Update readme, add certs dir

Paul Miller
2026-02-27 08:08:40 +00:00
parent 82b80b56d1
commit 140fa1f6d2
6 changed files with 109 additions and 331 deletions
+53 -30
@@ -2,7 +2,30 @@
# encrypted-dns-configs
Configuration profiles for [DNS over HTTPS](https://en.wikipedia.org/wiki/DNS_over_HTTPS) and [DNS over TLS](https://en.wikipedia.org/wiki/DNS_over_TLS). Check out the article for more info: [paulmillr.com/posts/encrypted-dns/](https://paulmillr.com/posts/encrypted-dns/). To add a new provider, or edit an existing one, edit json files in `src` directory.
Configuration profiles for [DNS over HTTPS](https://en.wikipedia.org/wiki/DNS_over_HTTPS) and [DNS over TLS](https://en.wikipedia.org/wiki/DNS_over_TLS). Check out the article for more info: [paulmillr.com/posts/encrypted-dns/](https://paulmillr.com/posts/encrypted-dns/). To add a new provider, or edit an existing one: see [#contributing](#contributing).
## Usage
Install / download profile (`.mobileconfig` file) from a table below. After that:
iPhones, iPads:
1. Open the file by using Safari (other browsers will just download the file and won't ask for installation)
2. Tap on "Allow" button. The profile should download.
3. Go to **System Settings => General => VPN, DNS & Device Management**, select downloaded profile and tap the "Install" button.
Mac:
1. Ensure the downloaded file has proper extension: NAME.mobileconfig, not NAME.mobileconfig.txt.
2. Choose Apple menu > System Settings, click Privacy and Security in the sidebar, then click Profiles on the right.
You may need to scroll down. You may be asked to supply your password or other information during installation.
3. In the Downloaded section, double-click the profile. Review the profile contents then click Continue, Install or Enroll to install the profile. If an earlier version of a profile is already installed on your Mac, the settings in the updated version replace the previous ones.
## Providers
Censorship (also known as "filtering") means the profile will not send true information about `hostname=IP` relation for some hosts.
<%PROVIDERS_TABLE%>
## Known issues
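Review bot: the Mac steps lose their numbering partway through in this hunk: "You may need to scroll down. You may be asked to supply your password or other information during installation." sits as an unnumbered line between steps 2 and 3, whereas the version being replaced kept the password prompt as its own numbered step. Suggest restoring it as a step (or folding it into step 2 in parentheses, as before) so the list renders correctly. The Censorship sentence also says "the profile will not send true information about `hostname=IP` relation"; the profile only selects a resolver, so "the resolver will return filtered (untrue) `hostname=IP` answers for some hosts" states the risk more precisely. Minor: the Usage intro says "from a table below" while the table is rendered under Providers by `<%PROVIDERS_TABLE%>`; "from the Providers table below" would point readers at the right place.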
@@ -16,39 +39,39 @@ Configuration profiles for [DNS over HTTPS](https://en.wikipedia.org/wiki/DNS_ov
[More info](https://security.googleblog.com/2022/07/dns-over-http3-in-android.html)
4. e-dns over TOR could be better privacy-wise, but we don't have this for now.
## Usage
## Contributing
Install / download profile (`.mobileconfig` file) from a table below. After that:
- **To add / edit a profile:** edit json files in `src` directory.
- **To verify resolver IPs / hostnames:** compare mobileconfig files to their original websites (open files in a text editor).
- Check out [developer.apple.com](https://developer.apple.com/documentation/devicemanagement/dnssettings) for more docs.
- **On demand activation:** You can optionally exclude some trusted Wi-Fi networks where you don't want to use encrypted DNS. To do so, add your SSIDs in the [OnDemandRules](https://github.com/paulmillr/encrypted-dns/blob/master/profiles/template-on-demand.mobileconfig#L22-L38) section inside the `PayloadContent` dictionary of a profile.
iPhones, iPads:
### Scripts
1. Open the mobileconfig file in GitHub by using Safari (other browsers will just download the file and won't ask for installation)
2. Tap on "Allow" button. The profile should download.
3. Go to **System Settings => General => VPN, DNS & Device Management**, select downloaded profile and tap the "Install" button.
- `npm run build` - re-build profiles, signed profiles, READMEs
- `npm run sign` - re-sign all profiles (updates `signature` field) using an ECC SSL certificate.
- Signing is done using [key-producer](https://github.com/paulmillr/micro-key-producer)
- Let's Encrypt free certificates are OK, but [expire in 45 days](https://letsencrypt.org/2026/02/24/rate-limits-45-day-certs).
- Expects following files to be present in `certs` subdirectory:
Mac:
```
`privkey.pem` : the private key for your certificate.
`fullchain.pem`: the certificate file used in most server software.
`chain.pem` : used for OCSP stapling in Nginx >=1.3.7.
`cert.pem`
```
1. Ensure the downloaded file has proper extension: NAME.mobileconfig, not NAME.mobileconfig.txt.
2. Choose Apple menu > System Settings, click Privacy and Security in the sidebar, then click Profiles on the right. (You may need to scroll down.)
3. You may be asked to supply your password or other information during installation.
4. In the Downloaded section, double-click the profile. Review the profile contents then click Continue, Install or Enroll to install the profile. If an earlier version of a profile is already installed on your Mac, the settings in the updated version replace the previous ones.
## Providers
`Censorship=yes` (also known as "filtering") means the profile will not send true information about `hostname=IP` relation for some hosts.
<%PROVIDERS_TABLE%>
## Signed Profiles
To verify resolver IPs and hostnames, compare mobileconfig files to their documentation URLs. Internal workings of the profiles are described on [developer.apple.com](https://developer.apple.com/documentation/devicemanagement/dnssettings). In order to verify signed mobileconfigs, you will need to download them to your computer and open them in a text editor, because signing profiles makes GitHub think that they are binary files.
## On demand activation
You can optionally exclude some trusted Wi-Fi networks where you don't want to use encrypted DNS. To do so, add your SSIDs in the [OnDemandRules](https://github.com/paulmillr/encrypted-dns/blob/master/profiles/template-on-demand.mobileconfig#L22-L38) section inside the `PayloadContent` dictionary of a profile. Note: you can't edit signed profiles.
## Contributing a new profile
To add a new provider, or edit an existing one, edit json files in `src` directory.
- `npm run new` - interactively creates new profile from CLI options. Can also be ran with flags.
- `scripts/new.test.ts` includes CLI snapshot tests and a PTY interactive flow test.
- PTY test runs by default; set `NEW_TEST_PTY=0` to opt out.
- `node scripts/sign-single.ts --ca cert.pem --priv_key key.pem [--chain chain.pem] path.mobileconfig` - sings single mobileconfig
- `node scripts/sign-single-openssl.ts --ca cert.pem --priv_key key.pem [--chain chain.pem] path.mobileconfig` Sign one `.mobileconfig` using OpenSSL.
- Uses `-nosmimecap` to match local CMS signing policy.
- `node scripts/detach.ts signed.mobileconfig` - detach CMS signature from signed profile and print PEM to stdout.
- `node test/sign-single.test.ts` - Parity check for `sign-single.ts` vs `sign-single-openssl.sh`.
- Runs under `npm run test`.
- Generates temporary test root/signer certificates and keys via OpenSSL.
- Signs the same profile with `scripts/sign.ts` and `scripts/sign_openssl.sh`.
- Verifies detached content and embedded certificate set parity.
<%PROVIDERS_LINKS%>
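Review bot: the Scripts section instructs contributors to place `privkey.pem` in a `certs` subdirectory, and the commit message says this commit adds that directory, but nothing in the hunk states that `certs/` is excluded from version control; suggest adding a line such as "`certs/` is git-ignored; never commit `privkey.pem`" and confirming the `.gitignore` entry is among the other changed files. Script names are inconsistent across the hunk: `sign-single-openssl.ts` is listed as a script, the parity-test bullet refers to `sign-single-openssl.sh`, and the test description refers to `scripts/sign.ts` and `scripts/sign_openssl.sh`; use the real filenames throughout. Likewise `sign-single.ts` takes `--ca cert.pem --priv_key key.pem` while the `certs` listing uses `privkey.pem`, `fullchain.pem`, `chain.pem` and `cert.pem`; one sentence mapping the flags to those files would avoid signing with the wrong certificate. If the old "Signed Profiles" and "On demand activation" sections are being dropped, carry their two caveats into the new Contributing bullets: signed profiles cannot be edited (so on-demand SSIDs must be added before signing), and signed profiles must be downloaded and opened in a text editor because GitHub treats them as binary. Typos: "sings single mobileconfig" should be "signs a single mobileconfig", and "Can also be ran" should be "Can also be run".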