I emailed the dev and they responded by pointing me to this post and explaining that this was because of a design decision by Apple and not something they are able to fix. https://www.obdev.at/blog/three-way-handshake-bypassing-litt...

Perhaps just VPN + little snitch is your best bet if you're still worried

The blog post is mentioned in the first linked article. Needless to say I fundamentally disagree with Apple's decision* - If I explicitly install a firewall, I want it to actually function like a firewall and not let some packets through. The overhead explanation seems a bit like a stretch.

* It's actually not clear whether this is a feature or a bug. Apple never responded to the bug report (FB12088655).

Yeah it seems going to https://feedbackassistant.apple.com/feedback/12088655 the report doesn't even exist anymore.

Would be good to get an official answer from Apple if this is won't fix or coming as a fix in a future release.

> Yeah it seems going to https://feedbackassistant.apple.com/feedback/12088655 the report doesn't even exist anymore.

That link is for Apple engineers. Feedback reports are not public. They're only accessible by the reporter and Apple.

Yep. It's not/wasn't a VPN or DNS proxy but more of an host-side application firewall specifically to control apps' use of outbound connections. If you need pristine infosec, then you need something else and probably public WiFi too.

I used to use LuLu and Little Snitch but LuLu nondeterministically dropped packets and connections causing ssh to drop and navigation problems in the browser, so I had to remove LuLu.

Is this solved by the new set of dns encryption features?

I wouldn't think so, as the issue mentioned doesn't have anything to do with dns.