How to disable DNS over HTTPS (DoH) and DNS over TLS (DoT) network-wide for Apple iOS and macOS

Solution 1:

There's no similar network-wide opt-out canary domain feature for iOS and macOS in general. However, if you use for example Firefox on macOS, you can use that feature to disable it for that one browser in particular - unless the user opts in to DoH/DoT, in which case the feature does not do anything.

You can usually block DoT in your OpenWrt router by blocking outgoing port 853. You can usually block DoH by blocking port 443, however that would also mean blocking most web sites.

Note that if you do block port 853 in your router, iOS will give the user a warning that encrypted DNS is being blocked by the network!

If there's a specific DNS server (or smaller list of servers) that you do not want to be used on your network, you can block all traffic to that IP address in your OpenWrt router. Similar warnings apply.

Finally, if you have control over the Apple devices yourself, you can use MDM to change their DNS settings. In particular you could for example enable DoH and point it to your own server - or point it to a server that doesn't exist - effectively disabling it.
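As an added example (not part of the answer above), here are the port-853 block and the per-resolver IP block described above expressed as OpenWrt UCI firewall rules; the zone names `lan`/`wan`, the rule names and the resolver addresses are assumptions, and the script prints the commands for review rather than applying them.

```shell
#!/bin/sh
# Added example (not from the original answer): print OpenWrt UCI commands that
# reject outbound DNS-over-TLS (port 853) from the LAN zone and, for each
# resolver IP given as an argument, block all traffic to that address.
# Commands are printed rather than applied so they can be reviewed first; on the
# router, pipe the output into sh. REJECT (not DROP) is used so clients get an
# immediate error instead of waiting for a timeout.

gen_encrypted_dns_block_rules() {
    # Rule 1: DoT uses port 853 (TCP; UDP 853 is DNS-over-DTLS).
    cat <<'EOF'
uci add firewall rule
uci set firewall.@rule[-1].name='Reject-DoT-853'
uci set firewall.@rule[-1].src='lan'
uci set firewall.@rule[-1].dest='wan'
uci set firewall.@rule[-1].proto='tcp udp'
uci set firewall.@rule[-1].dest_port='853'
uci set firewall.@rule[-1].target='REJECT'
EOF
    # One rule per resolver IP: stops DoH to that resolver on 443 without
    # blocking HTTPS to everything else.
    for ip in "$@"; do
        cat <<EOF
uci add firewall rule
uci set firewall.@rule[-1].name='Reject-resolver-${ip}'
uci set firewall.@rule[-1].src='lan'
uci set firewall.@rule[-1].dest='wan'
uci set firewall.@rule[-1].proto='all'
uci set firewall.@rule[-1].dest_ip='${ip}'
uci set firewall.@rule[-1].target='REJECT'
EOF
    done
    echo "uci commit firewall"
    echo "/etc/init.d/firewall restart"
}

# Sample invocation with constructed placeholder resolver addresses
# (RFC 5737 documentation range, not real resolvers):
gen_encrypted_dns_block_rules 192.0.2.53 198.51.100.53
```

Clients will still show the "encrypted DNS is being blocked" warning mentioned above; the rules only make the block explicit and fast.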