Encrypted DNS profiles for Apple Devices

dave14305

Part of the Furniture
I discovered this site below via privacytools.io and it has downloadable DNS profiles for most of the major encrypted DNS providers, using the newest Apple native Encrypted DNS functions. So the way it works is you download the profile of the service you want to use to your device and install it as a Profile in iOS/iPadOS, etc. and it will force the use of this resolver at the OS level. Similar to the 1.1.1.1 App for iOS that used to simulate a VPN to achieve the same thing. Quad9 only has an Android app, so you can now roll your own.

The downside is that these profiles are written for DNS-over-HTTPS, which is a turnoff for some (compared to DNS-over-TLS). I actually have a DoT profile I made for Quad9 (9.9.9.11) that only turns on when my iPhone is off my home WiFi. It's posted below in the Spoiler as an example.
Alternative gitlab link if the above seems suspicious:
XML:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>PayloadDisplayName</key>
    <string>Quad9-ECS DNS over TLS</string>
    <key>PayloadOrganization</key>
    <string>encrypted-dns.party</string>
    <key>PayloadDescription</key>
    <string>This profile enables Quad9 with extended client subnet DNS over TLS on all networks using the iOS 14 / iPadOS 14 / tvOS 14 / macOS Big Sur Encrypted DNS feature.

Downloaded from encrypted-dns.party.</string>
    <key>ConsentText</key>
    <dict>
        <key>default</key>
        <string>Privacy policy:
https://quad9.net/policy</string>
    </dict>
    <key>PayloadIdentifier</key>
    <string>com.apple.dnsSettings.managed.88ced91f-3a79-4ffa-8692-0df6a4f967dd</string>
    <key>PayloadScope</key>
    <string>User</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>A1E2F262-DB73-40F6-BD22-2E42A43A3C94</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadContent</key>
    <array>
      <dict>
        <key>DNSSettings</key>
        <dict>
          <key>DNSProtocol</key>
          <string>TLS</string>
          <key>ServerAddresses</key>
          <array>
            <string>9.9.9.11</string>
            <string>2620:fe::11</string>
            <string>149.112.112.11</string>
            <string>2620:fe::fe:11</string>
          </array>
          <key>ServerName</key>
          <string>dns.quad9.net</string>
        </dict>
        <key>OnDemandRules</key>
        <array>
          <dict>
            <key>Action</key>
            <string>Disconnect</string>
            <key>SSIDMatch</key>
            <array>
              <string>MyWiFiSSID1</string>
              <string>MyWiFiSSID2</string>
            </array>
          </dict>
          <dict>
            <key>Action</key>
            <string>Connect</string>
          </dict>
        </array>
        <key>PayloadType</key>
        <string>com.apple.dnsSettings.managed</string>
        <key>PayloadIdentifier</key>
        <string>com.apple.dnsSettings.managed.1824a829-94b9-4308-b603-d0849c532944</string>
        <key>PayloadUUID</key>
        <string>A1E2F262-DB73-40F6-BD22-2E42A43A3C94.3C8F875F-45B8-4ACF-9F84-244D3D6DF258.d84df4</string>
        <key>PayloadDisplayName</key>
        <string>Quad9 ECS DNS over TLS</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
      </dict>
    </array>
  </dict>
</plist>
They can use this as a consolidated list of names and IPs to ban at the firewall.

You're missing my point - installing a cert from an untrusted third party is really, really, bad stuff...

I didn't really appreciate Cloudflare's 1.1.1.1 App either - because of the same thing - we do have some policy controls on devices (aka, no porn sites when logged in to our WLAN, etc...)
There are no certs in these files. It's DNS configuration only using Apple's specification. It just uses the same "profile" framework that trusted certs also use. But I agree you don't want to click on it without understanding what it is and how to undo it.
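A way to check that claim before tapping Install: parse the .mobileconfig and list what each payload actually does, flagging anything that installs trust material or device management. This is an added Python example, not code from the thread or from encrypted-dns.party; the sample profile, its placeholder SSID and the set of payload types chosen for flagging are my own constructions.

```python
import plistlib

# Constructed sample shaped like the profile posted above (placeholder SSID, only audited keys kept).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.dnsSettings.managed</string>
    <key>DNSSettings</key><dict>
      <key>DNSProtocol</key><string>TLS</string>
      <key>ServerName</key><string>dns.quad9.net</string>
      <key>ServerAddresses</key><array><string>9.9.9.11</string><string>2620:fe::11</string></array>
    </dict>
    <key>OnDemandRules</key><array>
      <dict><key>Action</key><string>Disconnect</string>
            <key>SSIDMatch</key><array><string>HomeSSID</string></array></dict>
      <dict><key>Action</key><string>Connect</string></dict>
    </array>
  </dict></array>
</dict></plist>"""

# Payload types that install trust material or device management; a profile sold as "DNS only" should contain none.
SENSITIVE_PAYLOADS = {
    "com.apple.security.root",    # root CA certificate
    "com.apple.security.pkcs12",  # identity (certificate + private key)
    "com.apple.mdm",              # MDM enrolment
}

def audit_profile(raw: bytes) -> dict:
    """Summarise DNS payloads of a .mobileconfig and flag anything that is not DNS."""
    top = plistlib.loads(raw)
    report = {"dns": [], "flagged": [], "other": []}
    for payload in top.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype == "com.apple.dnsSettings.managed":
            dns = payload.get("DNSSettings", {})
            rules = payload.get("OnDemandRules", [])
            report["dns"].append({
                "protocol": dns.get("DNSProtocol"),
                "server_name": dns.get("ServerName"),
                "addresses": list(dns.get("ServerAddresses", [])),
                # SSIDs on which the encrypted resolver is switched off (Disconnect rules)
                "off_on_ssids": [s for r in rules if r.get("Action") == "Disconnect"
                                 for s in r.get("SSIDMatch", [])],
            })
        elif ptype in SENSITIVE_PAYLOADS:
            report["flagged"].append(ptype)
        else:
            report["other"].append(ptype)
    return report
```

Run it on a downloaded profile with `audit_profile(open("profile.mobileconfig", "rb").read())`; an empty `flagged` list and a single entry in `dns` is what a DNS-only profile looks like.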