Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Need for system-wide profile #22

Open
csousougen opened this issue Dec 18, 2020 · 25 comments
Open

Need for system-wide profile #22

csousougen opened this issue Dec 18, 2020 · 25 comments

Comments

@csousougen
Copy link

In Mac, Safari uses the encrypted dns, all other apps like terminal and App Store use the unencrypted dns server from network settings.
Could you please create a profile that uses system-wide encrypted dns?

@paulmillr
Copy link
Owner

How?

@csousougen
Copy link
Author

I’ve found these system-wide configurations but i don’t know how to import into a mobileconfig

https://www.wwdcnotes.com/notes/wwdc20/10047

@ghost
Copy link

ghost commented Aug 30, 2021

@csousougen Actually an MDM profile is by default system wide...
During the developer conference of 2020 when they have announced this feature they have said :

"The first way is to use a single [encrypted] DNS server as the default resolver for all apps on the system. If you provide a public [encrypted] DNS server, you can now write a network extension app that configures the system to use your server. Or, if you use Mobile Device Management to configure enterprise settings on devices, you can push down a profile to configure encrypted DNS settings for your networks,"

The code you have linked is for the dev who want to use encrypted dns for their app (or make an app to activate this dns (like adguard pro for iOS)).

@ghost
Copy link

ghost commented Aug 30, 2021

@paulmillr Since it's not a bug in .mobileconfig file I ask this issue be closed.
We cannot fix it only apple can so I vote to close it but it's up to you.

@paulmillr
Copy link
Owner

@BirdInFire I won't close these and other issues that describe Apple bugs. We can't do anything but we can make bugs visible.

@csousougen
Copy link
Author

I can say for sure that on Mac, it is not system wide. The DIG command gets results from the DNS servers that are set in Network and not from the MDM profile. If you try "dig google.com" you will see ;; SERVER: IP address in results.

@ghost
Copy link

ghost commented Aug 30, 2021

I can say for sure that on Mac, it is not system wide. The DIG command gets results from the DNS servers that are set in Network and not from the MDM profile. If you try "dig google.com" you will see ;; SERVER: IP address in results.

i have tested it like 10 minutes ago with nextdns to see the log on DNSserver side and it's totally system wide

@csousougen
Copy link
Author

csousougen commented Aug 30, 2021

@BirdInFire could you please try to put a fake dns (127.0.0.5) in network settings, press Apply and then check if DIG command works?
Also, I tried to dig astalavista.com from the cmd and it didn't show up in nextdns logs.
However, all queries that come from Safari are totally encrypted.

@ghost
Copy link

ghost commented Aug 30, 2021

Will do a more profound testing to be sure

@ghost
Copy link

ghost commented Aug 30, 2021

I have tested with a new account and done a ping on terminal on google.lol (who does not exist) after having installed their profile (used on apple.nextdns.io) and some second after the ping (who have failed since google.lol does not exist, it appeared on the logs, tried again with .jp and worked also).

Need more search but I really think it's system wide, maybe when you modify your dns (after) having installed the profile it override the profile.

@csousougen
Copy link
Author

@BirdInFire You are correct, with ping command it works. But it does not work with DIG command and nslookup command.
Could you please try these commands too? Is it system wide if it does not work with any command?

@ghost
Copy link

ghost commented Aug 30, 2021

Sure will do a complete test when I'm at home (actually I have done it remotely), but it's possible that some system component are exempted by this profile (network app).

@ghost
Copy link

ghost commented Sep 4, 2021

@csousougen after some search I have found some profile who add :

<key>PayloadScope</key>
<string>System</string>

Can you add it to your profile and do your test (seem I can't replic the problem as well as you).
And see if it solve the problem ?

If it's the case I will do a PR on all profile to add it.

@csousougen
Copy link
Author

Hi @BirdInFire
I added the 2 lines just above in nextdns profile. Still, dig and nslookup commands do not go through the encrypted dns (no logs in nextdns).
However, I see in the logs, queries from all apps that run on my mac, this tells that the profile is system wide, except for these two commands (dig and nslookup).

