Configuring encrypted DNS settings
Encrypted DNS allows administrators to enhance security without needing to configure a VPN. These settings can be managed via MDM.
This feature is supported on iOS 14.0+ and macOS 11.0+ devices.
Procedure
- In the Admin Portal, go to Policies & Configs > Configurations.
- Click Add New > Apple > iOS/macOS/tvOS > Encrypted DNS. The Add Encrypted DNS Configuration dialog box opens.
- Use the guidelines in the table below to complete this form.
- Continue to the next section.
| Item | Description |
| --- | --- |
| Name | Enter a short phrase that identifies this encrypted DNS setting. |
| Description | Provide a description that clarifies the purpose of these settings. |
| DNS Protocol | Select the DNS protocol: HTTPS or TLS. The Server URL and Server Name fields below depend on this selection. |
| Server URL | If HTTPS was selected, this field displays. Enter the URL for the encrypted DNS. An example is: https://dns.ivanti/dns-query |
| Server Name | If TLS was selected, this field displays. Enter the server name for the encrypted DNS. An example is: dns.ivanti |
| Prohibit DNS Disabling | Select to prevent device users from disabling this encrypted DNS setting. |
| Server Addresses | For either HTTPS or TLS, you will need to add the server addresses. 1. Click Add+. 2. Enter the server address in the displayed field. 3. Enter an optional description. |
| Supplement Match Domains | For either HTTPS or TLS, you will need to add the supplemental domains that match the Encrypted DNS. An example would be: *.dns.ivanti.com 1. Click Add+. 2. Enter the DNS match domain in the displayed field. 3. Enter an optional description. |
| Demand Rules | Use Demand Rules to list the domain strings that determine which DNS queries use the encrypted DNS server. See On Demand Rules below. |
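The form fields in the table map onto Apple's DNS Settings configuration profile payload, which is what the device actually receives. The following Python is an added example, not Ivanti's or Apple's code: it assembles that payload and checks the protocol-dependent rules from the table (HTTPS needs a Server URL, TLS needs a Server Name, both need at least one server address) before serialising it as a plist. Key names follow Apple's `com.apple.dnsSettings.managed` payload; the host names, addresses and payload identifiers are constructed placeholders.

```python
import plistlib
import uuid

# Added example (not Ivanti's or Apple's code). Key names follow Apple's
# com.apple.dnsSettings.managed payload; every value below is a constructed placeholder.


def check_dns_settings(settings):
    """Return a list of problems with a DNSSettings dictionary; [] means it is consistent
    with the field rules in the table (HTTPS -> ServerURL, TLS -> ServerName, addresses required)."""
    problems = []
    protocol = settings.get("DNSProtocol")
    if protocol not in ("HTTPS", "TLS"):
        problems.append("DNSProtocol must be HTTPS or TLS")
    if not settings.get("ServerAddresses"):
        problems.append("at least one server address is required")
    if protocol == "HTTPS":
        if not settings.get("ServerURL", "").startswith("https://"):
            problems.append("HTTPS requires a Server URL beginning with https://")
        if "ServerName" in settings:
            problems.append("ServerName only applies to TLS")
    elif protocol == "TLS":
        if not settings.get("ServerName"):
            problems.append("TLS requires a Server Name")
        if "ServerURL" in settings:
            problems.append("ServerURL only applies to HTTPS")
    return problems


def build_dns_settings(protocol, server_addresses, server_url=None, server_name=None, match_domains=()):
    """Assemble the DNSSettings dictionary from the form fields, emitting only the keys
    that were filled in so that protocol-specific fields are not mixed."""
    settings = {"DNSProtocol": protocol, "ServerAddresses": list(server_addresses)}
    if server_url is not None:
        settings["ServerURL"] = server_url
    if server_name is not None:
        settings["ServerName"] = server_name
    if match_domains:
        settings["SupplementalMatchDomains"] = list(match_domains)  # "Supplement Match Domains"
    return settings


def build_profile(name, description, dns_settings, prohibit_disablement=False, on_demand_rules=None):
    """Wrap the DNSSettings in a configuration profile; refuse to emit an inconsistent one."""
    problems = check_dns_settings(dns_settings)
    if problems:
        raise ValueError("; ".join(problems))
    payload = {
        "PayloadType": "com.apple.dnsSettings.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.dns.payload",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadDescription": description,
        "DNSSettings": dns_settings,
        "ProhibitDisablement": prohibit_disablement,  # the "Prohibit DNS Disabling" checkbox
    }
    if on_demand_rules:
        payload["OnDemandRules"] = list(on_demand_rules)
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.dns.profile",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadContent": [payload],
    }


def profile_to_plist(profile):
    """Serialise to the XML plist form a device (or a .mobileconfig file) consumes."""
    return plistlib.dumps(profile)


def profile_from_plist(data):
    """Parse a serialised profile back into a dictionary, e.g. to audit what was pushed."""
    return plistlib.loads(data)


if __name__ == "__main__":
    # Constructed sample mirroring the table's example values with placeholder hosts.
    settings = build_dns_settings("HTTPS", ["192.0.2.53"],
                                  server_url="https://dns.example.test/dns-query",
                                  match_domains=["*.dns.example.test"])
    profile = build_profile("Corporate encrypted DNS", "DoH for managed devices",
                            settings, prohibit_disablement=True)
    print(profile_to_plist(profile).decode())
```

`check_dns_settings` is deliberately separate from `build_profile` so it can also be run over a profile exported from the portal to confirm that the protocol, URL and addresses line up before the profile is assigned to a label.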
On Demand Rules
Applicable to: iOS 14.0+ and macOS 11.0+
Whenever a network change is detected, the On Demand service compares the newly connected network against the match network criteria specified in each set of rules (in order) to determine whether Encrypted DNS On Demand should be allowed or not on the newly-joined network.
Rule sets are checked sequentially, beginning with the first. A rule set matches the current network only if all of the specified policies in that rule set match.
If a rule set matches the current network, a server probe is sent if a URL is specified in the profile. Encrypted DNS then acts according to the policy defined in the dictionary.
You can define sets of evaluation rules for each action that can be taken by Encrypted DNS On Demand: Connect, Disconnect, and Evaluate Connection. You can define more than one set of rules for each type of action.
Procedure
- From the On Demand Action drop-down list, select the action to be taken by default, that is, if none of the rules match or no rules are defined.
- Click Add+ to add a default rule. The following actions are available:
  •Connect: Unconditionally initiate an Encrypted DNS connection on the next network attempt.
  •Disconnect: Tear down the Encrypted DNS connection and do not reconnect on demand as long as this dictionary matches.
  •Evaluate Connection: Evaluate the action parameters for each connection attempt.
  If you select Evaluate Connection, a Domains table displays:
- Click Add+ to add a domain. A new field displays in the Domains table.
- Enter the domain information and a description.
- From the Domain Action drop-down list, select one of the following actions to be taken for the domains listed in the table:
  •Connect if needed: The specified domains trigger an Encrypted DNS connection attempt if name resolution for the domain fails, for example when the DNS server indicates that it cannot resolve the domain, responds with a redirection to a different server, or fails to respond (timeout).
  •Never connect: The specified domains never trigger an Encrypted DNS connection attempt.
- In the Matching Rules section, click Add+ to include any of the following evaluation types:
  •Domain: The domains for which this evaluation applies.
  •Required DNS Server: IP addresses of the DNS servers to be used for resolving the specified domains. These servers need not be part of the device's current network configuration. If these DNS servers are not reachable, an Encrypted DNS connection is established in response. These DNS servers should be either internal DNS servers or trusted external DNS servers. You can only configure required DNS server evaluation types for the Connect if needed domain action.
  •Required URL Probe: An HTTPS URL to probe, using a GET request. If no HTTPS response code is received from the server, an Encrypted DNS connection is established in response. You can only configure required URL probe evaluation types for the Connect if needed domain action.
  •Interface Type: If specified, this rule matches only if the primary network interface hardware matches the specified interface type. Choose Ethernet, Wifi, or Cellular.
  •URL String Probe: A URL to probe. If this URL is successfully fetched without redirection (returning a 200 HTTP status code), this rule matches.
  Add a value and an optional description for each entry.
- Click Save to save your domain action parameters.
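The sequential, all-criteria-must-match evaluation described in this section is easy to get wrong when several rule sets overlap, so it helps to model it before pushing a profile. The following Python is an added example, not Ivanti's or Apple's code: it evaluates a list of On Demand rule sets against a description of the newly joined network exactly as the text describes (first match wins, every specified criterion must match, the default On Demand Action applies otherwise) and checks the constraints stated above, namely that Required DNS Server and Required URL Probe entries are only valid with the Connect if needed domain action. Dictionary keys follow Apple's OnDemandRules format; only the three actions listed on this page are modelled, the domain matching is a simplified assumption, and every network value, address and probe URL is constructed (the probe is stubbed so the example runs offline).

```python
# Added example (not Ivanti's or Apple's code). Models the evaluation order described
# above: rule sets are checked in sequence, a set matches only when every criterion it
# specifies matches the newly joined network, and the first match decides the action.
# Keys follow Apple's OnDemandRules format; only the three actions on this page are
# modelled, and every network value, address and URL below is constructed.

PAGE_ACTIONS = {"Connect", "Disconnect", "EvaluateConnection"}
INTERFACES = {"Ethernet", "WiFi", "Cellular"}
DOMAIN_ACTIONS = {"ConnectIfNeeded", "NeverConnect"}


def validate_rules(rules):
    """Return a list of problems; [] means the rule sets respect the constraints stated
    on this page (required DNS servers and URL probes only with 'Connect if needed')."""
    problems = []
    for i, rule in enumerate(rules):
        action = rule.get("Action")
        if action not in PAGE_ACTIONS:
            problems.append(f"rule {i}: unknown Action {action!r}")
        iface = rule.get("InterfaceTypeMatch")
        if iface is not None and iface not in INTERFACES:
            problems.append(f"rule {i}: InterfaceTypeMatch must be one of {sorted(INTERFACES)}")
        params_list = rule.get("ActionParameters", [])
        if params_list and action != "EvaluateConnection":
            problems.append(f"rule {i}: ActionParameters only apply to EvaluateConnection")
        for j, params in enumerate(params_list):
            if not params.get("Domains"):
                problems.append(f"rule {i} parameters {j}: Domains is required")
            domain_action = params.get("DomainAction")
            if domain_action not in DOMAIN_ACTIONS:
                problems.append(f"rule {i} parameters {j}: DomainAction must be ConnectIfNeeded or NeverConnect")
            elif domain_action != "ConnectIfNeeded" and (
                    "RequiredDNSServers" in params or "RequiredURLStringProbe" in params):
                problems.append(f"rule {i} parameters {j}: required DNS servers / URL probe need ConnectIfNeeded")
    return problems


def domain_matches(pattern, host):
    """Simplified comparison (assumption): '*.corp.example' covers any host under
    corp.example; a pattern without a wildcard must match exactly."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def rule_matches(rule, network, probe):
    """True only when every criterion present in the rule matches the network."""
    if "InterfaceTypeMatch" in rule and rule["InterfaceTypeMatch"] != network["interface"]:
        return False
    if "DNSDomainMatch" in rule and not any(
            domain_matches(p, d) for p in rule["DNSDomainMatch"] for d in network["search_domains"]):
        return False
    if "DNSServerAddressMatch" in rule and not set(rule["DNSServerAddressMatch"]) & set(network["dns_servers"]):
        return False
    if "URLStringProbe" in rule and not probe(rule["URLStringProbe"]):
        return False
    return True


def evaluate(rules, network, default_action, probe):
    """Return (action, action_parameters): the first matching rule set wins, otherwise
    the default On Demand Action from the drop-down list applies."""
    for rule in rules:
        if rule_matches(rule, network, probe):
            return rule["Action"], rule.get("ActionParameters", [])
    return default_action, []


# Constructed rule sets: use the internal resolver on the corporate Wi-Fi, always use
# Encrypted DNS on cellular, and evaluate per domain on any other network.
SAMPLE_RULES = [
    {"InterfaceTypeMatch": "WiFi", "DNSDomainMatch": ["*.corp.example"], "Action": "Disconnect"},
    {"InterfaceTypeMatch": "Cellular", "Action": "Connect"},
    {"URLStringProbe": "https://probe.example/ok", "Action": "EvaluateConnection",
     "ActionParameters": [{"Domains": ["intranet.corp.example"], "DomainAction": "ConnectIfNeeded",
                           "RequiredDNSServers": ["192.0.2.53"]}]},
]

PROBE_RESULTS = {"https://probe.example/ok": True}  # constructed stand-in for a live probe


def offline_probe(url):
    """Offline substitute for fetching the probe URL without redirection."""
    return PROBE_RESULTS.get(url, False)


# Constructed network descriptions as the On Demand service would see them.
def corporate_wifi():
    return {"interface": "WiFi", "search_domains": ["hq.corp.example"], "dns_servers": ["192.0.2.53"]}


def cellular():
    return {"interface": "Cellular", "search_domains": [], "dns_servers": ["198.51.100.1"]}


def home_wifi():
    return {"interface": "WiFi", "search_domains": ["home.lan"], "dns_servers": ["192.168.1.1"]}


if __name__ == "__main__":
    print(validate_rules(SAMPLE_RULES))
    for net in (corporate_wifi(), cellular(), home_wifi()):
        print(net["interface"], net["search_domains"], "->", evaluate(SAMPLE_RULES, net, "Disconnect", offline_probe)[0])
```

Because rule order decides the outcome, the `home_wifi` case is the one worth checking: it falls through the first two sets and reaches Evaluate Connection only because the probe succeeds; with the probe failing, the default On Demand Action would apply instead.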