ios - iOS 14, mobileconfig, DNS over HTTPS, whitelisting with DNSDomainMatch
Question
I run my own DNS on an HTTPS server. I want most DNS requests to go through it, but any request for the "apple.com" and "icloud.com" domains/subdomains should bypass my DoH server and use the phone's default DNS.
I created a .mobileconfig profile as follows (I have replaced the DoH server URL and the probe URL):
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>Name</key>
<string>DOH</string>
<key>PayloadDescription</key>
<string>DOH</string>
<key>PayloadDisplayName</key>
<string>DNS over HTTPS</string>
<key>PayloadIdentifier</key>
<string>com.apple.dnsSettings.managed.AFCA1444-5AEB-44CD-B23D-5D2B5ADCD1EE</string>
<key>PayloadType</key>
<string>com.apple.dnsSettings.managed</string>
<key>PayloadUUID</key>
<string>8E3D6F57-0EB4-4C89-A068-2D6EF5FAC976</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>DNSSettings</key>
<dict>
<key>DNSProtocol</key>
<string>HTTPS</string>
<key>ServerURL</key>
<string>https://dns.google/dns-query</string>
<key>ServerName</key>
<string>doh-test</string>
</dict>
<key>OnDemandRules</key>
<array>
<dict>
<key>Action</key>
<string>Disconnect</string>
<key>DNSDomainMatch</key>
<array>
<string>*.apple.com</string>
<string>*.icloud.com</string>
</array>
</dict>
<dict>
<key>Action</key>
<string>Connect</string>
<key>URLStringProbe</key>
<string>https://google.com</string>
</dict>
<dict>
<key>Action</key>
<string>Disconnect</string>
</dict>
</array>
</dict>
</array>
<key>PayloadDescription</key>
<string>DNS over Https</string>
<key>PayloadDisplayName</key>
<string>DNS over HTTPs</string>
<key>PayloadIdentifier</key>
<string>com.cam.me.8A4244E4-7802-46D9-9BA9-06EA71975740</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>2066753F-6CD2-43CE-AA24-C26C4F656B71</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
However, my DoH server logs still show plenty of requests for *.apple.com and *.icloud.com domains. After doing some testing, I cannot tell whether any of them are being whitelisted.
See the documentation at https://developer.apple.com/documentation/devicemanagement/dnssettings/ondemandruleselement. The documentation says (DNSDomainMatch, emphasis added):
An array of domain names. This rule matches if any of the domain names in the specified list matches any domain in the device's search domains list. A wildcard prefix "*" is supported but not required. For example, *.example.com and example.com both match mydomain.example.com and your.domain.example.com, but do not match mydomain-example.com.
I have played with variants of the wildcard, but nothing seems to make a difference. Perhaps I am misunderstanding this: what does "device's search domains list" mean?
Is there another way to whitelist specific domains with a mobileconfig? I have also tried using ActionParameters' NeverConnect, but that does not seem to work either.
Solution
The following configuration seems to work.
I run my own DNS servers (dnsdist -> pihole --EDNS0--> unbound)
Links:
- https://discourse.pi-hole.net/t/add-proxy-protocol-support-quick-win-doh-dot-dnscrypt-loadbalancing-dns-rulesets-with-dnsdist/28166/22
- https://discourse.pi-hole.net/t/support-for-add-subnet-option-from-dnsmasq-ecs-edns0-client-subnet/35940/75
With the following iOS configuration, I can automatically deactivate the DoH server while on my WLAN (SSID: WLAN-TEST) and use the local DNS server instead.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>Name</key>
<string>DoT - example.com</string>
<key>PayloadDescription</key>
<string>Configures device to use example.com Encrypted DoT</string>
<key>PayloadDisplayName</key>
<string>DoT - example.com</string>
<key>PayloadIdentifier</key>
<string>com.apple.dnsSettings.managed.AFCA1444-5AEB-44CD-B23D-5D1B3ADCD1EE</string>
<key>PayloadType</key>
<string>com.apple.dnsSettings.managed</string>
<key>PayloadUUID</key>
<string>A6F9CB2D-F00E-4C3A-90EB-E19E5B872C4F</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>DNSSettings</key>
<dict>
<key>DNSProtocol</key>
<string>TLS</string>
<key>ServerAddresses</key>
<array>
<string>xxxx:xxxx:xxxx::xx11</string>
<string>x.x.1.1</string>
</array>
<key>ServerName</key>
<string>ns.example.com</string>
</dict>
</dict>
<dict>
<key>Name</key>
<string>DoH - doh.example.com/pihole</string>
<key>PayloadDescription</key>
<string>Configures device to use example.com Encrypted DoH</string>
<key>PayloadDisplayName</key>
<string>DoH - doh.example.com/pihole</string>
<key>PayloadIdentifier</key>
<string>com.apple.dnsSettings.managed.AFCA1444-5AEB-44CD-B23D-5D1B3ADCD1F1</string>
<key>PayloadType</key>
<string>com.apple.dnsSettings.managed</string>
<key>PayloadUUID</key>
<string>293af945-8bcd-4a52-9f08-4071c22d8b85</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>DNSSettings</key>
<dict>
<key>DNSProtocol</key>
<string>HTTPS</string>
<key>ServerAddresses</key>
<array>
<string>xxxx:xxxx:xxxx::xx11</string>
<string>x.x.1.1</string>
</array>
<key>ServerURL</key>
<string>https://doh.example.com/doh_174653_pihole</string>
</dict>
</dict>
<dict>
<key>Name</key>
<string>DoH - doh.example.com/pihole (except local wifi)</string>
<key>PayloadDescription</key>
<string>Configures device to use example.com Encrypted DoH</string>
<key>PayloadDisplayName</key>
<string>DoH - doh.example.com/pihole (except local wifi)</string>
<key>PayloadIdentifier</key>
<string>com.apple.dnsSettings.managed.AFCA1444-5AEB-44CD-B23D-5D1B3ADCD1F1</string>
<key>PayloadType</key>
<string>com.apple.dnsSettings.managed</string>
<key>PayloadUUID</key>
<string>ca9d0419-c215-41cd-be2d-0870bf550134</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>DNSSettings</key>
<dict>
<key>DNSProtocol</key>
<string>HTTPS</string>
<key>ServerAddresses</key>
<array>
<string>xxxx:xxxx:xxxx::xx11</string>
<string>x.x.1.1</string>
</array>
<key>ServerURL</key>
<string>https://doh.example.com/doh_174653_pihole</string>
</dict>
<!-- Start DNS on-demand definition -->
<key>OnDemandEnabled</key>
<integer>1</integer>
<!-- rules: "always DNS to our network (if possible) unless on our network" -->
<key>OnDemandRules</key>
<array>
<!-- Turn off DNS if on our WiFi network -->
<dict>
<key>InterfaceTypeMatch</key>
<string>WiFi</string>
<key>SSIDMatch</key>
<array>
<string>WLAN-TEST</string>
</array>
<!-- <key>DNSServerAddressMatch</key> -->
<!-- <array> -->
<!-- <string>10.x.x.1</string> -->
<!-- </array> -->
<key>Action</key>
<string>Disconnect</string>
</dict>
<!-- Turn on DNS if WiFi network -->
<dict>
<key>Action</key>
<string>Connect</string>
<key>InterfaceTypeMatch</key>
<string>WiFi</string>
</dict>
<!-- Turn on DNS if Cellular network -->
<dict>
<key>Action</key>
<string>Connect</string>
<key>InterfaceTypeMatch</key>
<string>Cellular</string>
</dict>
<!-- Catch-All rule to turn off DNS -->
<dict>
<key>Action</key>
<string>Disconnect</string>
</dict>
</array>
<!-- End DNS on-demand definition -->
</dict>
</array>
<key>PayloadDescription</key>
<string>Adds the example.com DNS to Big Sur and iOS 14 based systems</string>
<key>PayloadDisplayName</key>
<string>example.com Encrypted DNS</string>
<key>PayloadIdentifier</key>
<string>r.macOSBeta.0BD60CF6-64B5-4D16-BEA4-7294E93BDD4C</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>01DA864C-C3AF-4039-A8D0-A00D982B1569</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
I created it using the following sources:
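To see why the question's DNSDomainMatch rule never fires while the answer's SSIDMatch rule does, here is an added example (not from the original post or from Apple) that parses a trimmed DNSSettings payload with plistlib and evaluates its OnDemandRules against a simulated device state. It implements the matching quoted from Apple's documentation above (DNSDomainMatch is compared with the device's search domains, not with the name being resolved; "*." is an optional prefix) and assumes, as with VPN on-demand rules, that rules are checked in order and the first match wins; the plist and device states are constructed for the example.

```python
"""Evaluate DNSSettings OnDemandRules against a simulated iOS device state."""
import plistlib

# Constructed sample: the question's DNSDomainMatch rule followed by the
# answer's SSID/interface rules, in one trimmed DNSSettings payload.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>OnDemandRules</key><array>
  <dict><key>Action</key><string>Disconnect</string>
        <key>DNSDomainMatch</key><array>
          <string>*.apple.com</string><string>*.icloud.com</string></array></dict>
  <dict><key>Action</key><string>Disconnect</string>
        <key>InterfaceTypeMatch</key><string>WiFi</string>
        <key>SSIDMatch</key><array><string>WLAN-TEST</string></array></dict>
  <dict><key>Action</key><string>Connect</string>
        <key>InterfaceTypeMatch</key><string>WiFi</string></dict>
  <dict><key>Action</key><string>Connect</string>
        <key>InterfaceTypeMatch</key><string>Cellular</string></dict>
  <dict><key>Action</key><string>Disconnect</string></dict>
</array></dict></plist>"""


def domain_matches(pattern: str, domain: str) -> bool:
    """DNSDomainMatch semantics as documented: optional '*.' prefix, suffix
    match on a label boundary, so 'mydomain-example.com' never matches."""
    base = pattern[2:] if pattern.startswith("*.") else pattern
    base, domain = base.lower().rstrip("."), domain.lower().rstrip(".")
    return domain == base or domain.endswith("." + base)


def rule_matches(rule: dict, device: dict) -> bool:
    """Every criterion present in the rule must hold; a rule with no
    criteria (the catch-all) always matches. Assumed semantics."""
    if "InterfaceTypeMatch" in rule and rule["InterfaceTypeMatch"] != device["interface"]:
        return False
    if "SSIDMatch" in rule and device.get("ssid") not in rule["SSIDMatch"]:
        return False
    if "DNSDomainMatch" in rule:
        # Compared with the device's search domains only; the queried name
        # (e.g. www.apple.com) plays no part, which is the question's problem.
        searched = device.get("search_domains", [])
        if not any(domain_matches(p, d) for p in rule["DNSDomainMatch"] for d in searched):
            return False
    return True


def on_demand_action(plist_bytes: bytes, device: dict) -> str:
    """Return the Action of the first matching rule (assumed first-match-wins)."""
    rules = plistlib.loads(plist_bytes)["OnDemandRules"]
    return next(r["Action"] for r in rules if rule_matches(r, device))
```

A cellular device whose only search domain is "lan" resolving www.apple.com still gets "Connect", so the DoH server sees the query; only a device whose search domain list contains an apple.com name hits the first rule.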