diff --git a/README.cmn-CN.md b/README.cmn-CN.md
index 1ccea16..3377d83 100644
--- a/README.cmn-CN.md
+++ b/README.cmn-CN.md
@@ -19,7 +19,7 @@
“`审查=是`”表示描述文件不会发送某些主机“`主机名=IP`”关系的真实信息。
-| 名称 | 区域 | 审查 | 备注 | 安装 (已签名 - 推荐) | 安装 (未签名) |
+| 名称 | 区域 | 审查 | 备注 | 安装 | 安装 (未签名) |
| ------------------------------------------------------------------------------------ | ----- | ---- | ------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------- |
| [360 安全 DNS][360-dns] | 🇨🇳 | 是 | 由 360 数字安全集团运营 | [HTTPS][360-dns-profile-https-signed] | [HTTPS][360-dns-profile-https] |
| [AdGuard DNS 默认][adguard-dns-default] | 🇷🇺 | 是 | 由 AdGuard 运营,拦截广告、跟踪器和钓鱼网站 | [HTTPS][adguard-dns-default-profile-https-signed], [TLS][adguard-dns-default-profile-tls-signed] | [HTTPS][adguard-dns-default-profile-https], [TLS][adguard-dns-default-profile-tls] |
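Review bot: The renamed header `安装` no longer tells readers that this column holds the signed profiles, although every link in it still targets a `*-signed` reference and the neighbouring column is still labelled `安装 (未签名)`. Consider keeping the signed marker in the header (for example `安装 (已签名)`) so the two columns stay distinguishable by what they contain, even if the recommendation wording is dropped.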
diff --git a/README.md b/README.md
index b3f9401..74b8bfc 100644
--- a/README.md
+++ b/README.md
@@ -6,26 +6,23 @@ Configuration profiles for [DNS over HTTPS](https://en.wikipedia.org/wiki/DNS_ov
To add a new provider, or edit an existing one, edit json files in `src` directory.
-### Caveats
+### Known issues
-Known issues (we can't fix them, maybe Apple can):
-
-1. Applications (e.g. Firefox in specific regions; App Store in all regions) can choose to ignore the system-level resolver and use their own.
- [Check out the discussion](https://github.com/paulmillr/encrypted-dns/issues/22).
-2. iCloud Private Relay, VPN clients & Little Snitch / LuLu will ignore the DNS profile.
-3. Command line tools that interact with DNS (e.g. `host`, `dig`, `nslookup`) won't use DoH -
- will use the DNS severs set in Network, or picked up from DHCP.
-4. [Wi-Fi captive portals](https://en.wikipedia.org/wiki/Captive_portal) in cafes, hotels, airports are exempted by Apple from eDNS rules; to simplify authentication - this is good
-5. TLS DNS is blocked more often by ISPs than HTTPS, because TLS uses non-standard port 853, which is easy to block.
- See [Google's article](https://security.googleblog.com/2022/07/dns-over-http3-in-android.html)
-
-Check out [encrypted-dns over TOR](https://github.com/alecmuffett/dohot) if you need more privacy.
+1. Some apps and protocols will ignore encrypted-dns:
+ - Firefox in specific regions, App Store in all regions. [More info](https://github.com/paulmillr/encrypted-dns/issues/22)
+ - iCloud Private Relay, VPN clients
+ - Little Snitch, LuLu
+ - DNS-related CLI tools: `host`, `dig`, `nslookup` etc.
+2. [Wi-Fi captive portals](https://en.wikipedia.org/wiki/Captive_portal) in cafes, hotels, airports are exempted by Apple from eDNS rules; to simplify authentication - this is ok
+3. TLS DNS is easier for providers to block, because it uses non-standard port 853.
+ [More info](https://security.googleblog.com/2022/07/dns-over-http3-in-android.html)
+4. e-dns over TOR could be better privacy-wise, but we don't have this for now.
## Providers
`Censorship=yes` (also known as "filtering") means the profile will not send true information about `hostname=IP` relation for some hosts.
-| Name | Region | Censorship | Notes | Install (Signed - Recommended) | Install (unsigned) |
+| Name | Region | Censorship | Notes | Install | Install (unsigned) |
| ------------------------------------------------------------------------------------ | ------ | ---------- | --------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------- |
| [360 Security DNS][360-dns] | 🇨🇳 | Yes | Operated by 360 Digital Security Group | [HTTPS][360-dns-profile-https-signed] | [HTTPS][360-dns-profile-https] |
| [AdGuard DNS Default][adguard-dns-default] | 🇷🇺 | Yes | Operated by AdGuard Software Ltd. Blocks ads, tracking & phishing | [HTTPS][adguard-dns-default-profile-https-signed], [TLS][adguard-dns-default-profile-tls-signed] | [HTTPS][adguard-dns-default-profile-https], [TLS][adguard-dns-default-profile-tls] |
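Review bot: The new bullet for `host`, `dig`, `nslookup` under item 1 drops the removed statement that these tools fall back to the DNS servers set in Network or picked up from DHCP, which is the part that tells a reader where their CLI lookups actually go. Suggest keeping that clause on the bullet. More generally, "will ignore encrypted-dns" does not say which resolver is used instead, where the old item 1 said applications "use their own".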
@@ -81,28 +78,8 @@ macOS [(official docs)](https://support.apple.com/guide/mac-help/mh35561/):
If an earlier version of a profile is already installed on your Mac, the settings in the updated version replace the previous ones.
-## Scope
-
-There seems to be an [additional option](https://github.com/paulmillr/encrypted-dns/issues/22) that allows to use system-wide profiles. To try it, add this to mobileconfig file:
-
-```xml
-PayloadScope
-System
-```
-
## Signed Profiles
-In the `signed` folder we have signed versions of the profiles in this repository. These profiles have been signed by [@Xernium](https://github.com/Xernium) so that when you install the profiles,
-they will have a verified check box on the installation screen. It also ensures that these profiles have not been tampered with. However, since they were signed by a third party, they may lag behind their unsigned counterparts a little.
-The signature is valid until `2025-11-02`
-
-Previous signatures by:
-[@Xernium](https://github.com/Xernium), replaced at `2024-11-01`
-
-[@Candygoblen123](https://github.com/Candygoblen123), replaced at `2023-11-29`
-
-[comment]: <> (We recommend that you install a signed profile instead of an unsigned profile because it ensures that it was not modified while it was downloading.)
-
To verify resolver IPs and hostnames, compare mobileconfig files to their documentation URLs. Internal workings of the profiles are described on [developer.apple.com](https://developer.apple.com/documentation/devicemanagement/dnssettings). In order to verify signed mobileconfigs, you will need to download them to your computer and open them in a text editor, because signing profiles makes GitHub think that they are binary files.
## On demand activation
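Review bot: After this removal the `## Signed Profiles` heading is followed only by the paragraph on comparing resolver IPs and hostnames, so the README no longer states who signed the profiles or that the signature is valid until `2025-11-02`, while the remaining text still talks about verifying signed mobileconfigs. Keep at least the signer and the validity date under this heading, or rename the heading to match the paragraph that is left.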
diff --git a/generate.js b/generate.js
index 6f2afa5..7b322b6 100644
--- a/generate.js
+++ b/generate.js
@@ -2,8 +2,8 @@
const fs = require('node:fs');
const path = require('node:path');
-const LANGUAGES_DIR = path.join(__dirname, 'languages');
-const PROVIDERS_PATH = path.join(__dirname, 'providers');
+const LANGUAGES_DIR = path.join(__dirname, 'src-languages');
+const PROVIDERS_PATH = path.join(__dirname, 'src');
const DEFAULT_LANG = 'en';
const OUTPUT_DIR = __dirname;
const REPO_RAW = 'https://github.com/paulmillr/encrypted-dns/raw/master';
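Review bot: `LANGUAGES_DIR` and `PROVIDERS_PATH` both hold directory paths but use different suffixes; since both lines are being touched, consider `PROVIDERS_DIR` for consistency. A short comment saying that `src` holds the provider JSON files and `src-languages` the per-language `.json` and `.md` sources would also help, as the new names alone do not say so.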
@@ -260,8 +260,8 @@ function generateConfigs() {
}
// Small utility to rewrite config structure
function patchConfigs() {
- for (const f of fs.readdirSync(`./providers/`)) {
- const path = `./providers/${f}`;
+ for (const f of fs.readdirSync(`./src/`)) {
+ const path = `./src/${f}`;
const json = JSON.parse(fs.readFileSync(path, 'utf8'));
fs.writeFileSync(path, JSON.stringify(json, null, 4));
}
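Review bot: `patchConfigs()` hard-codes `./src/` in both changed lines, which resolves against the current working directory, while `PROVIDERS_PATH` at the top of the file already points to the same directory relative to `__dirname`. Use `PROVIDERS_PATH` with `path.join` here so the next rename is a one-line change and the script works from any directory; that also means renaming the local `const path`, which shadows the `node:path` import inside the loop.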
diff --git a/src-languages/01-en.json b/src-languages/01-en.json
index 004e7fb..b62be4e 100644
--- a/src-languages/01-en.json
+++ b/src-languages/01-en.json
@@ -6,7 +6,7 @@
"region": "Region",
"censorship": "Censorship",
"notes": "Notes",
- "install_signed": "Install (Signed - Recommended)",
+ "install_signed": "Install",
"install_unsigned": "Install (unsigned)"
},
"yes": "Yes",
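Review bot: The key stays `install_signed` but its label becomes plain `Install`, next to `Install (unsigned)`, so the rendered header no longer says that this column is the signed variant. Either keep the signed marker in the label (for example `Install (signed)`) or rename the key so the source and the rendered text agree.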
diff --git a/src-languages/01-en.md b/src-languages/01-en.md
index 18fdef6..51ef9b3 100644
--- a/src-languages/01-en.md
+++ b/src-languages/01-en.md
@@ -6,20 +6,17 @@ Configuration profiles for [DNS over HTTPS](https://en.wikipedia.org/wiki/DNS_ov
To add a new provider, or edit an existing one, edit json files in `src` directory.
-### Caveats
+### Known issues
-Known issues (we can't fix them, maybe Apple can):
-
-1. Applications (e.g. Firefox in specific regions; App Store in all regions) can choose to ignore the system-level resolver and use their own.
- [Check out the discussion](https://github.com/paulmillr/encrypted-dns/issues/22).
-2. iCloud Private Relay, VPN clients & Little Snitch / LuLu will ignore the DNS profile.
-3. Command line tools that interact with DNS (e.g. `host`, `dig`, `nslookup`) won't use DoH -
- will use the DNS severs set in Network, or picked up from DHCP.
-4. [Wi-Fi captive portals](https://en.wikipedia.org/wiki/Captive_portal) in cafes, hotels, airports are exempted by Apple from eDNS rules; to simplify authentication - this is good
-5. TLS DNS is blocked more often by ISPs than HTTPS, because TLS uses non-standard port 853, which is easy to block.
- See [Google's article](https://security.googleblog.com/2022/07/dns-over-http3-in-android.html)
-
-Check out [encrypted-dns over TOR](https://github.com/alecmuffett/dohot) if you need more privacy.
+1. Some apps and protocols will ignore encrypted-dns:
+ - Firefox in specific regions, App Store in all regions. [More info](https://github.com/paulmillr/encrypted-dns/issues/22)
+ - iCloud Private Relay, VPN clients
+ - Little Snitch, LuLu
+ - DNS-related CLI tools: `host`, `dig`, `nslookup` etc.
+2. [Wi-Fi captive portals](https://en.wikipedia.org/wiki/Captive_portal) in cafes, hotels, airports are exempted by Apple from eDNS rules; to simplify authentication - this is ok
+3. TLS DNS is easier for providers to block, because it uses non-standard port 853.
+ [More info](https://security.googleblog.com/2022/07/dns-over-http3-in-android.html)
+4. e-dns over TOR could be better privacy-wise, but we don't have this for now.
## Providers
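Review bot: New item 4 replaces the link to `https://github.com/alecmuffett/dohot` with "we don't have this for now", leaving readers who need it nothing to follow; keep the link if that project is still a valid pointer. The added lines also use three names for the same thing (`encrypted-dns`, `eDNS`, `e-dns`); pick one and use it throughout the list.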
@@ -43,28 +40,8 @@ macOS [(official docs)](https://support.apple.com/guide/mac-help/mh35561/):
If an earlier version of a profile is already installed on your Mac, the settings in the updated version replace the previous ones.
-## Scope
-
-There seems to be an [additional option](https://github.com/paulmillr/encrypted-dns/issues/22) that allows to use system-wide profiles. To try it, add this to mobileconfig file:
-
-```xml
-PayloadScope
-System
-```
-
## Signed Profiles
-In the `signed` folder we have signed versions of the profiles in this repository. These profiles have been signed by [@Xernium](https://github.com/Xernium) so that when you install the profiles,
-they will have a verified check box on the installation screen. It also ensures that these profiles have not been tampered with. However, since they were signed by a third party, they may lag behind their unsigned counterparts a little.
-The signature is valid until `2025-11-02`
-
-Previous signatures by:
-[@Xernium](https://github.com/Xernium), replaced at `2024-11-01`
-
-[@Candygoblen123](https://github.com/Candygoblen123), replaced at `2023-11-29`
-
-[comment]: <> (We recommend that you install a signed profile instead of an unsigned profile because it ensures that it was not modified while it was downloading.)
-
To verify resolver IPs and hostnames, compare mobileconfig files to their documentation URLs. Internal workings of the profiles are described on [developer.apple.com](https://developer.apple.com/documentation/devicemanagement/dnssettings). In order to verify signed mobileconfigs, you will need to download them to your computer and open them in a text editor, because signing profiles makes GitHub think that they are binary files.
## On demand activation
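Review bot: The `## Scope` section is removed without a replacement, so this file loses the mention of the `PayloadScope` / `System` option together with the link to issue #22 that discussed it. If the option was dropped because it does not work, say so in the commit message or under Known issues; otherwise keep a short pointer to the issue.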
diff --git a/src-languages/02-cmn-CN.json b/src-languages/02-cmn-CN.json
index 2d06fc3..47afc82 100644
--- a/src-languages/02-cmn-CN.json
+++ b/src-languages/02-cmn-CN.json
@@ -6,7 +6,7 @@
"region": "区域",
"censorship": "审查",
"notes": "备注",
- "install_signed": "安装 (已签名 - 推荐)",
+ "install_signed": "安装",
"install_unsigned": "安装 (未签名)"
},
"yes": "是",