Encrypted DNS profiles for Apple Devices


dave14305

Part of the Furniture
I discovered this site below via privacytools.io and it has downloadable DNS profiles for most of the major encrypted DNS providers, using the newest Apple native Encrypted DNS functions. So the way it works is you download the profile of the service you want to use to your device and install it as a Profile in iOS/iPadOS, etc. and it will force the use of this resolver at the OS level. Similar to the 1.1.1.1 App for iOS that used to simulate a VPN to achieve the same thing. Quad9 only has an Android app, so you can now roll your own.

The downside is that these profiles are written for DNS-over-HTTPS, which is a turnoff for some (compared to DNS-over-TLS). I actually have a DoT profile I made for Quad9 (9.9.9.11) that only turns on when my iPhone is off my home WiFi. It's posted below in the Spoiler as an example.
Alternative gitlab link if the above seems suspicious:
XML:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>PayloadDisplayName</key>
    <string>Quad9-ECS DNS over TLS</string>
    <key>PayloadOrganization</key>
    <string>encrypted-dns.party</string>
    <key>PayloadDescription</key>
    <string>This profile enables Quad9 with extended client subnet DNS over TLS on all networks using the iOS 14 / iPadOS 14 / tvOS 14 / macOS Big Sur Encrypted DNS feature.

Downloaded from encrypted-dns.party.</string>
    <key>ConsentText</key>
    <dict>
      <key>default</key>
      <string>Privacy policy:
https://quad9.net/policy</string>
    </dict>
    <key>PayloadIdentifier</key>
    <string>com.apple.dnsSettings.managed.88ced91f-3a79-4ffa-8692-0df6a4f967dd</string>
    <key>PayloadScope</key>
    <string>User</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>A1E2F262-DB73-40F6-BD22-2E42A43A3C94</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
    <key>PayloadContent</key>
    <array>
      <dict>
        <key>DNSSettings</key>
        <dict>
          <key>DNSProtocol</key>
          <string>TLS</string>
          <key>ServerAddresses</key>
          <array>
            <string>9.9.9.11</string>
            <string>2620:fe::11</string>
            <string>149.112.112.11</string>
            <string>2620:fe::fe:11</string>
          </array>
          <key>ServerName</key>
          <string>dns.quad9.net</string>
        </dict>
        <key>OnDemandRules</key>
        <array>
          <dict>
            <key>Action</key>
            <string>Disconnect</string>
            <key>SSIDMatch</key>
            <array>
              <string>MyWiFiSSID1</string>
              <string>MyWiFiSSID2</string>
            </array>
          </dict>
          <dict>
            <key>Action</key>
            <string>Connect</string>
          </dict>
        </array>
        <key>PayloadType</key>
        <string>com.apple.dnsSettings.managed</string>
        <key>PayloadIdentifier</key>
        <string>com.apple.dnsSettings.managed.1824a829-94b9-4308-b603-d0849c532944</string>
        <key>PayloadUUID</key>
        <string>A1E2F262-DB73-40F6-BD22-2E42A43A3C94.3C8F875F-45B8-4ACF-9F84-244D3D6DF258.d84df4</string>
        <key>PayloadDisplayName</key>
        <string>Quad9 ECS DNS over TLS</string>
        <key>PayloadVersion</key>
        <integer>1</integer>
      </dict>
    </array>
  </dict>
</plist>
 

sfx2000

Part of the Furniture
They can use this as a consolidated list of names and IPs to ban at the firewall.

You're missing my point - installing a cert from an untrusted third party is really, really, bad stuff...

I didn't really appreciate Cloudflare's 1.1.1.1 App either - because of the same thing - we do have some policy controls on devices (aka, no porn sites when logged in to our WLAN, etc...)
 

dave14305

Part of the Furniture
You're missing my point - installing a cert from an untrusted third party is really, really, bad stuff...

I didn't really appreciate Cloudflare's 1.1.1.1 App either - because of the same thing - we do have some policy controls on devices (aka, no porn sites when logged in to our WLAN, etc...)
There are no certs in these files. It's DNS configuration only using Apple's specification. It just uses the same "profile" framework that trusted certs also use. But I agree you don't want to click on it without understanding what it is and how to undo it.
 
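As an added example (not dave14305's profile and not code from encrypted-dns.party), a small Python check that parses a .mobileconfig with plistlib and reports what it would actually install: the resolver settings, the SSIDs exempted by a Disconnect rule, and any certificate payloads bundled alongside the DNS settings. The set of certificate payload types and the constructed sample profile are assumptions made for this example.

```python
import plistlib

# Payload types that install trust material; their presence in a profile that claims
# to be DNS-only is the thing to check before tapping Install (assumed list, not from the thread).
CERT_PAYLOAD_TYPES = {"com.apple.security.root", "com.apple.security.pem",
                      "com.apple.security.pkcs1", "com.apple.security.pkcs12"}

def inspect_profile(data: bytes) -> dict:
    """Summarise what a .mobileconfig does: resolvers, exempt SSIDs, any certs."""
    profile = plistlib.loads(data)
    report = {"dns": [], "certs": [], "other": [], "ssid_exempt": []}
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype == "com.apple.dnsSettings.managed":
            dns = payload.get("DNSSettings", {})
            report["dns"].append({
                "protocol": dns.get("DNSProtocol"),
                "servers": list(dns.get("ServerAddresses", [])),
                "name": dns.get("ServerName") or dns.get("ServerURL"),  # DoT uses ServerName, DoH ServerURL
            })
            # A Disconnect rule with SSIDMatch exempts those networks from the resolver (home WiFi in the thread).
            for rule in payload.get("OnDemandRules", []):
                if rule.get("Action") == "Disconnect":
                    report["ssid_exempt"].extend(rule.get("SSIDMatch", []))
        elif ptype in CERT_PAYLOAD_TYPES:
            report["certs"].append(ptype)
        else:
            report["other"].append(ptype)
    return report

def build_sample(with_cert: bool = False) -> bytes:
    """Constructed sample mirroring the thread's Quad9 DoT profile (trimmed)."""
    payloads = [{
        "PayloadType": "com.apple.dnsSettings.managed",
        "DNSSettings": {"DNSProtocol": "TLS", "ServerName": "dns.quad9.net",
                        "ServerAddresses": ["9.9.9.11", "149.112.112.11"]},
        "OnDemandRules": [{"Action": "Disconnect", "SSIDMatch": ["MyWiFiSSID1"]},
                          {"Action": "Connect"}],
    }]
    if with_cert:  # a profile that quietly bundles a root certificate next to the DNS payload
        payloads.append({"PayloadType": "com.apple.security.root",
                         "PayloadContent": b"PLACEHOLDER-DER-BYTES"})  # constructed placeholder
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": payloads})

if __name__ == "__main__":
    print(inspect_profile(build_sample()))
```

Run it against a real downloaded profile with `inspect_profile(open("profile.mobileconfig", "rb").read())`; an empty `certs` list and a `dns` entry that matches the advertised resolver is what a DNS-only profile should show.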
