Use DNS-over-HTTPS/TLS configuration profiles (iOS, iPadOS, macOS)

[aniqueta]

I have checked if others have suggested this already

• I have checked this issue tracker to see if others have reported similar issues.

Feature description

This is similar to, but not quite, the same as #3689

While Mullvad offers its own ad and tracker blocking DNS, users may want greater customization of what to block and/or custom DNS resolution to use for private resources. In those cases, users may setup their own DNS using DNS-over-HTTPS or -TLS.

On macOS and iOS/iPadOS, one can use both a VPN and a DNS configuration profile for DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) if one configures the VPN application to use the OS DNS resolver, per the following:

1. Set 0.0.0.0/32 and ::/128 as the DNS server in the VPN application
2. Disallow those IPs from the VPN, which would make the following the allowed IPs

0.0.0.1/32, 0.0.0.2/31, 0.0.0.4/30, 0.0.0.8/29, 0.0.0.16/28, 0.0.0.32/27, 0.0.0.64/26, 0.0.0.128/25, 0.0.1.0/24, 0.0.2.0/23, 0.0.4.0/22, 0.0.8.0/21, 0.0.16.0/20, 0.0.32.0/19, 0.0.64.0/18, 0.0.128.0/17, 0.1.0.0/16, 0.2.0.0/15, 0.4.0.0/14, 0.8.0.0/13, 0.16.0.0/12, 0.32.0.0/11, 0.64.0.0/10, 0.128.0.0/9, 1.0.0.0/8, 2.0.0.0/7, 4.0.0.0/6, 8.0.0.0/5, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/1, ::1/128, ::2/127, ::4/126, ::8/125, ::10/124, ::20/123, ::40/122, ::80/121, ::100/120, ::200/119, ::400/118, ::800/117, ::1000/116, ::2000/115, ::4000/114, ::8000/113, ::0.1.0.0/112, ::0.2.0.0/111, ::0.4.0.0/110, ::0.8.0.0/109, ::0.16.0.0/108, ::0.32.0.0/107, ::0.64.0.0/106, ::0.128.0.0/105, ::1.0.0.0/104, ::2.0.0.0/103, ::4.0.0.0/102, ::8.0.0.0/101, ::16.0.0.0/100, ::32.0.0.0/99, ::64.0.0.0/98, ::128.0.0.0/97, ::1:0:0/96, ::2:0:0/95, ::4:0:0/94, ::8:0:0/93, ::10:0:0/92, ::20:0:0/91, ::40:0:0/90, ::80:0:0/89, ::100:0:0/88, ::200:0:0/87, ::400:0:0/86, ::800:0:0/85, ::1000:0:0/84, ::2000:0:0/83, ::4000:0:0/82, ::8000:0:0/81, ::1:0:0:0/80, ::2:0:0:0/79, ::4:0:0:0/78, ::8:0:0:0/77, ::10:0:0:0/76, ::20:0:0:0/75, ::40:0:0:0/74, ::80:0:0:0/73, ::100:0:0:0/72, ::200:0:0:0/71, ::400:0:0:0/70, ::800:0:0:0/69, ::1000:0:0:0/68, ::2000:0:0:0/67, ::4000:0:0:0/66, ::8000:0:0:0/65, 0:0:0:1::/64, 0:0:0:2::/63, 0:0:0:4::/62, 0:0:0:8::/61, 0:0:0:10::/60, 0:0:0:20::/59, 0:0:0:40::/58, 0:0:0:80::/57, 0:0:0:100::/56, 0:0:0:200::/55, 0:0:0:400::/54, 0:0:0:800::/53, 0:0:0:1000::/52, 0:0:0:2000::/51, 0:0:0:4000::/50, 0:0:0:8000::/49, 0:0:1::/48, 0:0:2::/47, 0:0:4::/46, 0:0:8::/45, 0:0:10::/44, 0:0:20::/43, 0:0:40::/42, 0:0:80::/41, 0:0:100::/40, 0:0:200::/39, 0:0:400::/38, 0:0:800::/37, 0:0:1000::/36, 0:0:2000::/35, 0:0:4000::/34, 0:0:8000::/33, 0:1::/32, 0:2::/31, 0:4::/30, 0:8::/29, 0:10::/28, 0:20::/27, 0:40::/26, 0:80::/25, 0:100::/24, 0:200::/23, 0:400::/22, 0:800::/21, 0:1000::/20, 0:2000::/19, 0:4000::/18, 0:8000::/17, 1::/16, 2::/15, 4::/14, 8::/13, 10::/12, 20::/11, 40::/10, 80::/9, 100::/8, 200::/7, 400::/6, 800::/5, 1000::/4, 2000::/3, 4000::/2, 8000::/1

This approach works using the stock Wireguard app on both macOS and iOS/iPadOS.

I have tried Step 1 in the Mullvad app, and it does not appear to work, since there is no way to do Step 2.

Alternative solutions

Naturally, since this works using the Wireguard application, one can manually configure Mullvad VPNs in the Wireguard using this approach. However, this makes things less user friendly. For example, one cannot change Mullvad servers and locations very easily. It also takes up one of the five clients that Mullvad allows, limiting the use of the official Mullvad app in other situations.

Type of feature

• Better privacy/anonymity
• Better at circumventing censorship
• Easier to use
• Other

Operating System

• Android
• iOS
• Windows
• macOS
• Linux

[fritz-fritz]

Really want this, have been using the WireGuard app to accomplish this but now that quantum tunnels and obfuscation are available in the Mullvad App it is tempting to switch. Occasionally I have need to join networks that are hostile to VPNs but work with obfuscation.

Please let me control the allowed/disallowed IP ranges! Even if it’s buried as an advanced feature, it is extremely useful!

[drpoutine]

Please let me control the allowed/disallowed IP ranges! Even if it’s buried as an advanced feature, it is extremely useful!

would like to +1 this as well. sometimes in airplanes you have to disable to disable mullvad entirely in order to allow the captive portal to load. would be awesome to see if we can whitelist a domain/ip range in the app for both ios/macos

love the mullvad app thou. wouldnt even mind if its buried in advanced features

[aniqueta]

Just wanted to follow and see if this feature is planned? Given issues with using local DNS in app, this could be also a solution for that, while enabling use of custom DoH/DoT. Thanks.

[Rawa]

Just doing some chores here, we've moved to discussions. I'm going to close this issue and consolidate it into the very similar one for DoH & DoT #9121

[fritz-fritz]

@Rawa regardless of the move to discussions, I would once again point out that this is in fact a separate feature request than the linked discussion. We are asking for the ability to choose the allowed ips for routing.

Typically this is for excluding 0.0.0.0 and ::1 from the allowed ip range so that these special ips can be configured to be used to allow local dns outside the tunnel which is very useful for users with complex dns needs.

It also would allow users to have fine grained control for subnet routing where multiple subnets could be considered local and should be excluded from the tunnel.

These are basic functionality of the WireGuard protocol and would be fantastic to see implemented in the app.

[Rawa]

Note taken. I've re-opened it and moved it to discussions.