1

我在 https 服务器上运行我自己的 dns。我希望大多数 DNS 请求都通过它,但是来自“apple.com”、“icloud.com”域/子域的任何请求都可以绕过我的 DOH 服务器并使用手机的默认 DNS。

我创建了一个 .mobileconfig 配置文件,如下所示(我替换了 doh 服务器 url 和探测 url):

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>Name</key>
      <string>DOH</string>
      <key>PayloadDescription</key>
      <string>DOH</string>
      <key>PayloadDisplayName</key>
      <string>DNS over HTTPS</string>
      <key>PayloadIdentifier</key>
      <string>com.apple.dnsSettings.managed.AFCA1444-5AEB-44CD-B23D-5D2B5ADCD1EE</string>
      <key>PayloadType</key>
      <string>com.apple.dnsSettings.managed</string>
      <key>PayloadUUID</key>
      <string>8E3D6F57-0EB4-4C89-A068-2D6EF5FAC976</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>DNSSettings</key>
      <dict>
          <key>DNSProtocol</key>
          <string>HTTPS</string>
          <key>ServerURL</key>
          <string>https://dns.google/dns-query</string>
          <key>ServerName</key>
          <string>doh-test</string>
      </dict>
      <key>OnDemandRules</key>
      <array>
        <dict>
          <key>Action</key>
          <string>Disconnect</string>
          <key>DNSDomainMatch</key>
          <array>
            <string>*.apple.com</string>
            <string>*.icloud.com</string>
          </array>
        </dict>
        <dict>
          <key>Action</key>
          <string>Connect</string>
          <key>URLStringProbe</key>
          <string>https://google.com</string>
        </dict>
        <dict>
          <key>Action</key>
          <string>Disconnect</string>
        </dict>
      </array>
    </dict>
  </array>
  <key>PayloadDescription</key>
  <string>DNS over Https</string>
  <key>PayloadDisplayName</key>
  <string>DNS over HTTPs</string>
  <key>PayloadIdentifier</key>
  <string>com.cam.me.8A4244E4-7802-46D9-9BA9-06EA71975740</string>
  <key>PayloadRemovalDisallowed</key>
  <false/>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>2066753F-6CD2-43CE-AA24-C26C4F656B71</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>

然而,我的 DOH 服务器日志仍然显示来自 *.apple.com 和 *.icloud.com 域的大量请求在做了一些测试之后,我无法判断它是否将它们中的任何一个列入白名单。

请参阅https://developer.apple.com/documentation/devicemanagement/dnssettings/ondemandruleselement上的文档。文档表明(DNSDomainMatch加粗):

一组域名。如果指定列表中的任何域名与设备搜索域列表中的任何域匹配,则此规则匹配。支持单个通配符 * 前缀,但不是必需的。例如,*.example.com 和 example.com 都匹配 mydomain.example.com 和 your.domain.example.com,但不匹配 mydomain-example.com。

我玩过通配符的变体,但似乎没有什么不同。也许我误解了这一点——这是什么意思device's search domains list

是否有另一种方法可以让我使用 mobileconfig 将特定域列入白名单?我也尝试过使用ActionParameters'sNeverConnect但它似乎也不起作用。

4

1 回答 1

2

以下配置似乎有效。

我运行自己的 DNS 服务器(dnsdist -> pihole --EDNS0--> unbound)

链接:

通过以下 ios 配置,我可以自动停用 WLAN 中的 DOH 服务器(SSID:WLAN-TEST)并使用本地 DNS 服务器。

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
    <array>
        <dict>
            <key>Name</key>
            <string>DoT - example.com</string>
            <key>PayloadDescription</key>
            <string>Configures device to use example.com Encrypted DoT</string>
            <key>PayloadDisplayName</key>
            <string>DoT - example.com</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.dnsSettings.managed.AFCA1444-5AEB-44CD-B23D-5D1B3ADCD1EE</string>
            <key>PayloadType</key>
            <string>com.apple.dnsSettings.managed</string>
            <key>PayloadUUID</key>
            <string>A6F9CB2D-F00E-4C3A-90EB-E19E5B872C4F</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>DNSSettings</key>
            <dict>
                <key>DNSProtocol</key>
                <string>TLS</string>
                <key>ServerAddresses</key>
                <array>
                    <string>xxxx:xxxx:xxxx::xx11</string>
                    <string>x.x.1.1</string>
                </array>
                <key>ServerName</key>
                <string>ns.example.com</string>
            </dict>
        </dict>

