Locking down iOS to prevent DNS changes
Hello,
I see that CleanBrowsing has an app to easily set DNS on an iOS device, like my child’s. And there’s a passcode that prevents changing the DNS settings through the CleanBrowsing app. But I think it wouldn’t be that hard for a child to Google and find out how to change the DNS settings directly through the iOS network settings. Is there a way to lock that down? Maybe through MDM, if not through restrictions/Screen Time? I didn’t see anything in Screen Time or restrictions.
Thank you,
Notre
Even if he changes the DNS directly in Settings, it would not override the app. We create a VPN and force all DNS requests through the app.
thanks!
Hi Daniel,
Thanks for your reply!
That’s interesting. But if I’m not mistaken, my child can just delete the VPN profile, right? If that is true (which looks to be the case), is there some way I’d know if the VPN profile was deleted, aside from frequently looking at the device?
Thank you,
Notre
This may be possible to prevent on mobile devices, but how can we restrict changing DNS on laptops and computers? It’s quite obvious that this app only changes the DNS setting; it’s just a click away to change it back to default. Is there any way we can prevent this?
I can answer that one, I think. Provided the laptop or computer your user (presumably your child) uses has a separate account that does not have administrative rights, they won’t be able to change the DNS. A second account on your PC has admin rights, and it’s there that you set the DNS to cleanbrowsing.org’s DNS. That’s what I did for my children’s devices.
I can help you with that, I was also looking for a solution 🙂
You can lock the DNS settings by enabling “Require an administrator password to access system-wide preferences” in the system preferences: https://mongeit.consulting/mac-security-settings/
I am afraid to say this is no small task. Your best option is to use configuration profiles. I suggest setting them up through Apple Configurator 2 on a Mac. Otherwise you would have to tinker around with the XML syntax of the profiles. You will want to set the device up as a supervised device to have the most control. That requires wiping the device, I believe.
Once you have a supervised device there are some great restriction settings, such as app and website whitelists, prevention of installing or removing configuration profiles, and prevention of Erase All Content and Settings. You can also prevent installation of VPNs.
Now to your question: unfortunately, the only current way to force DNS settings on WiFi AND cellular is to implement an IKEv2 VPN on the iPhone and force it through the configuration profile. This is called an Always On VPN. These cannot be uninstalled or toggled off in any way. Don’t get them confused with the auto-connect VPNs. What is annoying is that none of the VPN services I found out there had an IKEv2 profile that I could configure on the iPhone. I ended up creating my own and hosting it on Digital Ocean for about $5 a month. Definitely a pain, especially for anyone not experienced with tech. Now, what is super annoying is that I had issues with WiFi calling and connection to an Apple Watch.
Long story short, Apple does not provide the kind of customization that is needed to create a properly restricted device. They don’t allow app developers that customization either. Even pushing Apple’s configuration profiles to the limit, you are still going to run into technical issues and a lack of documentation. I am making the switch to Android after battling for a long time to get iOS to where I was satisfied with their native restriction offerings. If you are set on Apple, an IKEv2 VPN forced into an Always On connection through a configuration profile is your only option.
I was going to create a new thread, but this one is applicable.
I have been using a paid CleanBrowsing account for a while now, but I’m new to the forums. I went through the documentation to use DNSCloak on my family’s iOS devices, which seems to ensure the kiddos cannot deactivate the VPN or delete the app (with the appropriate settings in place both in the DNS app and in the Screen Time settings).
However, I saw the CleanBrowsing app out there, which is much more user friendly than the DNSCloak app. I tried it on my personal phone but saw that I could deactivate the VPN with a button click. Will that app add the same capability as DNSCloak to force the VPN to always be “on”?
DNSCloak can actually be easily disabled in the same way that the iOS CleanBrowsing app can: from the VPN settings. It is a limitation of iOS. The only way currently is to use a configuration profile on a supervised device. The current approach by accountability apps is to send an alert when the VPN is disabled. I have switched to Android and have been very happy so far with the capabilities for enforcing DNS etc.
Explain how DNSCloak is easily bypassed. I have restrictions set where the kids can’t delete the app. Then inside the app, it’s set to auto connect. It reconnects automatically even if they click to disable VPN. Lastly there is a passcode on the app that they don’t know so they can’t disable from the app.
There may be a way yet to disable it, but I wouldn’t call it easy. I don’t know how to disable it myself without either deleting the app (which they can’t do) or stopping it from inside the app (which they can’t do).
@kingHolly
Thanks for the info!
Can you give us any hints on creating that IKEv2 VPN profile? Any help would be appreciated. I really need to lock CleanBrowsing Family on an iPhone.
I tried extracting DNSCloak’s configuration profile to use with Apple Configurator, but I failed as Apple Configurator didn’t show VPN configurations. Thanks.
@kingHolly
You said you have no problems with enforcing DNS on Android. I personally use a DNS changer app + an app lock. Do you know a better method?
Thanks
The only way I know of to lock a VPN profile onto an iOS device is by using Configurator.app and setting the phone to supervised mode. Let me tell you: it is a pain in the neck.
As far as a desktop is concerned, I found the best way to do this is at the router. I use an ASUS RT-AC68 with the third-party Merlin firmware installed (based on dd-wrt). By following this guide you can enforce safe search on every device connected to your network.
I hope this helps.