diff --git a/README.cmn-CN.md b/README.cmn-CN.md
index 0a50f32..617b0da 100644
--- a/README.cmn-CN.md
+++ b/README.cmn-CN.md
@@ -47,6 +47,7 @@
 | [DNS4EU Protective with child protection & ad-blocking][dns4eu-protective-child-ads] | 🇨🇿 | 是 | Operated by a consortium lead by Whalebone. Blocks Malware, Ads and explicit content | | [HTTPS][dns4eu-profile-protective-child-ads-https], [TLS][dns4eu-profile-protective-child-ads-tls] |
 | [DNSPod 公共 DNS][dnspod-dns] | 🇨🇳 | 否 | 由腾讯公司 DNSPod 运营 | [HTTPS][dnspod-dns-profile-https-signed], [TLS][dnspod-dns-profile-tls-signed] | [HTTPS][dnspod-dns-profile-https], [TLS][dnspod-dns-profile-tls] |
 | [FDN][fdn-dns] | 🇫🇷 | 否 | 由法国数据网络运营 | | [HTTPS][fdn-https], [TLS][fdn-tls] |
+| [FFMUC-DNS][ffmucdns] | 🇩🇪 | 否 | FFMUC free DNS servers provided by Freifunk München. | | [HTTPS][ffmuc-profile-https], [TLS][ffmuc-profile-tls] |
 | [Google 公共 DNS][google-dns] | 🇺🇸 | 否 | 由谷歌公司运营 | [HTTPS][google-dns-profile-https-signed], [TLS][google-dns-profile-tls-signed] | [HTTPS][google-dns-profile-https], [TLS][google-dns-profile-tls] |
 | [keweonDNS][keweondns] | 🇩🇪 | 否 | 由 Aviontex 运营,拦截广告和跟踪器 | [HTTPS][keweondns-profile-https-signed], [TLS][keweondns-profile-tls-signed] | [HTTPS][keweondns-profile-https], [TLS][keweondns-profile-tls] |
 | [Mullvad DNS][mullvad-dns] | 🇸🇪 | 是 | 由 Mullvad VPN AB 运营 | [HTTPS][mullvad-dns-profile-https-signed] | [HTTPS][mullvad-dns-profile-https] |
@@ -203,6 +204,9 @@ New-Guid
 [dns4eu-protective-child-ads]: https://www.joindns4.eu/for-public
 [dns4eu-profile-protective-child-ads-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/dns4eu-protective-child-ads-https.mobileconfig
 [dns4eu-profile-protective-child-ads-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/dns4eu-protective-child-ads-tls.mobileconfig
+[ffmucdns]: https://ffmuc.net/wiki/knb:dohdot_en
+[ffmuc-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/ffmucdns-https.mobileconfig
+[ffmuc-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/ffmucdns-tls.mobileconfig
 [360-dns-profile-https-signed]: https://github.com/paulmillr/encrypted-dns/raw/master/signed/360-https.mobileconfig
 [adguard-dns-default-profile-https-signed]: https://github.com/paulmillr/encrypted-dns/raw/master/signed/adguard-default-https.mobileconfig
 [adguard-dns-default-profile-tls-signed]: https://github.com/paulmillr/encrypted-dns/raw/master/signed/adguard-default-tls.mobileconfig
diff --git a/README.cmn-TW.md b/README.cmn-TW.md
index 77ae193..795d0ea 100644
--- a/README.cmn-TW.md
+++ b/README.cmn-TW.md
@@ -47,6 +47,7 @@
 | [DNS4EU Protective with child protection & ad-blocking][dns4eu-protective-child-ads] | 🇨🇿 | 是 | Operated by a consortium lead by Whalebone. Blocks Malware, Ads and explicit content | | [HTTPS][dns4eu-profile-protective-child-ads-https], [TLS][dns4eu-profile-protective-child-ads-tls] |
 | [DNSPod 公共 DNS][dnspod-dns] | 🇨🇳 | 否 | 由騰訊公司 DNSPod 營運 | [HTTPS][dnspod-dns-profile-https-signed], [TLS][dnspod-dns-profile-tls-signed] | [HTTPS][dnspod-dns-profile-https], [TLS][dnspod-dns-profile-tls] |
 | [FDN][fdn-dns] | 🇫🇷 | 否 | 由法國資料網路營運 | | [HTTPS][fdn-https], [TLS][fdn-tls] |
+| [FFMUC-DNS][ffmucdns] | 🇩🇪 | 否 | FFMUC free DNS servers provided by Freifunk München. | | [HTTPS][ffmuc-profile-https], [TLS][ffmuc-profile-tls] |
 | [Google 公共 DNS][google-dns] | 🇺🇸 | 否 | 由谷歌公司營運 | [HTTPS][google-dns-profile-https-signed], [TLS][google-dns-profile-tls-signed] | [HTTPS][google-dns-profile-https], [TLS][google-dns-profile-tls] |
 | [keweonDNS][keweondns] | 🇩🇪 | 否 | 由 Aviontex 營運,阻擋廣告和追蹤器 | [HTTPS][keweondns-profile-https-signed], [TLS][keweondns-profile-tls-signed] | [HTTPS][keweondns-profile-https], [TLS][keweondns-profile-tls] |
 | [Mullvad DNS][mullvad-dns] | 🇸🇪 | 是 | 由 Mullvad VPN AB 營運 | [HTTPS][mullvad-dns-profile-https-signed] | [HTTPS][mullvad-dns-profile-https] |
@@ -203,6 +204,9 @@ New-Guid
 [dns4eu-protective-child-ads]: https://www.joindns4.eu/for-public
 [dns4eu-profile-protective-child-ads-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/dns4eu-protective-child-ads-https.mobileconfig
 [dns4eu-profile-protective-child-ads-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/dns4eu-protective-child-ads-tls.mobileconfig
+[ffmucdns]: https://ffmuc.net/wiki/knb:dohdot_en
+[ffmuc-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/ffmucdns-https.mobileconfig
+[ffmuc-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/ffmucdns-tls.mobileconfig
 [360-dns-profile-https-signed]: https://github.com/paulmillr/encrypted-dns/raw/master/signed/360-https.mobileconfig
 [adguard-dns-default-profile-https-signed]: https://github.com/paulmillr/encrypted-dns/raw/master/signed/adguard-default-https.mobileconfig
 [adguard-dns-default-profile-tls-signed]: https://github.com/paulmillr/encrypted-dns/raw/master/signed/adguard-default-tls.mobileconfig
diff --git a/README.md b/README.md
index 5efe541..36482d9 100644
--- a/README.md
+++ b/README.md
@@ -48,6 +48,7 @@ Check out [encrypted-dns over TOR](https://github.com/alecmuffett/dohot) if you
 | [DNS4EU Protective with child protection & ad-blocking][dns4eu-protective-child-ads] | 🇨🇿 | Yes | Operated by a consortium lead by Whalebone. Blocks Malware, Ads and explicit content | | [HTTPS][dns4eu-profile-protective-child-ads-https], [TLS][dns4eu-profile-protective-child-ads-tls] |
 | [DNSPod Public DNS][dnspod-dns] | 🇨🇳 | No | Operated by DNSPod Inc., a Tencent Cloud Company | [HTTPS][dnspod-dns-profile-https-signed], [TLS][dnspod-dns-profile-tls-signed] | [HTTPS][dnspod-dns-profile-https], [TLS][dnspod-dns-profile-tls] |
 | [FDN][fdn-dns] | 🇫🇷 | No | Operated by French Data Network | | [HTTPS][fdn-https], [TLS][fdn-tls] |
+| [FFMUC-DNS][ffmucdns] | 🇩🇪 | No | FFMUC free DNS servers provided by Freifunk München. | | [HTTPS][ffmuc-profile-https], [TLS][ffmuc-profile-tls] |
 | [Google Public DNS][google-dns] | 🇺🇸 | No | Operated by Google LLC | [HTTPS][google-dns-profile-https-signed], [TLS][google-dns-profile-tls-signed] | [HTTPS][google-dns-profile-https], [TLS][google-dns-profile-tls] |
 | [keweonDNS][keweondns] | 🇩🇪 | No | Operated by Aviontex. Blocks ads & tracking | [HTTPS][keweondns-profile-https-signed], [TLS][keweondns-profile-tls-signed] | [HTTPS][keweondns-profile-https], [TLS][keweondns-profile-tls] |
 | [Mullvad DNS][mullvad-dns] | 🇸🇪 | Yes | Operated by Mullvad VPN AB | [HTTPS][mullvad-dns-profile-https-signed] | [HTTPS][mullvad-dns-profile-https] |
@@ -217,6 +218,9 @@ New-Guid
 [dns4eu-protective-child-ads]: https://www.joindns4.eu/for-public
 [dns4eu-profile-protective-child-ads-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/dns4eu-protective-child-ads-https.mobileconfig
 [dns4eu-profile-protective-child-ads-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/dns4eu-protective-child-ads-tls.mobileconfig
+[ffmucdns]: https://ffmuc.net/wiki/knb:dohdot_en
+[ffmuc-profile-https]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/ffmucdns-https.mobileconfig
+[ffmuc-profile-tls]: https://github.com/paulmillr/encrypted-dns/raw/master/profiles/ffmucdns-tls.mobileconfig
 [360-dns-profile-https-signed]: https://github.com/paulmillr/encrypted-dns/raw/master/signed/360-https.mobileconfig
 [adguard-dns-default-profile-https-signed]: https://github.com/paulmillr/encrypted-dns/raw/master/signed/adguard-default-https.mobileconfig
 [adguard-dns-default-profile-tls-signed]: https://github.com/paulmillr/encrypted-dns/raw/master/signed/adguard-default-tls.mobileconfig
diff --git a/languages/01-en.md b/languages/01-en.md
index edfc0bf..567853b 100644
--- a/languages/01-en.md
+++ b/languages/01-en.md
@@ -11,8 +11,8 @@ Profiles are generated from easily editable `.json` files. Check out `providers` Check out [encrypted-dns over TOR](https://github.com/alecmuffett/dohot) if you need more privacy. Known issues (we can't fix them, maybe Apple can): - eDNS gets disabled: [Little Snitch & Lulu](https://github.com/paulmillr/encrypted-dns/issues/13), [VPN](https://github.com/paulmillr/encrypted-dns/issues/18) -- Some traffic is exempt from eDNS: [Terminal / App Store](https://github.com/paulmillr/encrypted-dns/issues/22), [Chrome](https://github.com/paulmillr/encrypted-dns/issues/19) -- Starting from iOS & iPadOS 15.5, [Wi-Fi captive portals](https://en.wikipedia.org/wiki/Captive_portal) in cafes, hotels, airports are exempted by Apple from eDNS rules; to simplify authentication. This is good news. +- Some traffic is exempt from eDNS: [Terminal / App Store](https://github.com/paulmillr/encrypted-dns/issues/22), [Chrome](https://github.com/paulmillr/encrypted-dns/issues/19) - this is bad +- [Wi-Fi captive portals](https://en.wikipedia.org/wiki/Captive_portal) in cafes, hotels, airports are exempted by Apple from eDNS rules; to simplify authentication - this is good - TLS DNS is blocked more often by ISPs than HTTPS, because TLS uses non-standard port 853, which is easy to filter out. See [Google's article](https://security.googleblog.com/2022/07/dns-over-http3-in-android.html) @@ -68,7 +68,9 @@ You can optionally exclude some trusted Wi-Fi networks where you don't want to u ## Contributing a new profile -Profiles are basically text files. Copy an existing one and change its UUID, make sure you update README with new profile's info. +Profiles are generated from easily editable `.json` files. Check out `providers` directory to add or edit a new profile. + +Copy an existing one and change its UUID, make sure you update README with new profile's info. In addition to generating online, there are many other ways to generate a random UUID: 
diff --git a/profiles/ffmucdns-https.mobileconfig b/profiles/ffmucdns-https.mobileconfig new file mode 100644 index 0000000..8e64cc9 --- /dev/null +++ b/profiles/ffmucdns-https.mobileconfig @@ -0,0 +1,53 @@ + + + + + PayloadContent + + + DNSSettings + + DNSProtocol + HTTPS + ServerAddresses + + 2001:678:e68:f000:: + 2001:678:ed0:f000:: + 5.1.66.255 + 185.150.99.255 + + ServerURL + https://doh.ffmuc.net/dns-query + + PayloadDescription + Configures device to use FFMUC-DNS Encrypted DNS over HTTPS + PayloadDisplayName + FFMUC DNS over HTTPS + PayloadIdentifier + com.apple.dnsSettings.managed.3b0c0dcc-d377-48fb-a222-019f42867461 + PayloadType + com.apple.dnsSettings.managed + PayloadUUID + a9167fd8-e278-4c62-8c89-12f171617446 + PayloadVersion + 1 + ProhibitDisablement + + + + PayloadDescription + Adds the FFMUC DNS to Big Sur and iOS 14 based systems + PayloadDisplayName + FFMUC Encrypted DNS over HTTPS + PayloadIdentifier + com.paulmillr.apple-dns + PayloadRemovalDisallowed + + PayloadType + Configuration + PayloadUUID + f9186f3a-edbc-422e-9d3c-31956c67fd14 + PayloadVersion + 1 + + diff --git a/profiles/ffmucdns-tls.mobileconfig b/profiles/ffmucdns-tls.mobileconfig new file mode 100644 index 0000000..145a4be --- /dev/null +++ b/profiles/ffmucdns-tls.mobileconfig 
@@ -0,0 +1,53 @@ + + + + + PayloadContent + + + DNSSettings + + DNSProtocol + TLS + ServerAddresses + + 2001:678:e68:f000:: + 2001:678:ed0:f000:: + 5.1.66.255 + 185.150.99.255 + + ServerName + dot.ffmuc.net + + PayloadDescription + Configures device to use FFMUC-DNS Encrypted DNS over TLS + PayloadDisplayName + FFMUC DNS over TLS + PayloadIdentifier + com.apple.dnsSettings.managed.69866750-1580-4f0f-90db-bd10da1ce3df + PayloadType + com.apple.dnsSettings.managed + PayloadUUID + 35022acf-0422-4523-a0aa-41f0747037ad + PayloadVersion + 1 + ProhibitDisablement + + + + PayloadDescription + Adds the FFMUC DNS to Big Sur and iOS 14 based systems + PayloadDisplayName + FFMUC Encrypted DNS over TLS + PayloadIdentifier + com.paulmillr.apple-dns + PayloadRemovalDisallowed + + PayloadType + Configuration + PayloadUUID + 386ffdff-bb84-499f-bfb4-10b4ea229ee8 + PayloadVersion + 1 + + diff --git a/providers/36-ffmuc-dns.json b/providers/36-ffmuc-dns.json new file mode 100644 index 0000000..53ae2ed --- /dev/null +++ b/providers/36-ffmuc-dns.json 
@@ -0,0 +1,51 @@
+{
+ "id": "ffmucdns",
+ "profile": "ffmuc-profile",
+ "website": "https://ffmuc.net/wiki/knb:dohdot_en",
+ "region": "DE",
+ "censorship": false,
+ "names": {
+ "en": "FFMUC-DNS",
+ "cmn-CN": "FFMUC-DNS",
+ "cmn-TW": "FFMUC-DNS"
+ },
+ "notes": {
+ "en": "FFMUC free DNS servers provided by Freifunk München.",
+ "cmn-CN": "",
+ "cmn-TW": ""
+ },
+ "https": {
+ "name": "FFMUC-DNS Encrypted DNS over HTTPS",
+ "fullName": "FFMUC DNS",
+ "topName": "FFMUC Encrypted DNS over HTTPS",
+ "PayloadDisplayName": "FFMUC DNS over HTTPS",
+ "DNSProtocol": "HTTPS",
+ "ServerURLOrName": "https://doh.ffmuc.net/dns-query",
+ "ServerAddresses": [
+ "2001:678:e68:f000::",
+ "2001:678:ed0:f000::",
+ "5.1.66.255",
+ "185.150.99.255"
+ ],
+ "PayloadIdentifier": "com.apple.dnsSettings.managed.3b0c0dcc-d377-48fb-a222-019f42867461",
+ "PayloadUUID": "a9167fd8-e278-4c62-8c89-12f171617446",
+ "TopPayloadUUID": "f9186f3a-edbc-422e-9d3c-31956c67fd14"
+ },
+ "tls": {
+ "name": "FFMUC-DNS Encrypted DNS over TLS",
+ "fullName": "FFMUC DNS",
+ "topName": "FFMUC Encrypted DNS over TLS",
+ "PayloadDisplayName": "FFMUC DNS over TLS",
+ "DNSProtocol": "TLS",
+ "ServerURLOrName": "dot.ffmuc.net",
+ "ServerAddresses": [
+ "2001:678:e68:f000::",
+ "2001:678:ed0:f000::",
+ "5.1.66.255",
+ "185.150.99.255"
+ ],
+ "PayloadIdentifier": "com.apple.dnsSettings.managed.69866750-1580-4f0f-90db-bd10da1ce3df",
+ "PayloadUUID": "35022acf-0422-4523-a0aa-41f0747037ad",
+ "TopPayloadUUID": "386ffdff-bb84-499f-bfb4-10b4ea229ee8"
+ }
+}
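Review bot: The `ServerAddresses` list is duplicated in the `https` and `tls` objects and hard-codes four resolver IPs into every installed profile, so the values should be checked against the operator page named in `website` before merge and kept identical in both objects. A wrong or later-renumbered address would most likely surface on devices as failed lookups rather than silent redirection, assuming the encrypted session is still validated against `doh.ffmuc.net` / `dot.ffmuc.net`. The six UUID-bearing values (`PayloadIdentifier`, `PayloadUUID`, `TopPayloadUUID`) need to be unique across `providers/`, which this hunk alone cannot confirm. The `notes` entries for `cmn-CN` and `cmn-TW` are empty strings while the localized README rows in this commit show the English sentence; following the wording of the neighbouring rows they could read `"cmn-CN": "由 Freifunk München 运营"` and `"cmn-TW": "由 Freifunk München 營運"`.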