Locking down iOS to prevent DNS changes


  • April 17, 2020 at 3:34 am



    I see that CleanBrowsing has an app to easily set DNS on an iOS device, like my child’s. And there’s a passcode that prevents changing the DNS settings — through the CleanBrowsing app. But I think it wouldn’t be that hard for a child to Google and find out how to change the DNS settings directly through the iOS network settings. Is there a way to lock that down? Maybe through MDM, if not through restrictions/screentime? I didn’t see anything in screentime nor restrictions.


    Thank you,


    April 19, 2020 at 5:29 pm

    Even if he changes the DNS directly on the Settings, it would not override the App. We create a VPN and force all DNS requests through the App.


    April 20, 2020 at 12:25 am

    Hi Daniel,

    Thanks for your reply!

    That’s interesting.  But if I’m not mistaken, my child can just delete the VPN profile, right?  If that is true (which looks to be the case), is there some way I’d know if the VPN profile was deleted, aside from frequently looking at the device?

    Thank you,


    April 27, 2020 at 8:53 am

    This is maybe possible to prevent on mobile devices, but how can we restrict changing DNS on laptops and computers? It’s quite obvious that this app only changes the DNS setting; it’s just a click away to change it back to default. Is there any way we can prevent this?

    April 27, 2020 at 3:40 pm

    I can answer that one, I think. Provided the laptop or computer your user (presumably child) uses has a separate account that does not have administrative rights, they won’t be able to change the DNS. A second account on your PC has admin rights, and it’s there that you set the DNS to cleanbrowsing.org’s DNS. That’s what I did for my children’s devices.

    May 3, 2020 at 1:40 pm

    I think you are talking about Windows here. Any idea about Mac OS?

    May 4, 2020 at 11:04 am

    I can help you with that, I was also looking for a solution 🙂

    You can lock the DNS settings by enabling “Require an administrator password to access system-wide preferences” in the system preferences: https://mongeit.consulting/mac-security-settings/

    May 11, 2020 at 6:23 pm

    Thanks Peter. I think that will help me with that.

    June 25, 2020 at 4:39 am

    I am afraid to say this is no small task. Your best option is to use configuration profiles. I suggest setting them up through Apple Configurator 2 on a Mac. Otherwise you would have to tinker around with the XML syntax of the profiles. You will want to set the device as a supervised device to have the most control. That requires wiping the device, I believe.

    Once you have a supervised device there are some great restriction settings for app and website whitelists: prevention of installing or removing configuration profiles, prevention of Erase All Content and Settings. You can prevent installation of VPNs.

    Now to your question: unfortunately, the only current way to force DNS settings on WiFi AND Cell is to implement an IKEv2 VPN on the iPhone and force it through the configuration profile. This is called an Always On VPN. These cannot be uninstalled or toggled off in any way. Don’t get them confused with the auto connect VPNs. What is annoying is that no VPN services I found out there had an IKEv2 profile that I could configure on the iPhone. I ended up creating my own and hosting it on Digital Ocean for about $5 a month. Definitely a pain. Especially for anyone not experienced with tech. Now, what is super annoying is that I had issues with WiFi calling and connection to an Apple Watch.

    Long story short, Apple does not provide the kind of customization that is needed to create a properly restricted device. They don’t even allow app developers that customization either. Even pushing Apple’s configuration profiles to the limit, you are still going to run into technical issues and lack of documentation. I am making the switch to Android after battling for a long time to get iOS to where I was satisfied with their native restriction offerings. If you are set on Apple, an IKEv2 VPN forced into an Always On connection through a configuration profile is your only option.
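
Added example, not part of the post above and not CleanBrowsing or Apple tooling: a Python check that an unsigned .mobileconfig contains what the post describes, namely an Always On IKEv2 VPN covering both WiFi and cellular, a non-removable profile, and the supervised-only restrictions on VPN creation, erase and manual profile installation. The key names are Apple's documented configuration-profile keys; the sample profile, its identifier and the server name are constructed placeholders.

```python
import plistlib

# Supervised-only restriction keys matching the post's list: no VPN creation,
# no Erase All Content and Settings, no manual profile installation.
RESTRICTIONS = ("allowVPNCreation", "allowEraseContentAndSettings",
                "allowUIConfigurationProfileInstallation")

# Constructed sample profile; identifier and server name are placeholders.
SAMPLE_PROFILE = {
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.family.lockdown",
    "PayloadRemovalDisallowed": True,
    "PayloadContent": [
        {"PayloadType": "com.apple.vpn.managed", "VPNType": "AlwaysOn",
         "AlwaysOn": {"UIToggleEnabled": 0, "TunnelConfigurations": [
             {"ProtocolType": "IKEv2", "Interfaces": ["Cellular", "WiFi"],
              "RemoteAddress": "vpn.example.invalid"}]}},
        {"PayloadType": "com.apple.applicationaccess",
         **{key: False for key in RESTRICTIONS}},
    ],
}

def audit_profile(data: bytes) -> list:
    """Return the gaps found in a .mobileconfig; an empty list means none."""
    profile = plistlib.loads(data)
    payloads = profile.get("PayloadContent", [])
    findings, covered, restrictions = [], set(), {}
    always_on = [p for p in payloads
                 if p.get("PayloadType") == "com.apple.vpn.managed"
                 and p.get("VPNType") == "AlwaysOn"]
    if not always_on:
        findings.append("no Always On VPN payload")
    for payload in always_on:
        config = payload.get("AlwaysOn", {})
        if config.get("UIToggleEnabled"):
            findings.append("Always On VPN can be toggled off by the user")
        for tunnel in config.get("TunnelConfigurations", []):
            if tunnel.get("ProtocolType") == "IKEv2":
                # A tunnel with no Interfaces key is treated as covering both.
                covered.update(tunnel.get("Interfaces", ["Cellular", "WiFi"]))
    findings += [f"no IKEv2 tunnel for {iface}" for iface in ("Cellular", "WiFi")
                 if always_on and iface not in covered]
    if profile.get("PayloadRemovalDisallowed") is not True:
        findings.append("profile can be removed on the device")
    for payload in payloads:
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            restrictions.update(payload)
    findings += [f"{key} is not set to false" for key in RESTRICTIONS
                 if restrictions.get(key) is not False]
    return findings
```

This reads unsigned profiles only; a signed .mobileconfig is wrapped in a CMS envelope and has to be unwrapped before `plistlib` can parse it.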

    July 15, 2020 at 1:56 pm

    I was going to create a new thread, but this one is applicable.

    I have been using a paid CleanBrowsing account for a while now, but I’m new to the forums. I went through the documentation to use DNSCloak on my family’s iOS devices, which seems to ensure the kiddos cannot deactivate the VPN or delete the app (with the appropriate settings in place both in the DNS app and ScreenTime settings).

    However I saw the CleanBrowsing app out there, which is much more user friendly than the DNSCloak app. I tried it on my personal phone but saw that I could deactivate the VPN with a button click. Will that app add the same capability as DNSCloak to force the VPN to always be “on”?

    July 16, 2020 at 5:46 am

    DNSCloak can actually be easily disabled in the same way that the iOS CleanBrowsing app can. From the VPN settings. It is a limitation of iOS. The only way currently is to use a configuration profile on a supervised device. Current approaches by accountability apps are to send an alert when the VPN is disabled. I have switched to Android and have been very happy so far with the capabilities of enforcing DNS etc.

    July 16, 2020 at 11:48 am

    Explain how DNSCloak is easily bypassed. I have restrictions set where the kids can’t delete the app. Then inside the app, it’s set to auto connect. It reconnects automatically even if they click to disable VPN. Lastly there is a passcode on the app that they don’t know so they can’t disable from the app.

    There may be a way yet to disable, but I wouldn’t call it easy. I don’t know how to disable it myself without either deleting the app (which they can’t do) or stopping from inside the app (which they can’t do).

    August 10, 2020 at 8:56 pm


    Thanks for the info!

    Can you give us any hints on creating that IKEv2 VPN profile? Any help would be appreciated. I really need to lock CleanBrowsing family on an iPhone.
    I tried extracting DNSCloak’s configuration profile to use with the Apple Configurator but I failed, as Apple Configurator didn’t show VPN configurations.


    August 11, 2020 at 10:24 am


    You said you have no problems with enforcing DNS on Android. I personally use a DNS changer app + app lock. Do you know a better method?


    September 23, 2020 at 4:30 am

    The only way I know of to lock a VPN profile onto an iOS device is by using configurator.app and setting the phone in supervised mode. Let me tell you: it is a pain in the neck.

    As far as a desktop is concerned, I found the best way to do this is at the router. I use an ASUS RT-AC68 with the 3rd party Merlin firmware installed (based on dd-wrt). By following this guide you can enforce safe search on every device connected to your network.

    I hope this helps.