Configuring encrypted DNS settings

Encrypted DNS (DNS over HTTPS or DNS over TLS) lets administrators send device DNS queries to a trusted resolver over an encrypted, authenticated channel without deploying a VPN, so queries can no longer be read or altered by the local network. These settings can be managed via MDM.

This feature is supported on iOS 14.0+ and macOS 11.0+ devices.

Procedure 

  1. In the Admin Portal, go to Policies & Configs > Configurations.

  2. Click Add New > Apple > iOS/macOS/tvOS > Encrypted DNS.

    The Add Encrypted DNS Configuration dialog box opens.

  3. Use the guidelines in the table below to complete this form.

  4. Continue to the next section.

Table 39.  Encrypted DNS settings

Item

Description

Name

Enter a short phrase that identifies this encrypted DNS setting.

Description

Provide a description that clarifies the purpose of these settings.

DNS Protocol

Select the transport that DNS queries use to reach the resolver:

  • HTTPS - DNS over HTTPS (DoH): queries are sent to the resolver's HTTPS endpoint given in Server URL. This is the default option.

  • TLS - DNS over TLS (DoT): queries are sent over a TLS connection to the resolver identified by Server Name.

Server URL

If HTTPS was selected, this field displays. Enter the DoH resolver URL; it must use the https scheme. An example is:

https://dns.ivanti/dns-query

Server Name

If TLS was selected, this field displays. Enter the host name of the DoT resolver; the device validates the resolver's TLS certificate against this name, so it must match the certificate. An example is:

dns.ivanti

Prohibit DNS Disabling

Select to prevent device users from turning off the encrypted DNS settings on the device. Leave it cleared and a user can disable the resolver from Settings, after which queries fall back to the network's plaintext DNS.

Server Addresses

Required for both HTTPS and TLS: the IP address(es) of the resolver. The device contacts the resolver at these addresses directly, so it does not have to resolve the Server URL or Server Name over unencrypted DNS first. Add at least one address for each IP family in use.

  • An example IPv4 server address would be 10.0.0.1.

  • An example IPv6 server address would be 2001:0db8:85a3:0000:0000:8a2e:0370:7334.

1. Click Add+.

2. Enter the server address in the displayed field.

3. Enter an optional description.

Supplement Match Domains

Optional for either HTTPS or TLS. If you list domains here, only queries for those domains are sent to the encrypted resolver and all other queries use the network's normal DNS; if you leave the list empty, every query goes to the encrypted resolver. An example would be: *.dns.ivanti.com

1. Click Add+.

2. Enter the DNS match domain in the displayed field.

3. Enter an optional description.

Demand Rules

Use Demand Rules to decide, per network, whether the encrypted resolver is used at all (for example, only on cellular, or only when the internal resolver is unreachable).

See On Demand Rules.


On Demand Rules

Applicable to: iOS 14.0+ and macOS 11.0+

Whenever a network change is detected, the On Demand service compares the newly connected network against the match criteria specified in each rule set (in order) to determine whether encrypted DNS should be used on the newly joined network.

Rule sets are checked sequentially, beginning with the first. A rule set matches the current network only if all of the specified policies in that rule set match.

If a rule set matches the current network and a probe URL is specified in that rule, a server probe is sent first. Encrypted DNS then acts according to the action defined in the matching rule.

You can define sets of evaluation rules for each action that can be taken by Encrypted DNS On Demand: Connect, Disconnect, Evaluate Connection. You can define more than one set of rules for each type of action.

Procedure 

  1. From the On Demand Action drop-down list, select the action to take by default, that is, if no rule matches or no rules are defined.
  2. Click Add+ to add a rule.

    The following actions are available:

    Connect: Unconditionally initiate an Encrypted DNS connection on the next network attempt.

    Disconnect: Tear down the Encrypted DNS connection and do not reconnect on demand as long as this dictionary matches.

    Evaluate Connection: Evaluate the action parameters for each connection attempt.

    If you select Evaluate Connection, a Domains table displays:

  3. Click Add+ to add a domain. A new field displays in the Domains table.

  4. Enter the domain information and a description.

  5. From the Domain Action drop-down list, select one of the following actions to be taken for the domains listed in the table:

    Connect if needed: The specified domains should trigger an Encrypted DNS connection attempt if resolution of the domain name fails, for example when the DNS server indicates that it cannot resolve the domain, responds with a redirection to a different server, or fails to respond (timeout).

    Never connect: The specified domains should never trigger an Encrypted DNS connection attempt.

  6. In the Matching Rules section, click Add+ to include any of the following evaluation types:

    Domain: The domains for which this evaluation applies.

    Required DNS Server: IP addresses of the DNS servers to be used for resolving the specified domains. These servers need not be part of the device's current network configuration. If these DNS servers are not reachable, an Encrypted DNS connection is established in response. They should be either internal DNS servers or trusted external DNS servers. You can only configure required DNS server evaluation types for the Connect if needed domain action.

    Required URL Probe: An HTTPS URL to probe, using a GET request. If no HTTPS response code is received from the server, an Encrypted DNS connection is established in response. You can only configure required URL probe evaluation types for the Connect if needed domain action.

  7. Add a value and optional description for each entry.
  8. Interface Type: If specified, this rule matches only if the primary network interface hardware matches the specified interface type. Choose Ethernet, Wi-Fi, or Cellular.
  9. URL String Probe: A URL to probe. If this URL is successfully fetched without redirection (returning a 200 HTTP status code), this rule matches.
  10. Click Save to save your domain action parameters.
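What the Admin Portal form and the On Demand Rules procedure produce is an Apple DNS Settings payload. The following is an added example, not Ivanti's code or the portal's own output: it mirrors the form fields from the table above and the rule structure from this procedure, applies the checks an administrator would want before pushing the profile (HTTPS requires an https:// Server URL, TLS requires a Server Name, every Server Address must be an IP literal, probes only apply to Connect if needed, and the last rule must be the unconditional default from step 1), and emits the .mobileconfig plist. The key names are those of Apple's com.apple.dnsSettings.managed payload; the host names and IPs are the page's examples; the PayloadIdentifier values are constructed placeholders.

```python
"""Build and sanity-check an Apple Encrypted DNS (com.apple.dnsSettings.managed) profile.

Added example, not Ivanti's code. Host names/IPs come from the page's examples;
PayloadIdentifier values are constructed placeholders.
"""
import ipaddress
import plistlib
import uuid
from urllib.parse import urlparse

INTERFACE_TYPES = {"Ethernet", "WiFi", "Cellular"}


def _check_addresses(addresses):
    """Server Addresses / Required DNS Servers must be IP literals, not host names."""
    for addr in addresses:
        ipaddress.ip_address(addr)  # raises ValueError on a malformed IPv4/IPv6


def build_dns_settings(protocol, server_addresses, server_url=None,
                       server_name=None, match_domains=()):
    """DNSSettings dictionary for DoH ("HTTPS") or DoT ("TLS")."""
    if protocol not in ("HTTPS", "TLS"):
        raise ValueError("DNSProtocol must be HTTPS or TLS")
    if not server_addresses:
        raise ValueError("ServerAddresses is required for both protocols")
    _check_addresses(server_addresses)
    settings = {"DNSProtocol": protocol, "ServerAddresses": list(server_addresses)}
    if protocol == "HTTPS":
        parsed = urlparse(server_url or "")
        if parsed.scheme != "https" or not parsed.netloc:
            raise ValueError("ServerURL must be an https:// URL for DoH")
        settings["ServerURL"] = server_url
    else:
        if not server_name:
            raise ValueError("ServerName (the resolver's TLS certificate name) is required for DoT")
        settings["ServerName"] = server_name
    if match_domains:  # optional: omit it and every query goes to this resolver
        settings["SupplementalMatchDomains"] = list(match_domains)
    return settings


def action_parameter(domains, domain_action, required_dns_servers=(), required_url_probe=None):
    """One Evaluate Connection entry: what to do for queries in `domains`."""
    if domain_action not in ("ConnectIfNeeded", "NeverConnect"):
        raise ValueError("DomainAction must be ConnectIfNeeded or NeverConnect")
    if domain_action == "NeverConnect" and (required_dns_servers or required_url_probe):
        raise ValueError("Required DNS Server / URL Probe only apply to ConnectIfNeeded")
    param = {"Domains": list(domains), "DomainAction": domain_action}
    if required_dns_servers:
        _check_addresses(required_dns_servers)
        param["RequiredDNSServers"] = list(required_dns_servers)
    if required_url_probe:
        param["RequiredURLStringProbe"] = required_url_probe
    return param


def on_demand_rule(action, interface_type=None, url_probe=None, action_parameters=()):
    """One On Demand rule; every match criterion it carries must hold for it to match."""
    if action not in ("Connect", "Disconnect", "EvaluateConnection"):
        raise ValueError("Action must be Connect, Disconnect or EvaluateConnection")
    rule = {"Action": action}
    if interface_type is not None:
        if interface_type not in INTERFACE_TYPES:
            raise ValueError("InterfaceTypeMatch must be Ethernet, WiFi or Cellular")
        rule["InterfaceTypeMatch"] = interface_type
    if url_probe:
        rule["URLStringProbe"] = url_probe
    if action == "EvaluateConnection":
        if not action_parameters:
            raise ValueError("EvaluateConnection needs at least one domain entry")
        rule["ActionParameters"] = list(action_parameters)
    elif action_parameters:
        raise ValueError("ActionParameters are only valid with EvaluateConnection")
    return rule


def build_profile(dns_settings, on_demand_rules=(), prohibit_disablement=True):
    """Wrap the payload in a top-level profile and return the .mobileconfig XML as bytes."""
    rules = list(on_demand_rules)
    if rules and set(rules[-1]) - {"Action", "ActionParameters"}:
        # A trailing rule with match criteria leaves some networks unmatched;
        # the last rule should be the unconditional default action (step 1 above).
        raise ValueError("last On Demand rule must have no match criteria")
    payload = {
        "PayloadType": "com.apple.dnsSettings.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.dns.payload",  # constructed placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Encrypted DNS",
        "DNSSettings": dns_settings,
        "ProhibitDisablement": prohibit_disablement,
    }
    if rules:
        payload["OnDemandRules"] = rules
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.dns",  # constructed placeholder
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Encrypted DNS",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def example_profile():
    """The page's DoH example: always use the resolver on cellular; elsewhere, use it
    for dns.ivanti.com only when the internal resolver 10.0.0.1 is unreachable."""
    settings = build_dns_settings(
        "HTTPS", ["10.0.0.1", "2001:0db8:85a3:0000:0000:8a2e:0370:7334"],
        server_url="https://dns.ivanti/dns-query")
    rules = [
        on_demand_rule("Connect", interface_type="Cellular"),
        on_demand_rule("EvaluateConnection", action_parameters=[
            action_parameter(["dns.ivanti.com"], "ConnectIfNeeded",
                             required_dns_servers=["10.0.0.1"]),
        ]),
    ]
    return build_profile(settings, rules)


if __name__ == "__main__":
    print(example_profile().decode())
```

Run it to print the profile XML, then compare the DNSSettings and OnDemandRules dictionaries against what the portal pushes to a test device. The rule order matters: the Cellular rule is evaluated first, and the Evaluate Connection rule at the end carries no match criteria so it always applies when nothing earlier matched.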