The script published for adding OpenDNS servers to iOS 14.x devices only supports the OpenDNS Home servers. For OpenDNS Family Shield users the following OpenDNS IP addresses must be configured on the iOS 14.x devices.

Please visit https://en.wikipedia.org/wiki/OpenDNS or https://support.opendns.com/hc/en-us/articles/227988127-Getting-started-About-using-OpenDNS for more information.

Hi!

Really appreciate the work here; encrypted DNS is awesome. FYI if you want to use any profiles I already created over at https://encrypted-dns.party / https://gitlab.com/nitrohorse/ios14-encrypted-dns-mobileconfigs, please feel free.

encrypted-dns

My home WIFI have a ad-blocked DNS powered by pi-hole. But this profile force the DNS all the time. Is it possible to make it exclude certain SSID, to use the DNS from DHCP. And use the profile setting for those WIFI not on the list and cellular.
https://emm.how/t/ios-14-changes-in-configuration-profiles/1285
https://thomas-witt.com/auto-connect-your-ios-device-to-a-vpn-when-joining-an-unknown-wifi-d1df8100c4ba
OnDemand key seems do something similar, but how to combine with the DNS profile?

DoH: https://doh.pub/dns-query
DoT: dns.pub

error message sorry

Hello,
First of all thanks for your contribution.

I installed the profile. Is there a way to check if DNS encryption is working? I am asking that also because I have noticed a warning next to the WiFi network name:

this network is blocking DNS encrypted traffic

Thanks for helping,
Dan

Hi,
any idea if this could work in iPadOS, and not just iOS?
There is no Profile section under Settings/General in iPadOS 14.3
thanks

Hello, this request might be slightly offtopic, but I am pulling out my hair with iOS 14 encrypted DNS and maybe someone her ecan help me. So the question is if it is possible to extend your profiles with a second, local and most importantly NON ENCRYPTED DNS server? Problem is that iOS 14 seems to totally ignore such unencrypted servers if there an encrypted one (here: Cloudflare) is available. So the idea is to construct a mobileconfig which instructs iOS to use this second DNS as well, but only for certain domains. Is this possible at all?

In blog post Firefox is mentioned but not Chrome.

It might then come as a surprise to some users that Chrome will exempt itself from global settings on macOS (of course) and will use its own DNS-over-https. If someone would like to setup DoH on Chrome this is how to do it:

Go to Settings-> Privacy and Security --> Security and scroll down to Use Secure DNS. Check this option and select predefined server (Google, Cloudflare) or use your own.

Chrome 87 on Big Sur 11.0.1

Thanks for making these

Can you add profiles for the Cleanbrowsing servers?
https://cleanbrowsing.org/filters/

I was going to make a PR, but I see the mobileconfig files have some fields like UUIDs in them.
Do you have a script or something you use to generate profiles ?

Thanks,

Hello,

Is it possible to mix DNS configurations in one single mobileconfig ?

For example, can I define a Cloudflare + Quad9 DoH for redundancy purposes ?

Thanks.

Seems like a bug

I create this issue to correct Quad9 (now in Swiss) and add ECS version
Pull Request come in 5 minutes.

iOS 14.3 on iPhone 8
When I installed a new DoH config the existed one disappeared. I want to know whether the system support only ONE DoH setting? Thank you.

Please add AdGaurd and AdGuard Family DNS-over-TLS profiles: https://kb.adguard.com/en/dns/setup-guide

Please add Yandex DNS: https://kb.adguard.com/en/general/dns-providers#yandex-dns

After connecting to VPN then disconnect, DNS profile will not work until system restart. This happens in both Mac & iOS.

Is there a way for the https over dns to bypass certain links? Seems the certain captive.apple.com hotpot login pages do not load when dns over https is active. However - once logged in - I found that I can reactivate https over dns and continue browsing over the hotspot. Just can’t use to connect on the hotspot landing page.

The signed ones are signed by Andrew Glaze; who is that?

Hello author, I would like to ask how to get the signature, I also want to get DNS, purr purr.

