ios - iOS 14、mobileconfig、DNS over HTTPS，支持 DNSDomainMatch 白名单

Question

我在 https 服务器上运行我自己的 dns。我希望大多数 DNS 请求都通过它，但是来自“apple.com”、“icloud.com”域/子域的任何请求都可以绕过我的 DOH 服务器并使用手机的默认 DNS。

我创建了一个 .mobileconfig 配置文件，如下所示（我替换了 doh 服务器 url 和探测 url）：

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>Name</key>
      <string>DOH</string>
      <key>PayloadDescription</key>
      <string>DOH</string>
      <key>PayloadDisplayName</key>
      <string>DNS over HTTPS</string>
      <key>PayloadIdentifier</key>
      <string>com.apple.dnsSettings.managed.AFCA1444-5AEB-44CD-B23D-5D2B5ADCD1EE</string>
      <key>PayloadType</key>
      <string>com.apple.dnsSettings.managed</string>
      <key>PayloadUUID</key>
      <string>8E3D6F57-0EB4-4C89-A068-2D6EF5FAC976</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>DNSSettings</key>
      <dict>
          <key>DNSProtocol</key>
          <string>HTTPS</string>
          <key>ServerURL</key>
          <string>https://dns.google/dns-query</string>
          <key>ServerName</key>
          <string>doh-test</string>
      </dict>
      <key>OnDemandRules</key>
      <array>
        <dict>
          <key>Action</key>
          <string>Disconnect</string>
          <key>DNSDomainMatch</key>
          <array>
            <string>*.apple.com</string>
            <string>*.icloud.com</string>
          </array>
        </dict>
        <dict>
          <key>Action</key>
          <string>Connect</string>
          <key>URLStringProbe</key>
          <string>https://google.com</string>
        </dict>
        <dict>
          <key>Action</key>
          <string>Disconnect</string>
        </dict>
      </array>
    </dict>
  </array>
  <key>PayloadDescription</key>
  <string>DNS over Https</string>
  <key>PayloadDisplayName</key>
  <string>DNS over HTTPs</string>
  <key>PayloadIdentifier</key>
  <string>com.cam.me.8A4244E4-7802-46D9-9BA9-06EA71975740</string>
  <key>PayloadRemovalDisallowed</key>
  <false/>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>2066753F-6CD2-43CE-AA24-C26C4F656B71</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>

然而，我的 DOH 服务器日志仍然显示来自 *.apple.com 和 *.icloud.com 域的大量请求。在做了一些测试之后，我无法判断它是否将它们中的任何一个列入白名单。

请参阅https://developer.apple.com/documentation/devicemanagement/dnssettings/ondemandruleselement上的文档。文档表明（DNSDomainMatch加粗）：

一组域名。如果指定列表中的任何域名与设备搜索域列表中的任何域匹配，则此规则匹配。支持单个通配符 * 前缀，但不是必需的。例如，*.example.com 和 example.com 都匹配 mydomain.example.com 和 your.domain.example.com，但不匹配 mydomain-example.com。

我玩过通配符的变体，但似乎没有什么不同。也许我误解了这一点——这是什么意思device's search domains list？

是否有另一种方法可以让我使用 mobileconfig 将特定域列入白名单？我也尝试过使用ActionParameters'sNeverConnect但它似乎也不起作用。

Answer 1

以下配置似乎有效。

我运行自己的 DNS 服务器（dnsdist -> pihole --EDNS0--> unbound）

链接：

• https://discourse.pi-hole.net/t/add-proxy-protocol-support-quick-win-doh-dot-dnscrypt-loadbalancing-dns-rulesets-with-dnsdist/28166/22
• https://discourse.pi-hole.net/t/support-for-add-subnet-option-from-dnsmasq-ecs-edns0-client-subnet/35940/75

通过以下 ios 配置，我可以自动停用 WLAN 中的 DOH 服务器（SSID：WLAN-TEST）并使用本地 DNS 服务器。

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
    <array>
        <dict>
            <key>Name</key>
            <string>DoT - example.com</string>
            <key>PayloadDescription</key>
            <string>Configures device to use example.com Encrypted DoT</string>
            <key>PayloadDisplayName</key>
            <string>DoT - example.com</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.dnsSettings.managed.AFCA1444-5AEB-44CD-B23D-5D1B3ADCD1EE</string>
            <key>PayloadType</key>
            <string>com.apple.dnsSettings.managed</string>
            <key>PayloadUUID</key>
            <string>A6F9CB2D-F00E-4C3A-90EB-E19E5B872C4F</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>DNSSettings</key>
            <dict>
                <key>DNSProtocol</key>
                <string>TLS</string>
                <key>ServerAddresses</key>
                <array>
                    <string>xxxx:xxxx:xxxx::xx11</string>
                    <string>x.x.1.1</string>
                </array>
                <key>ServerName</key>
                <string>ns.example.com</string>
            </dict>
        </dict>

