Apple DNS Profile Generator
Profile
Profile Name
REQUIRED
The name of this configuration profile, displayed in iOS/iPadOS/macOS Settings → VPN & Device Management.
Profile Description
This description appears when installing or viewing the configuration profile in Settings.
Profile Identifier
A unique reverse-DNS-style identifier. Leave blank to auto-generate.
Advanced Settings
Organization Name
Payload Scope
System
Applies to all users
User
Applies to current user
Payload Removal
When enabled, the profile cannot be removed by the user from Settings without an MDM command.
Disallow Removal
Prevents users from deleting this profile
DNS Configuration
DNS Name
The display name of the DNS payload shown in Settings. Leave blank to use "[Profile Name] DNS".
DNS Description
A short description for the DNS payload. Leave blank to use the default.
DNS Identifier
The identifier for the inner DNS payload. Leave blank to auto-generate.
DNS Protocol
DNS-over-HTTPS (DoH)
Uses HTTPS on port 443, harder to block
DNS-over-TLS (DoT)
Uses TLS on port 853, dedicated protocol
Server URL (DoH)
REQUIRED
Server Addresses
Can help with the initial connection before DNS resolution. One IPv4/IPv6 address per line.
Additional Options
DNS Failover
Fall back to the unencrypted DNS provided by the network when the configured server is unreachable.
Allow Failover
Avoids internet loss on encrypted DNS failures
DNS Disablement
When enabled, users cannot disable the encrypted DNS settings. Use with caution on managed devices.
Prohibit Disablement
Prohibits disabling encrypted DNS
Network Interfaces
Use encrypted DNS with selected network interfaces. When Wi-Fi is disabled, Excluded Wi-Fi Networks is also unavailable.
Wi-Fi
Cellular
Ethernet
Excluded Domains
Disable encrypted DNS for these specified domains. One domain per line.
Excluded Wi-Fi Networks
Disable encrypted DNS on these specific Wi-Fi networks. One SSID per line.
Generate .mobileconfig