Apple TV and Profiles: An Easy Install
Hello everyone. Recently I've been thinking about an easier way to create iOS profiles, and specifically profiles for Apple TV, and I think I've stumbled onto something. I'm sharing this here as a proof of concept in the hope that it helps others and that it gives the NextDNS team a permanent solution they can implement on their side.
TL;DR: Skip to the bold TL;DR down below.
Apple requires a configuration profile to set more advanced network settings, such as DNS over HTTPS (DoH), unless you install an app that configures them for you. In practice this means using Safari on an iPhone or iPad to generate a profile and then kicking off the installation in Settings. That is easy enough on those devices using the web GUI at apple.nextdns.io.
To install a profile on Apple TV, you must tell the Apple TV where to download the .mobileconfig file from. That is, you first generate a profile (from apple.nextdns.io above), then arrange to host the file somewhere online and type that URL into the Apple TV with the remote. Fun. (For completeness' sake I will mention that profiles can also be installed by connecting the Apple TV directly via a USB cable--so un-Apple, I know.)
The (Real) Solution
Apple should add native support for DoH and/or DoT to every currently supported OS. Google did, Microsoft is, Apple should. Forcing users to install apps or custom config files to change DNS servers is getting old. (apple.com/feedback for those playing along at home.)
The (Proposed) Solution
NextDNS could add short codes, or short subdomains, to ease data entry in the Apple TV's limited UI for profile installation. This feels like a clever workaround for Apple's bad UI/UX/policy--but easier for the user is still easier.
The Proof of Concept (aka The Fix)
Why--it's DNS of course! Well, actually it's mostly Page Rules from Cloudflare but DNS was step one. I reused an existing domain of mine and added a 'dns' subdomain which Cloudflare forwards to NextDNS directly for fulfilment.
TL;DR: When prompted by Apple TV to enter a profile URL, enter:
You are trusting an internet rando to serve you privileged DNS settings. USUALLY THIS IS A BAD IDEA. I am not affiliated with NextDNS. I am a paying customer though. NextDNS does not approve of this method. Their approved methods are documented in their help articles.
That being said, I am not pulling a fast one nor am I being dishonest in any way. I would like this concept to be adopted by NextDNS if possible, and in the meantime I believe this is a reasonable workaround for other forum members.
The Technical Bits
- I added a Proxied DNS entry via Cloudflare for "dns.infolux.net". I used a CNAME which points at "ns.infolux.net". This is not required for the proxy feature, but this lookup made sense in my head for the task at hand.
- A Page Rule was then added for "dns.infolux.net/*" with a 302 Forwarding URL pointed at "http://api.nextdns.io/apple/profile?profile=$1&trust_ca=1&sign=0".
- HTTP was specifically used to ensure the HTTPS upgrade would be done by NextDNS. A packet capture will confirm the HTTPS upgrade is handled by NextDNS and the profile securely delivered by NextDNS.
- The NextDNS CA option is added so the profile will include their root CA. To use the CA, you will still need to manually enable it in Settings. By including the CA now, it will already be installed should you want to enable it later.
- The option to sign the configuration profile has been disabled. This was intentional so that "long lived" profiles would be generated without any worry of an expired message in a year. This signing is only for the profile itself--all DoH queries are always secure.
- Other than the NextDNS ID you enter, no other options are set. Not the name, model, networks, nor domain fields.
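Two checks a practitioner would want before trusting this flow are worth having in runnable form: confirm which hops of the redirect chain travel in the clear, and inspect the downloaded .mobileconfig before installing it. The script below is an added example, not code from the original post, NextDNS or Cloudflare. It assumes the NextDNS DoH endpoint is https://dns.nextdns.io/<id>, uses "abc123" as a constructed placeholder ID, and the intermediate status codes and the dummy certificate bytes in the sample data are constructed for illustration. It also shows the Page Rule target with the wildcard value percent-encoded, so that a crafted path cannot override the fixed trust_ca/sign options; whether Cloudflare encodes $1 itself is not stated above, so treat that as something to verify on your own account.

```python
"""Offline checks for a redirect-based NextDNS profile install.

Added example; not code from the original post, NextDNS or Cloudflare.
Assumptions: the NextDNS DoH endpoint is https://dns.nextdns.io/<id>,
"abc123" is a constructed placeholder config ID, and all sample data
(redirect hops, statuses, certificate bytes) is constructed inline.
"""
import plistlib
from urllib.parse import quote, urlsplit

NEXTDNS_PROFILE_API = "http://api.nextdns.io/apple/profile"   # target used in the post
NEXTDNS_DOH_HOST = "dns.nextdns.io"                           # assumed DoH endpoint host
DNS_PAYLOAD_TYPE = "com.apple.dnsSettings.managed"
ROOT_CA_PAYLOAD_TYPE = "com.apple.security.root"


def build_redirect(path: str) -> str:
    """Redirect target a rule like 'dns.infolux.net/* -> ...profile=$1&trust_ca=1&sign=0' should emit.

    The wildcard segment is percent-encoded so a path such as '/abc123&sign=1'
    cannot inject or override the fixed query options.
    """
    config_id = path.lstrip("/")
    return f"{NEXTDNS_PROFILE_API}?profile={quote(config_id, safe='')}&trust_ca=1&sign=0"


def audit_redirect_chain(hops, expected_host="api.nextdns.io"):
    """Classify each hop of a redirect chain as seen in `curl -v -L` or a packet capture.

    hops: list of (request_url, status, location); location is None on the final response.
    Returns the requests sent over plain HTTP and whether the final fetch is HTTPS
    to the expected host.
    """
    plaintext = [url for url, _status, _loc in hops if urlsplit(url).scheme == "http"]
    final = urlsplit(hops[-1][0])
    return {
        "plaintext_hops": plaintext,
        "final_is_https": final.scheme == "https",
        "final_host_ok": final.hostname == expected_host,
    }


def inspect_profile(blob: bytes, expected_id: str) -> dict:
    """Summarise a downloaded .mobileconfig before installing it.

    A signed profile is a CMS/PKCS#7 DER blob (leading SEQUENCE tag 0x30) wrapping
    the plist; an unsigned one (sign=0) is the bare plist, which plistlib reads.
    """
    if blob[:1] == b"\x30":
        return {"signed": True}
    profile = plistlib.loads(blob)
    summary = {"signed": False, "dns_protocol": None, "dns_server_url": None,
               "root_ca_count": 0, "id_matches": False}
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype == DNS_PAYLOAD_TYPE:
            dns = payload.get("DNSSettings", {})
            summary["dns_protocol"] = dns.get("DNSProtocol")
            summary["dns_server_url"] = dns.get("ServerURL")
        elif ptype == ROOT_CA_PAYLOAD_TYPE:   # present when trust_ca=1
            summary["root_ca_count"] += 1
    server = urlsplit(summary["dns_server_url"] or "")
    summary["id_matches"] = (server.scheme == "https"
                             and server.hostname == NEXTDNS_DOH_HOST
                             and server.path.strip("/") == expected_id)
    return summary


# Constructed sample data ---------------------------------------------------

# The chain as the Apple TV walks it: the first two requests are plain HTTP and
# only the final profile fetch is HTTPS. Status codes are illustrative.
_TARGET = build_redirect("/abc123")
_TARGET_TLS = _TARGET.replace("http://", "https://", 1)
SAMPLE_HOPS = [
    ("http://dns.infolux.net/abc123", 302, _TARGET),
    (_TARGET, 301, _TARGET_TLS),
    (_TARGET_TLS, 200, None),
]

# An unsigned profile with one DoH payload and one root-CA payload (dummy bytes).
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "example.nextdns.abc123",
    "PayloadContent": [
        {"PayloadType": DNS_PAYLOAD_TYPE, "PayloadVersion": 1,
         "PayloadIdentifier": "example.nextdns.abc123.dns",
         "DNSSettings": {"DNSProtocol": "HTTPS",
                         "ServerURL": "https://dns.nextdns.io/abc123"}},
        {"PayloadType": ROOT_CA_PAYLOAD_TYPE, "PayloadVersion": 1,
         "PayloadIdentifier": "example.nextdns.abc123.ca",
         "PayloadContent": b"\x30\x03\x02\x01\x00"},   # placeholder, not a real certificate
    ],
})

if __name__ == "__main__":
    print(audit_redirect_chain(SAMPLE_HOPS))
    print(inspect_profile(SAMPLE_PROFILE, "abc123"))
```

Run it as a script to print both summaries, or point `inspect_profile` at the bytes of a real download. The chain audit makes the trade-off of the `http://` target concrete: with a 302 to http://api.nextdns.io, the Apple TV's first two requests leave the device in the clear, so an on-path attacker could answer either of them with a different Location before NextDNS's HTTPS upgrade happens; only the profile body itself travels over TLS. Checking the downloaded file before installing it is the complement: it tells you whether the ServerURL really carries your ID, how many root CAs the profile will install, and that an unsigned (`sign=0`) profile gives Settings nothing to verify.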
I might be missing something, but the Apple TV profile install took me less than 2 minutes after generating the profile. iCloud or Dropbox the URL and copy that. Universal pasteboard makes this URL available on your other iCloud devices instantly (iPhone / iPad). Then, just use the keyboard feature of your iPhone / iPad to paste the URL to the Apple TV. Seamless. I have never used the Siri remote for text entry before.