
Using MacOS and iOS with DoH

Configuring MacOS and iOS for DNS over HTTPS (DoH) with Infoblox Threat Defense takes a single configuration profile. Paste the profile below into a text editor that is in plain text mode and save it as bloxone.mobileconfig; the .mobileconfig extension is what makes the OS recognise the file as a profile. On MacOS, install it by double-clicking the file in Finder. On iOS, opening profiles directly from Files is disabled, so either push the file to the device with Apple Configurator 2 from a Mac, or email it to yourself and open it from Safari. Then approve the new profile in Settings (under General on iOS). The installer warns that the profile is unsigned, which is normal for a profile you built yourself: it only means the OS cannot verify who produced it. Because a DNS profile redirects every query the device makes, approve unsigned profiles only when you created them or obtained them from a source you trust. Once approved, the device resolves DNS through Infoblox Threat Defense over DoH.

When traffic is sent over DoH, reports in the Infoblox Portal should show the source as "Unknown."

To configure MacOS and iOS for use with DoH, perform the following:

Step 1: Open TextEdit or another text editor. Make sure the editor is in plain text mode; in TextEdit, choose Format -> Make Plain Text. If you prefer the Terminal, nano works as well.

Step 2: Paste the following text from the code block into the editor:

Mobile Configuration:

The following profile (saved in Step 3 as bloxone.mobileconfig) configures Apple devices, MacOS and iOS alike, to use DoH:

NOTE: To obtain your FQDN, go to the General page of the Create New Security Policy wizard in the Infoblox Portal (Infoblox Services Portal > Configuration > Security). Copy the auto-generated FQDN, or click Regenerate to generate a new one. DoH per Policy must be enabled for the FQDN to be available. Use it as the ServerURL in the profile below, in the form https://FQDN/dns-query. The FQDN and the UUIDs printed in the profile are placeholders: replace them with your own values.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <!-- The DNS settings payload: protocol, fallback resolver IPs and the DoH endpoint -->
      <key>DNSSettings</key>
      <dict>
        <key>DNSProtocol</key>
        <string>HTTPS</string>
        <key>ServerAddresses</key>
        <array>
          <string>52.119.41.200</string>
          <string>103.80.6.200</string>
        </array>
        <!-- Replace with the https://FQDN/dns-query URL of your own security policy -->
        <key>ServerURL</key>
        <string>https://fc7ua07a-0g83-62fb-9feb-7684b14gv764.doh.threatdefense.infoblox.com/dns-query</string>
      </dict>
      <key>PayloadDescription</key>
      <string>Configures device to use B1TD via DoH</string>
      <key>PayloadDisplayName</key>
      <string>B1TD DoH</string>
      <!-- Placeholder identifier and UUID: generate your own (e.g. with uuidgen in the Terminal) -->
      <key>PayloadIdentifier</key>
      <string>com.apple.dnsSettings.managed.6u546h8d-76ct-4bf7-541c-098g86c1c23x</string>
      <key>PayloadType</key>
      <string>com.apple.dnsSettings.managed</string>
      <key>PayloadUUID</key>
      <string>24e64dey-7e80-4658-4hce-6a610e5dfegh</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <!-- false: the user may turn the DNS setting off; set to true to prevent that -->
      <key>ProhibitDisablement</key>
      <false/>
    </dict>
  </array>
  <!-- Outer profile wrapper -->
  <key>PayloadDescription</key>
  <string>Adds B1TD DoH to MacOS and iOS</string>
  <key>PayloadDisplayName</key>
  <string>B1TD DoH</string>
  <key>PayloadIdentifier</key>
  <string>plus.simpledns.apple-dns</string>
  <!-- false: the user may remove the profile; set to true to require MDM removal -->
  <key>PayloadRemovalDisallowed</key>
  <false/>
  <key>PayloadType</key>
  <string>Configuration</string>
  <!-- Placeholder UUID: replace with your own -->
  <key>PayloadUUID</key>
  <string>54ea4de2-a665-8656-7dcd-fp51e9549089</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadScope</key>
  <string>System</string>
</dict>
</plist>

Step 3: Save the document to your desired directory as bloxone.mobileconfig. The file extension must be .mobileconfig. If your text editor does not let you set the extension, save as a plain .txt file, open the save directory in Finder, and change the extension in the file's Get Info window.

Step 4: For MacOS and iOS, refer to the respective sections below:

MacOS:
For MacOS, perform the following:

  1. Double-click the resulting mobileconfig file in Finder. You will receive a notification that a profile is installed and waiting for review.

  2. Open System Settings (System Preferences on older MacOS versions), go to Profiles, and approve the new profile. It will warn that the profile is unsigned. That only means it was not cryptographically signed by a known issuer, which is standard for DIY configuration profiles; it also means the OS cannot vouch for where the file came from, so approve only profiles you built yourself or received from a source you trust.

You should now be using Infoblox Threat Defense DoH.

iOS:

Note: Google Chrome on iOS has no built-in setting to configure DoH inside the browser. None is needed: the profile configures encrypted DNS system-wide, and Chrome on iOS uses the system resolver, so it is covered once the profile is installed.

For iOS, perform the following:

  1. There are several ways to install a mobileconfig. Opening one directly from Files is currently disabled, so either use Apple Configurator 2 on a Mac to apply the profile to a connected device, or email yourself the file and open it from Safari.
    If you created the file on the device itself, a Shortcut can open it in Safari directly from Files. Because of limitations of Shortcuts, larger .mobileconfig files may cause it to crash.

  2. Open Settings > General > VPN & Device Management (Profile on older iOS versions) and approve the new profile. It will warn that the profile is unsigned. That only means it was not cryptographically signed by a known issuer, which is standard for DIY configuration profiles; it also means the OS cannot vouch for where the file came from, so approve only profiles you built yourself or received from a source you trust.

You should now be using Infoblox Threat Defense DoH.
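The whole procedure above (Steps 1 to 3 plus the FQDN note) can be scripted instead of done by hand. The following POSIX shell script is an added example, not Infoblox's own tooling: it builds bloxone.mobileconfig from the DoH URL of your security policy, fills in fresh UUIDs in place of the placeholder values printed in the profile, enforces the https://FQDN/dns-query form the note requires, refuses an output name without the .mobileconfig extension, and sanity-checks the result (with plutil -lint when run on MacOS). It assumes uuidgen, /proc/sys/kernel/random/uuid or /dev/urandom is available for UUIDs; the policy FQDN in the usage comment is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not Infoblox's tooling: build bloxone.mobileconfig for
# Infoblox Threat Defense DoH from your policy's DoH URL with fresh UUIDs.
# Assumes uuidgen, /proc/sys/kernel/random/uuid or /dev/urandom for UUIDs,
# and plutil (MacOS only) for the optional lint.
set -eu

# Lowercase UUID from whatever source this host has.
gen_uuid() {
  if command -v uuidgen >/dev/null 2>&1; then uuidgen | tr 'A-Z' 'a-z'
  elif [ -r /proc/sys/kernel/random/uuid ]; then cat /proc/sys/kernel/random/uuid
  else od -An -N16 -tx1 /dev/urandom | tr -d ' \n' |
    sed 's/^\(.\{8\}\)\(.\{4\}\)\(.\{4\}\)\(.\{4\}\)\(.\{12\}\)$/\1-\2-\3-\4-\5/'
  fi
}

# The portal's DoH endpoint must be exactly https://FQDN/dns-query.
doh_url_ok() {
  case "$1" in https://*/dns-query) ;; *) return 1 ;; esac
  host="${1#https://}"; host="${host%/dns-query}"
  printf '%s' "$host" | grep -Eq '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$'
}

# write_profile URL OUT: OUT must end in .mobileconfig or the OS will not
# treat it as a profile. Fixed values below are those of the page's profile.
write_profile() {
  url="$1"; out="$2"
  doh_url_ok "$url" || { echo "bad DoH URL: $url" >&2; return 1; }
  case "$out" in *.mobileconfig) ;; *) echo "$out: must end in .mobileconfig" >&2; return 1 ;; esac
  inner=$(gen_uuid); outer=$(gen_uuid)
  cat >"$out" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>DNSSettings</key>
      <dict>
        <key>DNSProtocol</key>
        <string>HTTPS</string>
        <key>ServerAddresses</key>
        <array>
          <string>52.119.41.200</string>
          <string>103.80.6.200</string>
        </array>
        <key>ServerURL</key>
        <string>${url}</string>
      </dict>
      <key>PayloadDescription</key>
      <string>Configures device to use B1TD via DoH</string>
      <key>PayloadDisplayName</key>
      <string>B1TD DoH</string>
      <key>PayloadIdentifier</key>
      <string>com.apple.dnsSettings.managed.${inner}</string>
      <key>PayloadType</key>
      <string>com.apple.dnsSettings.managed</string>
      <key>PayloadUUID</key>
      <string>${inner}</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>ProhibitDisablement</key>
      <false/>
    </dict>
  </array>
  <key>PayloadDescription</key>
  <string>Adds B1TD DoH to MacOS and iOS</string>
  <key>PayloadDisplayName</key>
  <string>B1TD DoH</string>
  <key>PayloadIdentifier</key>
  <string>plus.simpledns.apple-dns</string>
  <key>PayloadRemovalDisallowed</key>
  <false/>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>${outer}</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadScope</key>
  <string>System</string>
</dict>
</plist>
EOF
}

# Cheap structural checks that work anywhere; plutil -lint where it exists.
check_profile() {
  [ "$(grep -c '<dict>' "$1")" -eq "$(grep -c '</dict>' "$1")" ] || return 1
  grep -q '<string>https://' "$1" || return 1
  if command -v plutil >/dev/null 2>&1; then plutil -lint "$1" >/dev/null; fi
}

# ServerURL as written into the profile (the only https:// string in it).
profile_server_url() { sed -n 's/.*<string>\(https:[^<]*\)<\/string>.*/\1/p' "$1"; }

# Usage: sh make_doh_profile.sh https://<policy-fqdn>/dns-query bloxone.mobileconfig
if [ $# -eq 2 ]; then write_profile "$1" "$2" && check_profile "$2" && echo "wrote $2"; fi
```

Run it with the URL from the policy wizard and an output name ending in .mobileconfig, then continue with Step 4 as above. Generating a new PayloadUUID per profile matters in practice: MacOS and iOS treat a profile with the same UUID as an update of the existing one, so reusing the placeholder UUIDs across different policies causes one profile to silently replace another.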