        <dict>
            <key>Name</key>
            <string>DoH - doh.example.com/pihole</string>
            <key>PayloadDescription</key>
            <string>Configures device to use example.com Encrypted DoH</string>
            <key>PayloadDisplayName</key>
            <string>DoH - doh.example.com/pihole</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.dnsSettings.managed.AFCA1444-5AEB-44CD-B23D-5D1B3ADCD1F1</string>
            <key>PayloadType</key>
            <string>com.apple.dnsSettings.managed</string>
            <key>PayloadUUID</key>
            <string>293af945-8bcd-4a52-9f08-4071c22d8b85</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>DNSSettings</key>
            <dict>
                <key>DNSProtocol</key>
                <string>HTTPS</string>
                <key>ServerAddresses</key>
                <array>
                    <string>xxxx:xxxx:xxxx::xx11</string>
                    <string>x.x.1.1</string>
                </array>
                <key>ServerURL</key>
                <string>https://doh.example.com/doh_174653_pihole</string>
            </dict>
        </dict>

        <dict>
            <key>Name</key>
            <string>DoH - doh.example.com/pihole (except local wifi)</string>
            <key>PayloadDescription</key>
            <string>Configures device to use example.com Encrypted DoH</string>
            <key>PayloadDisplayName</key>
            <string>DoH - doh.example.com/pihole (except local wifi)</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.dnsSettings.managed.AFCA1444-5AEB-44CD-B23D-5D1B3ADCD1F1</string>
            <key>PayloadType</key>
            <string>com.apple.dnsSettings.managed</string>
            <key>PayloadUUID</key>
            <string>ca9d0419-c215-41cd-be2d-0870bf550134</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>DNSSettings</key>
            <dict>
                <key>DNSProtocol</key>
                <string>HTTPS</string>
                <key>ServerAddresses</key>
                <array>
                    <string>xxxx:xxxx:xxxx::xx11</string>
                    <string>x.x.1.1</string>
                </array>
                <key>ServerURL</key>
                <string>https://doh.example.com/doh_174653_pihole</string>
            </dict>

            <!-- Start DNS on-demand definition -->
            <key>OnDemandEnabled</key>
              <integer>1</integer>
            <!-- rules: "always DNS to our network (if possible) unless on our network" -->
            <key>OnDemandRules</key>
              <array>

                <!-- Turn off DNS if on our WiFi network -->
                <dict>
                  <key>InterfaceTypeMatch</key>
                    <string>WiFi</string>
                  <key>SSIDMatch</key>
                    <array>
                      <string>WLAN-TEST</string>
                    </array>
                  <!-- <key>DNSServerAddressMatch</key> -->
                    <!-- <array> -->
                      <!-- <string>10.x.x.1</string> -->
                    <!-- </array> -->
                  <key>Action</key>
                    <string>Disconnect</string>
                </dict>

                <!-- Turn on DNS if WiFi network -->
                <dict>
                  <key>Action</key>
                    <string>Connect</string>
                  <key>InterfaceTypeMatch</key>
                    <string>WiFi</string>
                </dict>

                <!-- Turn on DNS if Cellular network -->
                <dict>
                  <key>Action</key>
                    <string>Connect</string>
                  <key>InterfaceTypeMatch</key>
                    <string>Cellular</string>
                </dict>

                <!-- Catch-All rule to turn off DNS -->
                <dict>
                  <key>Action</key>
                    <string>Disconnect</string>
                </dict>
              </array>
            <!-- End DNS on-demand definition -->

        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Adds the example.com DNS to Big Sur and iOS 14 based systems</string>
    <key>PayloadDisplayName</key>
    <string>example.com Encrypted DNS</string>
    <key>PayloadIdentifier</key>
         <string>r.macOSBeta.0BD60CF6-64B5-4D16-BEA4-7294E93BDD4C</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>01DA864C-C3AF-4039-A8D0-A00D982B1569</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

我使用以下来源创建它:

于 2020-12-31T10:40:18.653 回答