow
Client queries its own HTTPDNS server for an IP.
Client sends the request with the host replaced by the obtained IP.
Client sets SNI to preserve the original host name.
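The three workflow steps above, as an added Python example that is not the article's or NetEase Cloud Music's code: the host in the URL is replaced by the HTTPDNS result, the TCP connection goes to that IP, and the original host name is still presented in SNI, in the Host header, and to certificate validation. The URL, the IPs (from the 203.0.113.0/24 documentation range) and the HTTPDNS answer are constructed for illustration; on iOS the SNI step needs the private API the article mentions, whereas Python's ssl module exposes it as server_hostname.

```python
# Added example (not the article's or NetEase Cloud Music's code): send an
# HTTPS request to an IP returned by HTTPDNS while keeping the original
# host name for SNI, certificate validation and the Host header.
# The URL, IPs and HTTPDNS answer below are constructed for illustration
# (203.0.113.0/24 is a documentation range).
import http.client
import socket
import ssl
from urllib.parse import urlsplit, urlunsplit


def rewrite_url_to_ip(url: str, ip: str) -> tuple[str, str]:
    """Replace the host in `url` with `ip`, returning (rewritten_url, original_host).

    The original host is what the request must still present via SNI and the
    Host header; the rewritten URL only decides where the TCP connection goes.
    """
    parts = urlsplit(url)
    if parts.hostname is None:
        raise ValueError(f"URL has no host: {url!r}")
    netloc = ip if parts.port is None else f"{ip}:{parts.port}"
    rewritten = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    return rewritten, parts.hostname


class HttpdnsConnection(http.client.HTTPSConnection):
    """HTTPSConnection that connects to an IP but negotiates TLS for `sni_host`.

    The default context keeps check_hostname=True, so the server certificate is
    validated against the original host name, not the IP we dialled. Disabling
    that check to make the IP connection "work" would give up TLS identity.
    """

    def __init__(self, ip: str, sni_host: str, port: int = 443, timeout: float = 10.0):
        self._ctx = ssl.create_default_context()  # CA verification + hostname check on
        super().__init__(ip, port, context=self._ctx, timeout=timeout)
        self.sni_host = sni_host

    def connect(self) -> None:
        raw = socket.create_connection((self.host, self.port), self.timeout)
        # server_hostname sets the SNI extension and the name the certificate is checked against
        self.sock = self._ctx.wrap_socket(raw, server_hostname=self.sni_host)


def build_request(url: str, ip: str) -> tuple[HttpdnsConnection, str, dict]:
    """Prepare (connection, request_target, headers) for `url` via `ip`; no I/O happens here."""
    rewritten, host = rewrite_url_to_ip(url, ip)
    parts = urlsplit(rewritten)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    conn = HttpdnsConnection(ip, host, port=parts.port or 443)
    # Explicit Host header: http.client would otherwise send the IP as Host
    headers = {"Host": host}
    return conn, target, headers


def fetch(url: str, ip: str) -> bytes:
    """Perform the request (network access required)."""
    conn, target, headers = build_request(url, ip)
    try:
        conn.request("GET", target, headers=headers)
        return conn.getresponse().read()
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed HTTPDNS answer: the resolver returned these candidates for the host
    httpdns_answer = {"interface.music.163.com": ["203.0.113.10", "203.0.113.11"]}
    url = "https://interface.music.163.com/api/v1/config?ver=2"
    chosen_ip = httpdns_answer["interface.music.163.com"][0]
    conn, target, headers = build_request(url, chosen_ip)
    print(conn.host, conn.port, conn.sni_host, target, headers)
```

The point to check in any HTTPDNS client is the one `HttpdnsConnection` makes explicit: the certificate must still be validated against the original host name after the URL has been rewritten to an IP, otherwise the hijacking that HTTPDNS was adopted to avoid simply moves from the DNS layer to the TLS layer.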
HTTPDNS Characteristics
Advantages: highly customizable (uses our own server), secure (HTTPS).
Disadvantages: higher latency than local DNS; requires manual host replacement; involves security risk because setting SNI on iOS requires a private API, whose use may be blocked.
IP Scoring (IP racing, 跑马)
HTTPDNS returns an array of IPs; a scoring system selects the best IP for each request.
Scoring Rules
Each request receives a score based on success or error. Errors are classified into five levels with different penalty points.
typedef NS_ENUM(NSInteger, NENetErrorLevel) {
    NENetErrorLevelNone,     // No error, no penalty
    NENetErrorLevelDefault,  // Default, -1 point
    NENetErrorLevelisCancel, // Cancelled by the caller, no penalty
    NENetErrorLevelNormal,   // Normal, -10 points
    NENetErrorLevelSerious,  // Serious, -20 points
};

- (NENetErrorLevel)errorLevelForError:(NSError *)error {
    // Map NSURLSession error codes to the enum above
    ...
    return errorLevel;
}

Successful requests are scored from response time and payload size: requests faster than 2.5 s may earn points, and those slower than 4.5 s lose points.

// Benchmarks stated in the text: CALL_TIME_GOOD_BENCH_MARK = 2.5 s, CALL_TIME_BAD_BENCH_MARK = 4.5 s.
// CALL_SPEED_GOOD_BENCH_MARK is a transfer speed in bytes per second; its value is not given in the article.
// Calculate the score of a successful request (cost is the request duration in seconds)
- (double)calculateSuccessMarkWithDataLength:(NSUInteger)dataLength cost:(NSTimeInterval)cost {
    if (cost == 0) return 0;
    double mark;
    long delta = 0; // whole points: the fractional part of the time delta is truncated
    if (cost <= CALL_TIME_GOOD_BENCH_MARK) {
        delta = CALL_TIME_GOOD_BENCH_MARK - cost; // good range: bonus grows as the request gets faster
    } else if (cost > CALL_TIME_BAD_BENCH_MARK) {
        delta = CALL_TIME_BAD_BENCH_MARK - cost;  // bad range: penalty grows with the delay
    }
    mark = MAX(delta, -5); // the penalty is capped at -5 points
    if (dataLength > 0 && mark > 0) {
        double speed = dataLength / (cost + 0.0f); // bytes per second
        if (speed < CALL_SPEED_GOOD_BENCH_MARK) {
            mark = speed / CALL_SPEED_GOOD_BENCH_MARK * mark; // scale the bonus down for slow transfers
        }
    }
    return mark;
}

The total score of an IP can be computed with one of two strategies: cumulative scoring (the sum of all request scores recorded on the current network) or instantaneous scoring (the score of the most recent request only).
IP Selection
When sending a request, the client picks the IP with the highest score from the returned IP set.
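The scoring rules, the two total-score strategies and the IP selection step above, carried through on a constructed request history as an added Python example (not the article's own code). The error penalties and the 2.5 s / 4.5 s time benchmarks are the article's; the speed benchmark (`SPEED_GOOD_BENCHMARK`) is not given in the article and is an assumed placeholder, and the IPs (203.0.113.0/24 documentation range) and request outcomes are constructed sample data. The example also shows where the two strategies disagree: an IP with a good history but a weak last request wins cumulatively, while an IP whose last request was fast wins instantaneously despite an earlier error.

```python
# Added example (not the article's own code): the IP scoring and selection the
# article describes, in Python. Penalties and the 2.5 s / 4.5 s time benchmarks
# are from the article; SPEED_GOOD_BENCHMARK is not given there and is an
# assumed placeholder. IPs and request outcomes below are constructed sample
# data (203.0.113.0/24 is a documentation range).
from collections import defaultdict
from enum import IntEnum

TIME_GOOD_BENCHMARK = 2.5  # seconds: faster requests may earn points
TIME_BAD_BENCHMARK = 4.5  # seconds: slower requests lose points
SPEED_GOOD_BENCHMARK = 200_000.0  # bytes/s, ASSUMED: the article gives no value


class ErrorLevel(IntEnum):
    NONE = 0     # no error
    DEFAULT = 1  # unclassified error
    CANCEL = 2   # cancelled by the caller: not the server's fault
    NORMAL = 3
    SERIOUS = 4


PENALTY = {
    ErrorLevel.NONE: 0,
    ErrorLevel.DEFAULT: -1,
    ErrorLevel.CANCEL: 0,
    ErrorLevel.NORMAL: -10,
    ErrorLevel.SERIOUS: -20,
}


def success_mark(data_length: int, cost: float) -> float:
    """Score a successful request from latency (seconds) and payload size (bytes).

    Follows the article's calculation: the time delta is truncated to whole
    points, penalties are floored at -5, and a bonus is scaled down when the
    transfer speed is below the benchmark.
    """
    if cost == 0:
        return 0.0
    delta = 0
    if cost <= TIME_GOOD_BENCHMARK:
        delta = int(TIME_GOOD_BENCHMARK - cost)  # good range: bonus
    elif cost > TIME_BAD_BENCHMARK:
        delta = int(TIME_BAD_BENCHMARK - cost)  # bad range: penalty
    mark = max(float(delta), -5.0)
    if data_length > 0 and mark > 0:
        speed = data_length / cost
        if speed < SPEED_GOOD_BENCHMARK:
            mark = speed / SPEED_GOOD_BENCHMARK * mark
    return mark


def request_mark(ok: bool, level: ErrorLevel = ErrorLevel.NONE,
                 data_length: int = 0, cost: float = 0.0) -> float:
    """Score one request: success uses the timing rule, failure the error penalty."""
    return success_mark(data_length, cost) if ok else float(PENALTY[level])


class IpScoreboard:
    """Per-IP scores for the current network, supporting both strategies."""

    def __init__(self) -> None:
        self.cumulative = defaultdict(float)  # sum of all marks on this network
        self.latest = {}                      # mark of the most recent request

    def record(self, ip: str, ok: bool, level: ErrorLevel = ErrorLevel.NONE,
               data_length: int = 0, cost: float = 0.0) -> float:
        mark = request_mark(ok, level, data_length, cost)
        self.cumulative[ip] += mark
        self.latest[ip] = mark
        return mark

    def reset(self) -> None:
        """Call on a network change: old scores say nothing about the new path."""
        self.cumulative.clear()
        self.latest.clear()

    def best_ip(self, candidates: list, strategy: str = "cumulative") -> str:
        """Pick the highest-scoring IP from the HTTPDNS answer; unknown IPs score 0."""
        table = self.cumulative if strategy == "cumulative" else self.latest
        return max(candidates, key=lambda ip: table.get(ip, 0.0))


def sample_board() -> IpScoreboard:
    """Constructed request history for three IPs returned by HTTPDNS."""
    board = IpScoreboard()
    a, b, c = "203.0.113.10", "203.0.113.11", "203.0.113.12"
    board.record(a, True, data_length=50_000, cost=0.5)   # +1.0
    board.record(a, True, data_length=50_000, cost=1.0)   # +0.25
    board.record(b, True, data_length=200_000, cost=0.5)  # +2.0
    board.record(b, False, ErrorLevel.SERIOUS)            # -20
    board.record(c, False, ErrorLevel.NORMAL)             # -10
    board.record(c, True, data_length=200_000, cost=0.5)  # +2.0
    return board


if __name__ == "__main__":
    board = sample_board()
    ips = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]
    print("cumulative:", board.best_ip(ips))                      # 203.0.113.10
    print("instantaneous:", board.best_ip(ips, "instantaneous"))  # 203.0.113.12
```

Cumulative scoring demotes an IP that keeps failing and is the safer default for steady-state traffic; instantaneous scoring reacts faster to a path that has just recovered or just degraded, at the cost of being swayed by a single outlier. Either way the scoreboard has to be reset when the network changes, because the sums only describe the path the requests were actually sent over.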
Overall Process Diagram
Conclusion and Outlook
Network security is essential, and major vendors are continuously improving DNS‑related technologies. We hope Apple will expose more flexible DNS APIs for developers. Our ongoing adoption of Cronet will be documented in future posts, covering its benefits and pitfalls.