@paulmillr
Copy link
Owner

Added BirdInFire's stuff to readme.

@quyleanh
Copy link

quyleanh commented Mar 4, 2023

I also have the same problem. Cannot get profile work on macOS since on iOS it works well.

@ASweatyPenguin-1
Copy link

Added BirdInFire's stuff to readme.

Hello @paulmillr, I'm not much of a tech person, I got linked here by Sun Knudsen Privacy Guides. Sorry if you don't take questions from newbies...Anyway, my questions:

If @BirdInFire's stuff applies this to significantly more (app store, terminal, etc.) then why not put it in the published profile?

I'm nervous to add it because You said there "seems" to be an additional option, have you changed your opinion at all on @BirdInFire's entry?

Thanks for your time, this stuff is cool!

@paulmillr
Copy link
Owner

If @BirdInFire's stuff applies this to significantly more (app store, terminal, etc.) then why not put it in the published profile?

The flag needs a thorough investigation, which I don't have time to do right now. Thorough meaning: listening to the traffic, pros & cons etc.

@fyr77
Copy link

fyr77 commented Jul 4, 2023

According to the Configuration Profile Reference, the flag determines if something is to be installed for the current user or the whole system - this does not sound like it should influence app behaviour (it might still do so).

Exact wording:

Determines if the profile should be installed for the system or the user. In many cases, it determines the location of the certificate items, such as keychains. Though it is not possible to declare different payload scopes, payloads, like VPN, may automatically install their items in both scopes if needed.
Legal values are System and User, with User as the default value

@akasandra
Copy link

akasandra commented Jul 4, 2023

I've found something more interesting.

While Safari uses System-wide DoH correctly, Firefox won't in several cases: In Firefox settings, "Enable secure DNS using:" you have to select either "Default Protection" or "Off" - it would then use DoH from system.
Choosing "Increased protection" and "Max protection" may result into lookup hangs or using mixed secure/insecure DNS, according to my dnsleaktest results.

Google Chrome does not use System-Wide profile DNS-over-HTTPS for me. There is only option to manually enable Chrome-wide DoH in its settings, manually selecting a provider. This should be stated in Readme.

  • This what I've used and indeed should be added for all. Not sure at which level this must be, though.
<key>PayloadScope</key>
<string>System</string>

btw: nslookup and dig are not designed to support DoH. They are only designed to be terminal utilities for developers not serving any security or privacy purpose.

@fyr77
Copy link

fyr77 commented Jul 4, 2023

Based on the previous comment, it seems that the encrypted DNS settings have to be implemented and honoured by each individual app. So there is no local DNS server translating all DNS requests into DoH/DoT and sending it to the defined server, rather it is just saved as a value and apps may choose to use that value when operating.

This also means there is no way to force any app to use encryption settings, I believe. Still, it seems as if some apps only use encrypted DNS if "System" scope is selected...

@Fail-Safe
Copy link

Still, it seems as if some apps only use encrypted DNS if "System" scope is selected...

Do you find this to still be the case in current versions of MacOS, iOS, iPadOS, etc?

@fyr77
Copy link

fyr77 commented Feb 13, 2024

@Fail-Safe Unfortunately, I no longer own any apple devices to test this with. Perhaps someone else can provide some insight.

@Homas
Copy link

Homas commented May 1, 2024

Do you find this to still be the case in current versions of MacOS, iOS, iPadOS, etc?

On recent MacOS, I see the same behavior akasandra described above.
I didn't check the user/system scope because not sure which apps except Safari/FF actually use DoH.
kdig & dog ignore the settings.

@ghost
Copy link

ghost commented Jun 19, 2024

I do not really know for FF or Chrome on apple (since I only use safari on apple device), but if it's anything like windows I think they have their own resolver maybe why they blatantly ignore the profile.

As for app, it seem that any app from the store obey the profile.
And since I never install anything outside the store I cannot say much more.

As said sonner dig and other tool like that are not mean to use encrypted DNS as they are often used for debugging purpose.

I would not surprise me at all if apple deliberately excluded them for this to help people debug DNS issue when profile enabled.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

8 participants