[Melatonic]

Are you sure whatever you have configured in the MDM profile or one of these apps like Charles Proxy is not the source of the traffic?

Are you using a simple config profile on iOS to redirect DNS and if so how are you generating it ? Full MDM or what are you adding to the profile ?

[walterbell]

Traffic was monitored on a physical ethernet cable via USB ethernet adapter to iOS device.

Charles Proxy was only used to time-associate manual application launch with attempts to reach destination hostnames and ports, to allowlist those on the separate physical router. If there was an open question about an app being a potential source of unexpected packets, the app was offloaded (data stayed on device, but app cannot be started).

MDM was not used to redirect DNS, only toggling features off in Apple Configurator.

[universenz]

Surely you used several USB Ethernet adapters to rule them out as being the source as well right? Those types of dongles are well known for calling home.

[walterbell]

Good observation :) Multiple ethernet adapters: Apple original (ancient USB2 10/100), Tier 1 PC OEM, plus a few random ones. Some USB adapters emit more RF than others.

[Melatonic]

And your sure it wasn't some built in Apple service ? I believe they host a ton on GCP

[walterbell]

It excluded the published hostnames for services and CDNs (some of which resolved to GCP, Akamai, etc) published by Apple for sysadmins of enterprise networks, https://news.ycombinator.com/item?id=46994394. It's indeed possible that one of the unknown destination IPs could have been an undocumented Apple service, but some (e.g. OVH) seem unlikely.