zoonderkins / blahdns

A small hobby ads block dns project with doh, dot, dnscrypt support.
https://blahdns.com
GNU Affero General Public License v3.0

🚀 iOS 14 DNS-Profile (.mobileconfig) #153

Closed privacy-advo closed 3 years ago

privacy-advo commented 3 years ago

Is your feature request related to a problem? Traffic leakage due to no always-on-VPN option, IKEv2 needed, while using it with DNSCloak [@s-s]

Describe the solution you'd like iOS 14 DNS-Profile

Describe alternatives you've considered An IKEv2 based Always-On-VPN profile.

zoonderkins commented 3 years ago

I haven't tried it out with .mobileconfig though, I'm using AdBlock app on iOS with BlahDNS as upstream server. It doesn't leak my DNS traffic.

privacy-advo commented 3 years ago

Thank you for the fast response. Are you referring to "AdBlock" by FutureMind? There are a lot of different "AdBlock + x" named apps.

zoonderkins commented 3 years ago

Sorry, I mean Adguard

privacy-advo commented 3 years ago

Sadly, the VPN AdGuard is providing is only "on-demand". This VPN will leak data each time the device switches between sleep/active. This VPN needs to be established (on-demand). There are already queries prior to it being established. I just rechecked it with iPhone iOS 14.3 and newest AdGuard V. 4.0.4 (588).

Just checked the AdGuard repo. There's even an open issue by @ameshkov: https://github.com/AdguardTeam/AdguardForiOS/issues/1692

zoonderkins commented 3 years ago

Interesting. Maybe I can generate a fake IKEv2 profile for you? But how can you redirect local DNS queries to DNSCloak?

Does DNSCloak support proxy mode?

privacy-advo commented 3 years ago

Unfortunately, I can't answer your question. Maybe the developer of DNSCloak @s-s could answer this question.

Mikaela commented 3 years ago

https://encrypted-dns.party/ has mobileconfigs for BlahDNS too in case it can help. Just remember to open it in Safari.

privacy-advo commented 3 years ago

Thank you. Did you check if there's the same kind of leakage as with the on-demand VPNs (AdGuard/DNSCloak etc.)?

nitrohorse commented 3 years ago

> Did you check if there's the same kind of leakage as with the on-demand VPNs (AdGuard/DNSCloak etc.)?

I've previously done some testing with NextDNS profiles and observed this kind of leakage (that Proton also describes) does appear to occur even with mobileconfig profiles unfortunately (but someone would need to confirm this).

Related, I've observed a different kind of leakage, one where Apple service specific requests (for example Push notifications (*-courier.push.apple.com)) bypass the on-demand VPN profiles for resolution. I don't have a source for this but think this is actually expected behavior. Mobileconfigs don't appear to suffer from this type of leakage and do resolve Apple service requests.

So tl;dr I think mobileconfigs have "less" leakage than on-demand VPNs. But the only way to have no leakage is:

privacy-advo commented 3 years ago

Just quickly checked the behaviour of blahdns .mobileconfigs [@Mikaela] and I observed no leakage on a wifi-only iPad during on/off. Didn't test the switch between mobile data / wifi on an iPhone so far. But that looks promising.

Further, Adguard promised a fix for the leakage problem with on-demand VPN: https://github.com/AdguardTeam/AdguardForiOS/issues/1692#issuecomment-755170807

privacy-advo commented 3 years ago

Update: Sadly, Adguard concluded after further investigation that there's no fix for the leakage while using the "normal" VPN functionality. https://github.com/AdguardTeam/AdguardForiOS/issues/1692#issuecomment-772512794

Damn. 👎