Add 'exclude domains' option for .mobileconfig generator
Prerequisites
- [X] I have checked the Wiki and Discussions and found no answer
- [X] I have searched other issues and found no duplicates
- [X] I want to request a feature or enhancement and not ask a question
Description
What problem are you trying to solve?
On iOS, visual voicemail (and presumably some other cell carrier services) by design expect to be resolved by and routed to the cellular provider despite any existing networks or settings. They demand this to work.
If the carrier's visual voicemail domain isn't excluded specifically from any encrypted DNS .mobileconfig, voicemail simply stops working on that phone. I discovered this after using my AGH instance for months, and receiving no voicemails (and missing some appointments!). Switching temporarily to NextDNS, I saw they allow you to exclude domains when generating the config. In my case, I excluded vvm.ee.co.uk and captive.apple.com and voicemail works again. For now, I have to manually copy over the template for excluding domains from NextDNS to AGH profiles. It would be nice to see this built in.
Proposed solution
Add an option box on the /#guide DNS privacy tab to allow the user to specify a domain(s) to be excluded from the encrypted DNS profile.
Alternatives considered
- Switching to NextDNS.
- Not having voicemail any more(!).
Additional information
The 'missing' section in .mobileconfig looks like this:
```xml
<key>OnDemandRules</key>
<array>
  <dict>
    <key>Action</key>
    <string>EvaluateConnection</string>
    <key>ActionParameters</key>
    <array>
      <dict>
        <key>DomainAction</key>
        <string>NeverConnect</string>
        <key>Domains</key>
        <array>
          <string>vvm.ee.co.uk</string>
          <string>captive.apple.com</string>
        </array>
      </dict>
    </array>
  </dict>
  <dict>
    <key>Action</key>
    <string>Connect</string>
  </dict>
</array>
```
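A generator for the missing section, as an added Go example that is not AdGuard Home's own code: it renders the OnDemandRules array for a list of excluded domains (trimmed, lower-cased, de-duplicated and XML-escaped so a value cannot break out of its `<string>`), emits nothing when the list is empty so existing profiles are unaffected, and checks that the output parses. The function names are my own; the fragment goes inside the DNS payload dict of the profile.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// esc XML-escapes s so a user-supplied domain cannot inject extra elements.
func esc(s string) string {
	var b strings.Builder
	xml.EscapeText(&b, []byte(s))
	return b.String()
}

// OnDemandRules renders the array from the issue: listed domains get
// DomainAction NeverConnect (left to the system resolver), everything else
// falls through to Action Connect. An empty list yields "" (no rules at all).
func OnDemandRules(exclude []string) string {
	seen, domains := map[string]bool{}, []string{}
	for _, d := range exclude {
		if d = strings.ToLower(strings.TrimSpace(d)); d != "" && !seen[d] {
			seen[d], domains = true, append(domains, d)
		}
	}
	if len(domains) == 0 {
		return ""
	}
	var b strings.Builder
	b.WriteString("<key>OnDemandRules</key><array><dict><key>Action</key><string>EvaluateConnection</string>")
	b.WriteString("<key>ActionParameters</key><array><dict><key>DomainAction</key><string>NeverConnect</string>")
	b.WriteString("<key>Domains</key><array>")
	for _, d := range domains {
		fmt.Fprintf(&b, "<string>%s</string>", esc(d))
	}
	b.WriteString("</array></dict></array></dict><dict><key>Action</key><string>Connect</string></dict></array>")
	return b.String()
}

// WellFormed reports whether doc parses as XML end to end (mismatched tags fail).
func WellFormed(doc string) bool {
	dec := xml.NewDecoder(strings.NewReader(doc))
	for {
		if _, err := dec.Token(); err != nil {
			return err == io.EOF
		}
	}
}
```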
I encountered a significant issue while using a mobileconfig profile generated by Adguard on my iPhone. After losing cellular connectivity and reconnecting to the network, I was unable to reactivate iMessage with my phone number until I was connected to Wi-Fi. This highlights a serious limitation—there really should be a way to allow specific DNS names to bypass the VPN. Without this, Apple users face reliability issues with core services like iMessage, which can impact their ability to stay reachable. Please prioritize this work and consider sharing examples of common domains iPhone (and other mobile) users ought to consider allowing to bypass the VPN so that basic mobile services work reliably. Here's a crude starting point...
```text
# Bypass List for Apple Services, Carrier DNS, RCS, SIM Provisioning, and Related Infrastructure

# Apple Services
*.apple.com          # Apple base domain
*.icloud.com         # iCloud sync, backup
*.cdn-apple.com      # Apple CDN
*.mzstatic.com       # App Store media
*.itunes.apple.com   # iTunes services
*.push.apple.com     # APNs (push notifications)
*.apple-dns.net      # Apple DNS infrastructure

# Carrier DNS & Portals
*.myvzw.com          # Verizon customer portal
*.vzw.com            # Verizon DNS and services
*.tmomail.net        # T-Mobile SMS gateway
*.att.net            # AT&T customer and DNS services
*.sprintpcs.com      # Sprint services
*.boostmobile.com    # Boost Mobile customer portal

# RCS Providers
*.jibecloud.net      # Google Jibe RCS backend

# SIM/eSIM Provisioning
*.otgeuicc.com       # eSIM/eUICC remote provisioning

# Google Messaging & Android Connectivity
*.gstatic.com            # Google static content (Play Services, connectivity checks)
*.googleapis.com         # Google APIs (used by Android/Play Store/RCS)
*.googleusercontent.com  # Image proxies, OAuth tokens, avatars
```
Note: I use Tailscale as a VPN to connect to my Adguard (AGH) server and use Tailscale for my DNS settings so that I can use AGH to resolve my DNS.
Update 6/23/25: Unfortunately, when I use a mobile config generated by AdGuard on iOS, it appears to block certain Apple (and perhaps carrier services) from resolving DNS outside the VPN tunnel. As a result, iMessage fails to reconnect using my phone number after I lose and regain cellular service—unless I connect to Wi-Fi. All my blue iMessages fail to send.
However, if I remove the mobile config, iMessage reconnects over cellular as expected. This suggests the config is interfering with DNS requests which are essential for reactivating iMessage. Would be great if this did not happen. The mobile config is a nice feature of AGH but needs more rules to allow Apple to poke through.