4

Issue with "Excluded Domains" options in apple.nextdns.io

Recently when I tried to create an Apple profile using apple.nextdns.io, specifying the list of domains I wanted to exclude, the domains remained resolved through NextDNS.

I found that the output `.mobileconfig` contains duplicated keys when we use "Excluded Domains".  Here's the snippet:

  <dict>
    <key>Action</key>
    <string>EvaluateConnection</string>
    <key>ActionParameters</key>
    <array>
      <dict>
        <key>DomainAction</key>
        <string>NeverConnect</string>
        <key>Domains</key>
        <array>
          <string>dav.orange.fr</string>
          <string>msg.t-mobile.com</string>
        </array>
      </dict>
    </array>
  </dict>
  <dict>
    <key>Action</key>
    <string>EvaluateConnection</string>
    <key>ActionParameters</key>
    <array>
      <dict>
        <key>DomainAction</key>
        <string>NeverConnect</string>
        <key>Domains</key>
        <array>
          <string>example.com</string>
          <string>example.net</string>
        </array>
      </dict>
    </array>
  </dict>

The valid value would looks like:

  <dict>
    <key>Action</key>
    <string>EvaluateConnection</string>
    <key>ActionParameters</key>
    <array>
      <dict>
        <key>DomainAction</key>
        <string>NeverConnect</string>
        <key>Domains</key>
        <array>
          <string>dav.orange.fr</string>
          <string>msg.t-mobile.com</string>
          <string>example.com</string>
          <string>example.net</string>
        </array>
      </dict>
    </array>
  </dict>

Note: I don't know why there are `dav.orange.fr` and `msg.t-mobile.com`, since my excluded domains are only `example.com` and `example.net`.

At the moment, I use a non-signed profile since I need to edit the `.mobileconfig` file manually.

Please help with this issue, so we can still use the signed profile and the `.mobileconfig` work out of the box.

2 replies

null
    • subosito
    • 9 mths ago
    • Reported - view

    Ha Ge Zi Thanks for the alternative!

    I already tested it, and it works.

    There are three points regarding the approach using the alternative:

    - Since it's using the LetsEncrypt certificate, we need to update the signed profile every 90 days

    - To overcome that, we can generate a non-signed profile and sign it manually using our own paid certificate to get a longer period :|

    - Or, we keep using the non-signed profile (like I did previously)

    I am still waiting for the NextDNS team to fix that so that we can use the official generator and have a signed profile with a longer period of certificate validity.

    Anyway, thanks @hagezi for your block list, I am a user of your Pro++, and it works wonderfully!

    Cheers!

    • Reselect
    • 7 mths ago
    • Reported - view

    Just ran into this problem myself.

    Please also could you add the ability to configure this using the iOS app.

Login to reply

Content aside

  • 4 Likes
  • 9 mths agoLast active
  • 2Replies
  • 437Views
  • 5 Following