In readme.md, the link to AdGuard No Filter TLS actually points to adguard-nofilter-https.mobileconfig, but it should point to adguard-nofilter-tls.mobileconfig

This is my first time trying to download something from GitHub on iOS so maybe I'm just missing something easy. I tried to follow the instructions but didn't see any "raw" button to download. I will attach a video screenshare to show what I did...https://user-images.githubusercontent.com/13949350/124803075-44ba3900-df1e-11eb-9157-246a92bcc7fc.MOV

I used your main config for Cloudflare

and I tried to change the IP's for Cloudflare team instead of Cloudflare public IPs.
I installed the profile on iOS 14.5, query are resolved but somehow not filtered

(I have a block list on Cloudflare for team and I can access blocked domain)

im not sure what Im missing

Hi,
would be nice to have DoH config files for Anycast and Unicast servers provided by UncensoredDNS. There are also specific DoT servers too.

https://blog.uncensoreddns.org/dns-servers/

Because their profiles suck, don’t even import and don’t have support for DOH/DOT.

Thankfully macOS can just add the VPN profile from the macOS app and connect from Network setting without the app after but I don’t think iOS is as lucky.

Plus would be cool if I could edit the profile myself and choose preferred DNS server since their 2nd backup one is usually like 2x as fast or more — though I don’t know if that would work with their custom ID DNS profile for dashboard/filters and whatnot.

This line:

https://github.com/paulmillr/encrypted-dns/blob/master/cloudflare-https.mobileconfig#L23

... should probably say Configures device to use Cloudflare Encrypted DNS over HTTPS, not TLS.

Unfortunately I need to create a profile for an Inhouse (non-public) DoH proxy. Creating the profile was quite easy by modifying the google profile provided here, but I stuck at the point that I need to run the DoH proxyy on another port than 443.
Can I define the port somewhere in profile?

With Encrypted DNS, the middlemen will only see 91.198.174.192 — which is an IP of wikipedia.org. Hold on, there’s a nice detail. Ipinfo.org tells us there are at least 19 domain names associated with this IP! In fact, you could be visiting invoker.com — which has the same IP today. The ISP would not know the difference.

The ISP will be able to (with a bit more difficulty) see the TLS ALPN SNI hostname sent plaintext, which all major browsers and some clients will send, however it is still correct the DNS itself would not be susceptible.

the tls profile working perfect

the doh is not !

iphone x 14.3

Please add AdGuard DNS Non-filtering: https://kb.adguard.com/en/general/dns-providers#non-filtering

The IP addresses in canadianshield-protected-https.mobileconfig currently end in 10 when they should all end in 20 per the instructions on the Canadian Shield website.

I checked all the other mobileconfig files for Canadian Shield, and they have the right IP addresses.

Thanks for posting these mobileconfig files for us Canadians!

https://developer.apple.com/documentation/devicemanagement/dnssettings/dnssettings

If no ServerAddresses are provided, the hostname will be used to determine the server addresses. This key must be present only if the DNSProtocol is TLS.

The ServerName string used is cloudflare-dns.com which is in the X509v3 Subject Alternative Name of the certificate, but resolves to web servers for Cloudflare's DNS. The ServerName should probably be one.one.one.one which resolves to the actual DNS servers.

We're having reports that opendns doesn't work while cloudflare does.

All IP addresses and URL query match the official docs. Not sure how to debug this

https://support.opendns.com/hc/en-us/articles/360038086532-Using-DNS-over-HTTPS-DoH-with-OpenDNS

After removing the description file, there is still a dns over https item in the network settings

When this profile is enabled on my mac, this configuration file in /etc/resolver/docker is not working:

#/etc/resolver/docker

nameserver 127.0.0.1
port 19322 

Are there any change can I make in the profile to make it works?

In Mac, Safari uses the encrypted dns, all other apps like terminal and App Store use the unencrypted dns server from network settings.
Could you please create a profile that uses system-wide encrypted dns?

severaddress is wrong

hi,
I saw that the readme file don't have DNSPod's Public DNS website address, there is https://dns.pub
and we do also have DoT service, url is dot.pub
thanks

Primary DNS: 1.1.1.2
Secondary DNS: 1.0.0.2
https://security.cloudflare-dns.com/dns-query

Hello @paulmillr
It can be interesting to add a warning, that iCloud private relay redirect DNS query AND only DNS query of Safari (for now).

So for those who use it they must continue to install profile for DNS query of other APP and Warning them if they use it with profile of DNS who do Adblock the Adblock capability will not work on safari.

Hello,
can you please advise what does censorship imply? This is not clear to me.
Thanks,
Dan

First of all, thank you very much for the description file. It is recommended to add Tencent DOH and DOT. The DOH address is https://doh.pub/dns-query, and the DOT address is dns.pub or doh.pub