How to create individual DNS-profiles for Apple-devices


With DNS having been the Internet's phone book for many years, a World Wide Web without the service is unimaginable. When it comes to censorship, blocking specific sites is a common means these days. This tutorial shows you how to build a profile for your preferred DNS provider and install it on an Apple device, for whatever reason.

The reasons to block DNS requests differ: while many users simply use the DNS servers that come with their Internet Service Provider, others want to get rid of ads or of tracking domains phoning home without permission.

In addition, removing any filtering technology is also an option, providing a censorship-free browsing experience. Third, the efforts of governments to regulate DNS traffic and/or blacklist specific sites (see "The EU is considering its own DNS resolver that can block websites") gravely threaten the Internet we know - despite DNS4EU being positioned as an alternative to the big American DNS providers like Google or Cloudflare, the risk of censorship in other ways is no longer a science fiction scenario.

Entering your preferred DNS-provider - Screenshot courtesy of author

So let's assume you want to have the choice and replace your ISP's predefined DNS with one of the "better" choices out there, for example Quad9, Cloudflare, Google, OpenDNS or one of the privacy-focused ones like dnsforge.de, digitalcourage.de, mullvad.net or dismail.de. These are usually configured as forwarding DNS in your local router/firewall or serve as an additional filtering layer in solutions like Pi-hole or AdGuard Home. But what if you want to use those DNS servers on your Apple devices wherever you are? Of course you could add them manually each time you log into a network instead of letting DHCP do its work, but this could be stressful.

The better solution is to use Apple's built-in support for DNS-over-HTTPS and DNS-over-TLS, available since iOS/iPadOS 14 and macOS Big Sur. At https://dns.pifferi.info you will find a tool that creates the configuration profile to install on your system. The site is forked from fyr77's original GitHub repository and should contain everything you need to build a profile that suits your needs. Besides the self-explanatory options, you can also use advanced options such as excluded WiFi networks (in my home, everything is configured in the firewall and the local Pi-hole) or the toggle that decides whether the profile applies to WiFi, Cellular or both.
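To show what such a profile contains, here is an added sketch (not the tool's own code) that builds an unsigned DNS-over-HTTPS profile with Apple's `com.apple.dnsSettings.managed` payload, including the excluded-WiFi and interface options. The function name, the payload identifiers, the resolver URL and the addresses are placeholders chosen for this example.

```python
import plistlib
import uuid

def build_dns_profile(name, doh_url, addresses, excluded_ssids=(),
                      interfaces=("WiFi", "Cellular")):
    """Return an unsigned .mobileconfig (XML plist bytes) enabling DNS-over-HTTPS."""
    rules = []  # evaluated top to bottom, first match wins
    if excluded_ssids:
        # On these WiFi networks the profile steps aside and the network's own DNS is used.
        rules.append({"Action": "Disconnect", "InterfaceTypeMatch": "WiFi",
                      "SSIDMatch": list(excluded_ssids)})
    for iface in interfaces:
        rules.append({"Action": "Connect", "InterfaceTypeMatch": iface})
    rules.append({"Action": "Disconnect"})  # explicit catch-all for everything else

    def ident():
        return str(uuid.uuid4()).upper()

    dns_payload = {
        "PayloadType": "com.apple.dnsSettings.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.dns-profile.dns",   # hypothetical identifier
        "PayloadUUID": ident(),
        "PayloadDisplayName": name,
        "DNSSettings": {
            "DNSProtocol": "HTTPS",          # "TLS" with a ServerName key for DNS-over-TLS
            "ServerURL": doh_url,
            "ServerAddresses": list(addresses),
        },
        "OnDemandRules": rules,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.dns-profile",       # hypothetical identifier
        "PayloadUUID": ident(),
        "PayloadDisplayName": name,
        "PayloadContent": [dns_payload],
    }
    return plistlib.dumps(profile)

if __name__ == "__main__":
    # Constructed values: placeholder resolver URL and documentation-range addresses.
    data = build_dns_profile("Example DoH", "https://doh.example.net/dns-query",
                             ["192.0.2.53", "2001:db8::53"],
                             excluded_ssids=["HomeWiFi"], interfaces=("WiFi",))
    print(data.decode())
```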

Exporting the profile settings - Screenshot courtesy of author

In my example, I opted for dnsforge.de and excluded my home WiFi from the profile - both the IPv4 and IPv6 addresses as well as the encrypted DNS-over-HTTPS setting are contained in the profile. Once everything has been reviewed, you can download the profile and import it into your Apple OS. As the profile isn't officially signed, a warning will appear; after you have reviewed it and - possibly - entered administrative credentials, the profile becomes active and serves your device wherever you are.
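Because the profile is unsigned, it is a plain plist and its contents can be checked before import. The following added example (not part of the tool) lists the resolver, addresses and excluded networks a downloaded profile would set and flags anything a DNS-only profile should not contain; `review_profile`, the sample profile and its values are constructed for illustration.

```python
import plistlib
from urllib.parse import urlsplit

DNS_TYPE = "com.apple.dnsSettings.managed"

def review_profile(raw: bytes, expected_host: str) -> dict:
    """Summarise an unsigned .mobileconfig and list anything that needs a second look."""
    profile = plistlib.loads(raw)  # unsigned profiles are plain plists
    summary = {"resolvers": [], "addresses": [], "excluded_ssids": [], "findings": []}
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype != DNS_TYPE:
            # A DNS-only profile has no reason to ship certificates, VPN or other payloads.
            summary["findings"].append(f"unexpected payload: {ptype}")
            continue
        dns = payload.get("DNSSettings", {})
        proto = dns.get("DNSProtocol")
        if proto == "HTTPS":
            url = urlsplit(dns.get("ServerURL", ""))
            host = url.hostname
            if url.scheme != "https":
                summary["findings"].append("ServerURL is not an https URL")
        elif proto == "TLS":
            host = dns.get("ServerName")
        else:
            host = None
            summary["findings"].append(f"unknown DNSProtocol: {proto!r}")
        if host != expected_host:
            summary["findings"].append(f"resolver is {host}, expected {expected_host}")
        summary["resolvers"].append(host)
        summary["addresses"] += dns.get("ServerAddresses", [])
        for rule in payload.get("OnDemandRules", []):
            if rule.get("Action") == "Disconnect":
                summary["excluded_ssids"] += rule.get("SSIDMatch", [])
    return summary

# Constructed sample: a DNS payload plus a root-certificate payload that does not belong there.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [
        {"PayloadType": DNS_TYPE,
         "DNSSettings": {"DNSProtocol": "HTTPS",
                         "ServerURL": "https://doh.example.net/dns-query",
                         "ServerAddresses": ["192.0.2.53", "2001:db8::53"]},
         "OnDemandRules": [{"Action": "Disconnect", "SSIDMatch": ["HomeWiFi"]},
                           {"Action": "Connect"}]},
        {"PayloadType": "com.apple.security.root", "PayloadContent": b"constructed"},
    ],
})

if __name__ == "__main__":
    print(review_profile(SAMPLE, "doh.example.net"))
```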

Installing the profile - Screenshot courtesy of author

If you log into a friend's guest WiFi or a public hotspot, the OS will use the DNS servers from the installed profile. The good: you decide which DNS servers your device uses, and many of them also support encrypted DNS requests, so the level of privacy increases at the same time. Additionally - and depending on your chosen server(s) - adware and spyware filters as well as reduced tracking may be yet another benefit. The bad: some networks may depend on their standard DNS servers to deliver specific information or applications, or may even prevent other servers from working, but most of the networks I encountered over the years should work without issues.


Using this tool on my site, creating individual profiles with an individual DNS configuration takes next to no time! Further information about encrypted DNS can be found at Encrypted DNS Party, which provides a great list of servers, countries and filtering options to suit nearly everyone's needs. The tool is just one side of the coin: if you opt for a different and more versatile DNS server instead of the standard ones your provider supplies, then thinking about privacy and encryption is also essential these days. When censorship starts, the Internet dies - and with it the idea that once led to its creation!

There are options for not leaving traces everywhere just by surfing the web - you just have to grab them, and this tool should help you implement them easily!