        <dict>
            <key>Name</key>
            <string>DoH - doh.example.com/pihole</string>
            <key>PayloadDescription</key>
            <string>Configures device to use example.com Encrypted DoH</string>
            <key>PayloadDisplayName</key>
            <string>DoH - doh.example.com/pihole</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.dnsSettings.managed.AFCA1444-5AEB-44CD-B23D-5D1B3ADCD1F1</string>
            <key>PayloadType</key>
            <string>com.apple.dnsSettings.managed</string>
            <key>PayloadUUID</key>
            <string>293af945-8bcd-4a52-9f08-4071c22d8b85</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>DNSSettings</key>
            <dict>
                <key>DNSProtocol</key>
                <string>HTTPS</string>
                <key>ServerAddresses</key>
                <array>
                    <string>xxxx:xxxx:xxxx::xx11</string>
                    <string>x.x.1.1</string>
                </array>
                <key>ServerURL</key>
                <string>https://doh.example.com/doh_174653_pihole</string>
            </dict>
        </dict>

        <dict>
            <key>Name</key>
            <string>DoH - doh.example.com/pihole (except local wifi)</string>
            <key>PayloadDescription</key>
            <string>Configures device to use example.com Encrypted DoH</string>
            <key>PayloadDisplayName</key>
            <string>DoH - doh.example.com/pihole (except local wifi)</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.dnsSettings.managed.AFCA1444-5AEB-44CD-B23D-5D1B3ADCD1F1</string>
            <key>PayloadType</key>
            <string>com.apple.dnsSettings.managed</string>
            <key>PayloadUUID</key>
            <string>ca9d0419-c215-41cd-be2d-0870bf550134</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>DNSSettings</key>
            <dict>
                <key>DNSProtocol</key>
                <string>HTTPS</string>
                <key>ServerAddresses</key>
                <array>
                    <string>xxxx:xxxx:xxxx::xx11</string>
                    <string>x.x.1.1</string>
                </array>
                <key>ServerURL</key>
                <string>https://doh.example.com/doh_174653_pihole</string>
            </dict>

            <!-- Start DNS on-demand definition -->
            <key>OnDemandEnabled</key>
              <integer>1</integer>
            <!-- rules: "always DNS to our network (if possible) unless on our network" -->
            <key>OnDemandRules</key>
              <array>

                <!-- Turn off DNS if on our WiFi network -->
                <dict>
                  <key>InterfaceTypeMatch</key>
                    <string>WiFi</string>
                  <key>SSIDMatch</key>
                    <array>
                      <string>WLAN-TEST</string>
                    </array>
                  <!-- <key>DNSServerAddressMatch</key> -->
                    <!-- <array> -->
                      <!-- <string>10.x.x.1</string> -->
                    <!-- </array> -->
                  <key>Action</key>
                    <string>Disconnect</string>
                </dict>

                <!-- Turn on DNS if WiFi network -->
                <dict>
                  <key>Action</key>
                    <string>Connect</string>
                  <key>InterfaceTypeMatch</key>
                    <string>WiFi</string>
                </dict>

                <!-- Turn on DNS if Cellular network -->
                <dict>
                  <key>Action</key>
                    <string>Connect</string>
                  <key>InterfaceTypeMatch</key>
                    <string>Cellular</string>
                </dict>

                <!-- Catch-All rule to turn off DNS -->
                <dict>
                  <key>Action</key>
                    <string>Disconnect</string>
                </dict>
              </array>
            <!-- End DNS on-demand definition -->

        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Adds the example.com DNS to Big Sur and iOS 14 based systems</string>
    <key>PayloadDisplayName</key>
    <string>example.com Encrypted DNS</string>
    <key>PayloadIdentifier</key>
         <string>r.macOSBeta.0BD60CF6-64B5-4D16-BEA4-7294E93BDD4C</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>01DA864C-C3AF-4039-A8D0-A00D982B1569</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

我使用以下来源创建它：

• DNSSettings.OnDemandRulesElement
• 示例 iOS VPN 按需规则
• Das VPN-Sahnehäubchen ist endlich drauf！