mobileconfig: OnDemandRules URLStringProbe doesn’t work in DNSSettings for iOS 18
Opening a fresh post as the others seem old/abandoned.

I'm trying to add a fail-safe URL probe to a DNS settings profile (DNS over HTTP) for the case where the iPhone/iPad connects to a Wi-Fi hotspot with a captive portal and no internet access. I use OnDemandRules to circumvent known problematic SSID names and specific (wildcard) domains. Both are working just fine, and such requests fall back to the system resolver.

I've added a URLStringProbe which is supposed to check the availability of the internet. The probe should trigger on a 200 OK response code and use the DNSSettings, or fall back to the system resolver in the case of any other outcome, according to the documentation:

"A URL to probe. If this URL is successfully fetched (returning a 200 HTTP status code) without redirection, this rule matches."

https://developer.apple.com/documentation/devicemanagement/dnssettings/ondemandruleselement
https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf

Tested on an iPhone 14 (iOS 18.1), but it doesn't work. I'm using Cloudflare https://1.1.1.1/index.html for the sake of simplicity and make some adjustments to the IP/path for testing purposes:

- using https to enforce TLS (to avoid hijack/MitM from a captive portal)
- using a direct IP (in this case Cloudflare) so I don't need to resolve a domain to execute the probe itself

Anyway, I've changed the URL for testing purposes to return either a 404, a redirect or a timeout, and in all cases the probe acts the same way as for a 200 OK response. My expectation is that the probe should test negative and go to the next rule, which is <key>Action</key> <string>Disconnect</string>, and thus use the system resolver, which will allow the system to detect a captive portal and display the sign-in popup for the captive portal.

Any idea where the issue might be?
Example 1 - with all rules

```xml
<key>DNSSettings</key>
<dict>
    <key>DNSProtocol</key>
    <string>HTTPS</string>
    <key>ServerURL</key>
    <string>https://dnsserverexample.com/v1/something/id/dns-query</string>
    <key>ServerAddresses</key>
    <array/>
    <key>SupplementalMatchDomains</key>
    <array/>
</dict>
<key>ProhibitDisablement</key>
<true/>
<key>OnDemandRules</key>
<array>
    <dict>
        <key>Action</key>
        <string>Disconnect</string>
        <key>SSIDMatch</key>
        <array>
            <string>whitelistedSSID1</string>
            <string>whitelistedSSID1</string>
        </array>
    </dict>
    <dict>
        <key>Action</key>
        <string>EvaluateConnection</string>
        <key>ActionParameters</key>
        <array>
            <dict>
                <key>DomainAction</key>
                <string>NeverConnect</string>
                <key>Domains</key>
                <array>
                    <string>*.whitelisteddomainexample.com</string>
                    <string>*.whitelisteddomainexample2.com</string>
                </array>
            </dict>
        </array>
    </dict>
    <dict>
        <key>URLStringProbe</key>
        <string>https://1.1.1.1/index.html</string>
        <key>Action</key>
        <string>Connect</string>
    </dict>
    <dict>
        <key>Action</key>
        <string>Disconnect</string>
    </dict>
</array>
<!-- closing tag of the enclosing payload dict; its opening tag is not part of this excerpt -->
</dict>
```

Example 2 - just URL probe and fail-open for iPhone

```xml
<key>DNSSettings</key>
<dict>
    <key>DNSProtocol</key>
    <string>HTTPS</string>
    <key>ServerURL</key>
    <string>https://dnsserverexample.com/v1/something/id/dns-query</string>
    <key>ServerAddresses</key>
    <array/>
    <key>SupplementalMatchDomains</key>
    <array/>
</dict>
<key>ProhibitDisablement</key>
<true/>
<key>OnDemandRules</key>
<array>
    <dict>
        <key>URLStringProbe</key>
        <string>https://1.1.1.1/index.html</string>
        <key>Action</key>
        <string>Connect</string>
    </dict>
    <dict>
        <key>Action</key>
        <string>Disconnect</string>
    </dict>
</array>
```

Also, I've tried to debug a similar issue in the past on macOS. I've tried adding the debug profiles NetworkDiagnostic.mobileconfig and mDNSResponder.mobileconfig, but I don't see any logs related to OnDemandRules processing. Any clue how to get some insight into the rules processing/evaluation?
Sep ’24
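Added example, not part of the original post and not Apple's code: a small offline model of the outcome the quoted documentation implies for each probe result, useful as a reference to compare against what a device actually does. It assumes rules are evaluated in order with the first match deciding the action, and that a rule with no match keys always matches; the `PROFILE` sample, the function names and the probe-result map are constructed for illustration.

```python
import plistlib

# Constructed sample: SSID rule from Example 1 plus the probe and
# fallback rules from Example 2, wrapped in a minimal plist.
PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>OnDemandRules</key>
<array>
  <dict>
    <key>Action</key><string>Disconnect</string>
    <key>SSIDMatch</key><array><string>whitelistedSSID1</string></array>
  </dict>
  <dict>
    <key>URLStringProbe</key><string>https://1.1.1.1/index.html</string>
    <key>Action</key><string>Connect</string>
  </dict>
  <dict><key>Action</key><string>Disconnect</string></dict>
</array>
</dict></plist>"""

def probe_matches(status, redirected):
    """Documented probe rule: fetched with 200 and without redirection."""
    return status == 200 and not redirected

def rule_matches(rule, ssid, probes):
    """Assumed model: every match key present in the rule must match."""
    if "SSIDMatch" in rule and ssid not in rule["SSIDMatch"]:
        return False
    if "URLStringProbe" in rule:
        # probes maps URL -> (status, redirected); missing entry = timeout
        status, redirected = probes.get(rule["URLStringProbe"], (None, False))
        return probe_matches(status, redirected)
    return True  # no match keys: rule always matches

def expected_action(profile, ssid, probes):
    """Return (rule index, Action) of the first matching rule."""
    for i, rule in enumerate(plistlib.loads(profile)["OnDemandRules"]):
        if rule_matches(rule, ssid, probes):
            return i, rule["Action"]
    return None, None

if __name__ == "__main__":
    url = "https://1.1.1.1/index.html"
    outcomes = {"200": (200, False), "404": (404, False),
                "redirect": (200, True), "timeout": None}
    for name, outcome in outcomes.items():
        probes = {} if outcome is None else {url: outcome}
        print(name, expected_action(PROFILE, "hotspot", probes))
```

Under this model, a rule with no match keys placed ahead of the probe rule is always the first match, so the probe rule behind it is never reached.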