confirmedcode / Lockdown-iOS

GNU General Public License v3.0

Custom dns option #15

Open ghost opened 5 years ago

ghost commented 5 years ago

Allow us to add a custom DNS to Lockdown, such as Google's or, better yet, Cloudflare's 1.1.1.1.

mikegchambers commented 5 years ago

At first I wasn't sure about this, as you can change the DNS settings in the settings of iOS, but, of course, you can't change the settings that your telecoms (3G/4G etc.) provider sends you.

Therefore +1 for this.

Cloudflare does this with their 1.1.1.1 app.

tomtastic commented 5 years ago

Whilst we're talking about custom DNS, can we have the option to send DNS-over-TLS or DNS-over-HTTPS as well?

mikegchambers commented 5 years ago

So this is interesting. I'm not sure the current code base will support this feature. From what I can see the code sets up a split-tunnel VPN, and sends all matching traffic (the blocked stuff) down the VPN into a GCDProxyServer black hole. The stuff that isn't blocked bypasses the VPN and is allowed. We could set the DNS server for the traffic going down the VPN, but as it's going to get blocked anyway that's kinda pointless.

I'm keen to see the source for the current release and the current GCDProxyServer as I assume this must have changed.
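To make the split-tunnel point above concrete, here is an added example of how a NetworkExtension packet-tunnel provider can pull only a set of prefixes into the tunnel (and black-hole them) while still handing the system a resolver for every query. This is illustrative code written for this thread, not Lockdown's own implementation; the class name `ExampleTunnelProvider`, the tunnel addresses, the single `198.51.100.0/24` "blocked" prefix and the choice of Cloudflare's DoH endpoint are all assumptions. The DoT/DoH classes need an iOS 14 or later deployment target.

```swift
import NetworkExtension

/// Added example, not code from Lockdown-iOS: a split-tunnel black hole that also
/// sets the device's default resolver (plain, DNS-over-TLS or DNS-over-HTTPS).
final class ExampleTunnelProvider: NEPacketTunnelProvider {

    enum Upstream {
        case plain(servers: [String])
        case tls(servers: [String], serverName: String)
        case https(servers: [String], url: URL)
    }

    /// Hypothetical block list (address, mask). Lockdown's real list is not reproduced.
    let blockedPrefixes: [(String, String)] = [
        ("198.51.100.0", "255.255.255.0"),
    ]

    func makeSettings(upstream: Upstream) -> NEPacketTunnelNetworkSettings {
        // Tunnel endpoint addresses are arbitrary here; nothing answers on them.
        let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: "10.64.0.1")
        let ipv4 = NEIPv4Settings(addresses: ["10.64.0.2"], subnetMasks: ["255.255.255.255"])
        // Split tunnel: only the blocked prefixes are routed into the tunnel.
        // Everything else, including packets to the resolvers below, leaves via
        // the physical interface (Wi-Fi or cellular), so the resolver choice is
        // not "pointless" even though tunnel traffic itself is dropped.
        ipv4.includedRoutes = blockedPrefixes.map {
            NEIPv4Route(destinationAddress: $0.0, subnetMask: $0.1)
        }
        settings.ipv4Settings = ipv4

        let dns: NEDNSSettings
        switch upstream {
        case .plain(let servers):
            dns = NEDNSSettings(servers: servers)            // cleartext UDP/TCP 53
        case .tls(let servers, let serverName):
            let t = NEDNSOverTLSSettings(servers: servers)   // iOS 14+
            t.serverName = serverName                         // name validated in the TLS handshake
            dns = t
        case .https(let servers, let url):
            let h = NEDNSOverHTTPSSettings(servers: servers) // iOS 14+
            h.serverURL = url                                 // DoH endpoint
            dns = h
        }
        // An empty match domain makes these resolver settings the default for all
        // queries rather than only for names under the tunnel's own domains.
        dns.matchDomains = [""]
        settings.dnsSettings = dns
        settings.mtu = 1400
        return settings
    }

    override func startTunnel(options: [String: NSObject]?,
                              completionHandler: @escaping (Error?) -> Void) {
        // Assumed upstream for the example; a user-supplied value (e.g. a LAN
        // resolver) would simply replace these servers.
        let upstream = Upstream.https(
            servers: ["1.1.1.1", "1.0.0.1"],
            url: URL(string: "https://cloudflare-dns.com/dns-query")!)
        setTunnelNetworkSettings(makeSettings(upstream: upstream)) { error in
            if let error = error {
                completionHandler(error)
                return
            }
            completionHandler(nil)
            self.drainPackets()
        }
    }

    /// Packets that reach the tunnel are, by construction of includedRoutes,
    /// destined for blocked prefixes: discard them and keep reading.
    private func drainPackets() {
        packetFlow.readPackets { _, _ in
            self.drainPackets()
        }
    }

    override func stopTunnel(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        completionHandler()
    }
}
```

The caveat a practitioner should keep in mind: with the `.plain` variant, queries to the configured servers travel in cleartext over the physical interface, so a cellular carrier or hotspot still sees every name looked up; only the `.tls` and `.https` variants remove that exposure. And because the block list here is address-based, the provider cannot filter by hostname unless it also handles DNS itself.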

fantom-x commented 5 years ago

DoH & DoT are what issue #13 is about as well.

mikegchambers commented 5 years ago

For the record, with the latest release of code, things have changed significantly, and this now appears one step easier to implement.

hijohnnylin commented 5 years ago

On the technical side, we've found a few ways to do this while still having the firewall work well, but we're going to go through some extensive testing before releasing it - it's not a small change.

Currently planned as a feature for 0.3.0.

ghost commented 5 years ago

Alright, sounds great. Be sure to release to TestFlight for community testing.

LeonDerDr commented 2 years ago

You can configure the system-wide DNS server on iOS using configuration profiles.
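For anyone wanting to try the configuration-profile route, here is an added example (not from this project or the commenter) that builds an encrypted-DNS profile with Apple's `com.apple.dnsSettings.managed` payload and writes it out as a `.mobileconfig`. The display name, the `com.example.dns.cloudflare` identifier, the output filename and the Cloudflare DoH endpoint are assumptions chosen for the example; run it with `swift dnsprofile.swift` on a Mac.

```swift
import Foundation

// Added example: generate an iOS "DNS Settings" configuration profile
// (payload type com.apple.dnsSettings.managed, iOS 14 and later).

enum DNSProfileError: Error {
    case badServerURL      // DoH endpoint must be an https:// URL
    case missingServerName // DoT needs the name presented in the TLS certificate
}

enum EncryptedDNS {
    case https(serverURL: String, addresses: [String])
    case tls(serverName: String, addresses: [String])
}

/// Builds the profile as a property-list dictionary. `prohibitDisablement` is
/// honoured only on supervised devices; elsewhere the user can turn it off.
func makeDNSProfile(displayName: String,
                    identifier: String,
                    upstream: EncryptedDNS,
                    prohibitDisablement: Bool = false) throws -> [String: Any] {
    var dnsSettings: [String: Any] = [:]
    switch upstream {
    case .https(let serverURL, let addresses):
        guard let url = URL(string: serverURL), url.scheme == "https" else {
            throw DNSProfileError.badServerURL
        }
        dnsSettings["DNSProtocol"] = "HTTPS"
        dnsSettings["ServerURL"] = serverURL
        // Optional hint so the resolver can be reached before any name resolves.
        if !addresses.isEmpty { dnsSettings["ServerAddresses"] = addresses }
    case .tls(let serverName, let addresses):
        guard !serverName.isEmpty else { throw DNSProfileError.missingServerName }
        dnsSettings["DNSProtocol"] = "TLS"
        dnsSettings["ServerName"] = serverName
        if !addresses.isEmpty { dnsSettings["ServerAddresses"] = addresses }
    }

    let dnsPayload: [String: Any] = [
        "PayloadType": "com.apple.dnsSettings.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".dns",
        "PayloadUUID": UUID().uuidString,
        "PayloadDisplayName": displayName,
        "DNSSettings": dnsSettings,
        "ProhibitDisablement": prohibitDisablement,
    ]
    return [
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": UUID().uuidString,
        "PayloadDisplayName": displayName,
        "PayloadContent": [dnsPayload],
    ]
}

func serialize(_ profile: [String: Any]) throws -> Data {
    try PropertyListSerialization.data(fromPropertyList: profile, format: .xml, options: 0)
}

// Usage: a DoH profile pointing at Cloudflare (assumed values for the example).
let profile = try makeDNSProfile(
    displayName: "Encrypted DNS (Cloudflare DoH)",
    identifier: "com.example.dns.cloudflare",
    upstream: .https(serverURL: "https://cloudflare-dns.com/dns-query",
                     addresses: ["1.1.1.1", "1.0.0.1"]))
let xml = try serialize(profile)
try xml.write(to: URL(fileURLWithPath: "cloudflare-doh.mobileconfig"))
print(String(decoding: xml, as: UTF8.self))
```

Two things to check before relying on this: an unsigned profile installs only after the user confirms it in Settings, and a VPN or tunnel extension that supplies its own DNS settings (as this thread discusses) can take precedence over the profile's resolver while the tunnel is up. The upside relative to the per-network iOS setting is that the profile applies on cellular as well as Wi-Fi.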

jgottula commented 1 year ago

Based on an email conversation I had back in May with one of the developers, starting with version 2.0, Lockdown is now hardcoded to use Cloudflare's 1.1.1.1 and 1.0.0.1 as its upstream DNS servers.

In prior versions, it would send upstream DNS queries to whatever the system-default DNS server was. (As set by DHCP; or as set statically in the iOS network settings; or—I presume—as set via configuration profile, when applicable.)


That email conversation actually originally came about because I'd noticed, starting with 2.0.0, that I could no longer connect to LAN hostnames in my iOS SSH client app when the Lockdown firewall was enabled.

I have a caching DNS server on my LAN which, among other things, resolves queries for LAN machine hostnames. And then I've set up DHCP on the LAN to advertise that DNS server to clients so they'll automatically use it.

I was told in that email conversation that they would like to make the upstream DNS resolver configurable in future versions.


So, to summarize: