0

Excluded Domains adds domains without permission

I am starting use NextDNS more and more, and have installed a couple of profiles on iOS/iPadOS mobile devices, using the advanced features which allow me to correctly support my split DNS setup when at home.

When I created the profile for my MacBook, I couldn't help but check the content of the profile, and much to my surprise I found that there are already some fixed Excluded Domains on top of the one I myself added, these are:

                <key>DomainAction</key>

                <string>NeverConnect</string>

                <key>Domains</key>

                <array>

                  <string>dav.orange.fr</string>

                  <string>vvm.mobistar.be</string>

                  <string>msg.t-mobile.com</string>

                  <string>tma.vvm.mone.pan-net.eu</string>

                  <string>vvm.ee.co.uk</string>

Why do such excludes exist, and how come they cannot be turned off?

They all look like mobile providers to me, so if I happen to travel to a foreign country and select one such mobile provider, all of a sudden I would lose NextDNS protection and would disclose my DNS traffic to the mobile provider.

This is not cool.

 

Anyone care to comment?

 

Many thanks,

Luca

3 replies

null
    • R_P_M
    • 7 days ago
    • Reported - view

    These were added to allow video voicemail (or whatever it was called) to function for the mobile networks. It is not to disable NextDNS or expose DNS traffic to the provider.

    • Patrick_Dark
    • 7 days ago
    • Reported - view

    Apparently, those exceptions were quietly added as defaults to accommodate visual voicemail.

    Wish there was disclosure on the configuration profile setup page, but there isn’t.

    A way around the exceptions is to download the configuration profile as unsigned so you can edit it and then delete the exceptions. (Ideally, you’d be able to delete them on the NextDNS side so the profile can be signed before you download it, but alas.)

    I already rewrite all of their configuration profiles to use DNS Over TLS instead of DNS Over HTTPS, so it’s not much of an extra step.

    • LucaBerta
    • 6 days ago
    • Reported - view

    Thanks to you both, the "vvm" prefix looks indeed like an indication that this is done to exclude visual voice mail for those specific domains.

    Looks like a split DNS configuration to disallow access to VVM from outside the specific mobile provider network, more than anything else.

    Weird, and surely undocumented.

    @patrick_dark point taken on downloading an unsigned profile and changing it as required.

    Many thanks, Luca

Login to reply

Content aside

  • 6 days agoLast active
  • 3Replies
  • 50Views
  • 4 Following