Is it normal for ns.sipgeo.t-mobile.com to bypass DNS and VPN settings on iOS, iPadOS, and macOS? [closed]
I’ve been using NextDNS to monitor DNS lookups on my devices in an effort to figure out how they’re being remotely controlled and I notice that ns.sipgeo.t-mobile.com is simply able to bypass both DNS and VPN settings on my iOS, iPadOS, and macOS devices.
Instead of using the DNS resolver app (i.e., the NextDNS app), (NextDNS) configuration profile, or DNS resolution information provided by the active VPN (e.g., in the hide.me VPN app) lookups for this URL simply bypasses all of them together and uses the DNS information for the connection.
That information can be controlled on a wi-fi network connection, but on a connection emanating from an eSIM/SIM card where the DNS information is always provided by the telecom provider, that means connections to ns.sipgeo.t-mobile.com are essentially invisible and therefore unblockable when a SIM card is in a device.
Is this insecure bypass behavior normal and, if it is, why?
On macOS, connections to this URL appear to emanate from the /System/Library/Frameworks/CoreTelephony.framework/Support/CommCenter app and inexplicably continue trying to establish an ISAKMP connection on UDP port 500 even after I’ve signed out of iMessage and rebooted the machine. The same process makes TCP port 443 connections to eas3.msg.t-mobile.com.
I’ve noticed a similar phenomenon on Android with Google Fi where connections are instead made to nwp.t-mobile.com and vaspbon-int.msg.t-mobile.com in a way that doesn’t appear in my Android firewall logs.
Why do I suspect that this is related to malware?
Signing out of my Apple ID account seems to affect the ability of my devices to be controlled, except my iPhone 14 Pro, which has an eSIM that I can’t easily remove and re-add. Removing the SIM cards from my iPhone 13 and iPad Pro seemed/seems to prevent them from controlling the devices. My iMac has no SIM capability, but can nonetheless be controlled when signed into my Apple ID account. Blocking Apple domains seems to sometimes work and not work in blocking the malware, which would make sense if the problem is not the Apple domains themselves, but that they’re propagating the T-Mobile information from my phone to my other Apple devices which is then retained after the domains have been unblocked and reblocked, making the blocking ineffective.
Google Fi likewise uses the T-Mobile network.
I also ran into a case where a previous Android phone could seemingly be controlled with an inactive Tello SIM card. Tello utilizes the T-Mobile network. (On Android, they’ve done things like make the wi-fi indicator invisible even when connected to wi-fi, so it’s possible there was other means.)
They can also control my Apple Watch when the eSIM card is enabled, but I haven’t spent much time testing the security of that device.
