The payload that configures encrypted DNS settings.
Platforms: iOS 14.0+, macOS 11.0+
Configuration Keys (3)
| Key | Type | Title | Description | Default | Range |
|-----|------|-------|-------------|---------|-------|
| DNSSettings (required) | dict | DNS Settings | A dictionary that defines a configuration for an encrypted DNS server. | — | — |
| OnDemandRules | array | On Demand Rules | An array of rules that define when the system applies the DNS settings. If not set, the system always applies the DNS settings. These rules are identical to the 'OnDemandRules' array in VPN payloads. | — | — |
| ProhibitDisablement | boolean | Prohibit Disablement | If 'true', the system prohibits users from disabling DNS settings. This key is only available on supervised devices. | false | — |
DNSSettings keys:

| Key | Type | Title | Description | Default | Range |
|-----|------|-------|-------------|---------|-------|
| DNSProtocol | string | DNS Protocol | The encrypted transport protocol used to communicate with the DNS server. | — | — |
| ServerAddresses | array | DNS Server Addresses | An unordered list of DNS server IP address strings. These IP addresses can be a mixture of IPv4 and IPv6 addresses. | — | — |
| ServerName | string | Server Name | The hostname of a DNS-over-TLS server, used to validate the server certificate as defined in RFC 7858. If no 'ServerAddresses' are provided, the system uses the hostname to determine the server addresses. This key must be present only if 'DNSProtocol' is 'TLS'. Depends on: DNSSettings.DNSProtocol ∈ [TLS] | — | — |
| ServerURL | string | Server URL | The URI template of a DNS-over-HTTPS server, as defined in RFC 8484. This URL must use the 'https://' scheme; the system uses the hostname or address in the URL to validate the server certificate. If no 'ServerAddresses' are provided, the system uses the hostname or address in the URL to determine the server addresses. Required if 'DNSProtocol' is 'HTTPS'. Depends on: DNSSettings.DNSProtocol ∈ [HTTPS] | — | — |
| SupplementalMatchDomains | array | Supplemental Match Domains | A list of domain strings used to determine which DNS queries use the DNS server. If not set, all domains use the DNS server. The system supports a single wildcard ('*') prefix, but it's not required. For example, both '*.example.com' and 'example.com' match against 'mydomain.example.com' and 'your.domain.example.com', but don't match against 'mydomain-example.com'. | — | — |
| AllowFailover | boolean | Allow Failover | If 'true', the device allows failover to the default system DNS resolver. | false | — |
| PayloadCertificateUUID | string | Certificate UUID | The UUID that points to an identity certificate payload. The system uses this identity to authenticate the user to the DNS resolver. | — | — |
Element types of the ServerAddresses, SupplementalMatchDomains and OnDemandRules arrays:

| Key | Type | Title | Description | Default | Range |
|-----|------|-------|-------------|---------|-------|
| ServerAddressesElement | string | Server Address Element | — | — | — |
| SupplementalMatchDomainsElement | string | Supplemental Match Domains Element | — | — | — |
| OnDemandRulesElement | dict | On Demand Rules Element | — | — | — |
OnDemandRulesElement keys:

| Key | Type | Title | Description | Default | Range |
|-----|------|-------|-------------|---------|-------|
| Action | string | On Demand Action | The action to take if this dictionary matches the current network. Allowed values: 'Connect' (apply DNS Settings when the dictionary matches), 'Disconnect' (don't apply DNS Settings when the dictionary matches), 'EvaluateConnection' (apply DNS Settings with per-domain exceptions when the dictionary matches). | — | — |
| ActionParameters | array | Action Parameters | An array of dictionaries that provide per-connection rules. The system uses this array only for settings where the 'Action' value is 'EvaluateConnection'. Depends on: OnDemandRulesElement.Action ∈ [EvaluateConnection] | — | — |
| DNSDomainMatch | array | DNS Domain Match | An array of domain names. This rule matches if any of the domain names in the specified list matches any domain in the device's search domains list. The system supports a single wildcard ('*') prefix, but it's not required. For example, both '*.example.com' and 'example.com' match against 'mydomain.example.com' and 'your.domain.example.com', but don't match against 'mydomain-example.com'. | — | — |
| DNSServerAddressMatch | array | DNS Server Address Match | An array of IP addresses. This rule matches if any of the network's specified DNS servers match any entry in the array. The system supports matching with a single wildcard. For example, '17.*' matches any DNS server in the 17.0.0.0/8 subnet. | — | — |
| InterfaceTypeMatch | string | Interface Type Match | An interface type. If specified, this rule matches only if the primary network interface hardware matches the specified type. | — | — |
| SSIDMatch | array | SSID Match | An array of SSIDs to match against the current network. If the network isn't a Wi-Fi network or if the SSID doesn't appear in this array, the match fails. Omit this key and the corresponding array to match against any SSID. | — | — |
| URLStringProbe | string | URL String Probe | A URL to probe. This rule matches if this URL is successfully fetched and returns a 200 HTTP status code without redirection. | — | — |
Element type of the ActionParameters array:

| Key | Type | Title | Description | Default | Range |
|-----|------|-------|-------------|---------|-------|
| ActionParameter | dict | Action Parameter | A dictionary that provides per-connection rules. The keys allowed in each dictionary are described below. Note: this array is only for dictionaries in which 'EvaluateConnection' is the 'Action' value. | — | — |

ActionParameter keys:

| Key | Type | Title | Description | Default | Range |
|-----|------|-------|-------------|---------|-------|
| DomainAction (required) | string | Domain Action | The DNS settings behavior for the specified domains. Allowed values: 'NeverConnect' (don't use the DNS Settings for the specified domains), 'ConnectIfNeeded' (allow using the DNS Settings for the specified domains). | — | — |
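As an added example (not Apple's code and not a profile from this reference), the Python below builds a constructed DNSSettings payload body, checks the dependency rules the tables state (ServerName only with 'TLS', an 'https://' ServerURL with 'HTTPS', ActionParameters only with 'EvaluateConnection', the two DomainAction values), implements the single-wildcard domain match described for SupplementalMatchDomains and DNSDomainMatch, and serializes the body as the XML plist a .mobileconfig embeds. The resolver URL, server addresses and SSID are placeholders, the helper names (`validate`, `domain_matches`, `to_plist`) are hypothetical, and treating an exact domain as a match is an assumption the reference does not spell out.

```python
import plistlib
SAMPLE = {  # constructed sample: DoH for two zones, not applied on one trusted SSID
    "DNSSettings": {
        "DNSProtocol": "HTTPS",
        "ServerURL": "https://doh.example.com/dns-query",  # placeholder resolver
        "ServerAddresses": ["192.0.2.53", "2001:db8::53"],  # documentation ranges
        "SupplementalMatchDomains": ["*.example.com", "example.net"],
        "AllowFailover": False,
    },
    "OnDemandRules": [
        {"Action": "Disconnect", "SSIDMatch": ["corp-wifi"]},  # constructed SSID
        {"Action": "Connect"},
    ],
    "ProhibitDisablement": True,  # honoured on supervised devices only
}

def domain_matches(pattern, name):
    """Single-wildcard prefix match for SupplementalMatchDomains / DNSDomainMatch;
    counting an exact match (name == pattern) as a match is an assumption."""
    pattern = pattern.lower().rstrip(".").removeprefix("*.")
    name = name.lower().rstrip(".")
    return name == pattern or name.endswith("." + pattern)

def validate(payload):
    """Return the dependency violations found; an empty list means consistent."""
    problems = []
    dns = payload.get("DNSSettings")
    if not isinstance(dns, dict):
        return ["DNSSettings dict is required"]
    proto = dns.get("DNSProtocol")
    if proto not in ("HTTPS", "TLS"):
        problems.append(f"unsupported DNSProtocol {proto!r}")
    if (proto == "TLS") != ("ServerName" in dns):
        problems.append("ServerName is required with 'TLS' and allowed only there")
    if proto == "HTTPS" and not dns.get("ServerURL", "").startswith("https://"):
        problems.append("ServerURL with an https:// scheme is required for 'HTTPS'")
    for rule in payload.get("OnDemandRules", []):
        action = rule.get("Action")
        if action not in ("Connect", "Disconnect", "EvaluateConnection"):
            problems.append(f"unknown on-demand Action {action!r}")
        if "ActionParameters" in rule and action != "EvaluateConnection":
            problems.append("ActionParameters are valid only with 'EvaluateConnection'")
        for param in rule.get("ActionParameters", []):
            if param.get("DomainAction") not in ("NeverConnect", "ConnectIfNeeded"):
                problems.append("DomainAction must be 'NeverConnect' or 'ConnectIfNeeded'")
    return problems

def to_plist(payload):
    """Serialize the body as XML plist text, the form a .mobileconfig profile embeds."""
    return plistlib.dumps(payload).decode()
```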