[Feature request] Use DNS-over-HTTPS/TLS configuration profiles (iOS, iPadOS, macOS) #6203

Open
5 of 10 tasks
aniqueta opened this issue Apr 30, 2024 · 0 comments
Labels
feature request For issues asking for new features


I have checked if others have suggested this already

  • I have checked this issue tracker to see if others have reported similar issues.

Feature description

This is similar to, but not quite the same as, #3689.

While Mullvad offers its own ad and tracker blocking DNS, users may want greater customization of what to block and/or custom DNS resolution to use for private resources. In those cases, users may set up their own DNS using DNS-over-HTTPS or -TLS.

On macOS and iOS/iPadOS, one can use both a VPN and a DNS configuration profile for DNS-over-HTTPS (DoH) or DNS-over-TLS (DoT) if one configures the VPN application to use the OS DNS resolver, per the following:

  1. Set 0.0.0.0/32 and ::/128 as the DNS server in the VPN application
  2. Disallow those IPs from the VPN, which would make the following the allowed IPs:
0.0.0.1/32, 0.0.0.2/31, 0.0.0.4/30, 0.0.0.8/29, 0.0.0.16/28, 0.0.0.32/27, 0.0.0.64/26, 0.0.0.128/25, 0.0.1.0/24, 0.0.2.0/23, 0.0.4.0/22, 0.0.8.0/21, 0.0.16.0/20, 0.0.32.0/19, 0.0.64.0/18, 0.0.128.0/17, 0.1.0.0/16, 0.2.0.0/15, 0.4.0.0/14, 0.8.0.0/13, 0.16.0.0/12, 0.32.0.0/11, 0.64.0.0/10, 0.128.0.0/9, 1.0.0.0/8, 2.0.0.0/7, 4.0.0.0/6, 8.0.0.0/5, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/1, ::1/128, ::2/127, ::4/126, ::8/125, ::10/124, ::20/123, ::40/122, ::80/121, ::100/120, ::200/119, ::400/118, ::800/117, ::1000/116, ::2000/115, ::4000/114, ::8000/113, ::0.1.0.0/112, ::0.2.0.0/111, ::0.4.0.0/110, ::0.8.0.0/109, ::0.16.0.0/108, ::0.32.0.0/107, ::0.64.0.0/106, ::0.128.0.0/105, ::1.0.0.0/104, ::2.0.0.0/103, ::4.0.0.0/102, ::8.0.0.0/101, ::16.0.0.0/100, ::32.0.0.0/99, ::64.0.0.0/98, ::128.0.0.0/97, ::1:0:0/96, ::2:0:0/95, ::4:0:0/94, ::8:0:0/93, ::10:0:0/92, ::20:0:0/91, ::40:0:0/90, ::80:0:0/89, ::100:0:0/88, ::200:0:0/87, ::400:0:0/86, ::800:0:0/85, ::1000:0:0/84, ::2000:0:0/83, ::4000:0:0/82, ::8000:0:0/81, ::1:0:0:0/80, ::2:0:0:0/79, ::4:0:0:0/78, ::8:0:0:0/77, ::10:0:0:0/76, ::20:0:0:0/75, ::40:0:0:0/74, ::80:0:0:0/73, ::100:0:0:0/72, ::200:0:0:0/71, ::400:0:0:0/70, ::800:0:0:0/69, ::1000:0:0:0/68, ::2000:0:0:0/67, ::4000:0:0:0/66, ::8000:0:0:0/65, 0:0:0:1::/64, 0:0:0:2::/63, 0:0:0:4::/62, 0:0:0:8::/61, 0:0:0:10::/60, 0:0:0:20::/59, 0:0:0:40::/58, 0:0:0:80::/57, 0:0:0:100::/56, 0:0:0:200::/55, 0:0:0:400::/54, 0:0:0:800::/53, 0:0:0:1000::/52, 0:0:0:2000::/51, 0:0:0:4000::/50, 0:0:0:8000::/49, 0:0:1::/48, 0:0:2::/47, 0:0:4::/46, 0:0:8::/45, 0:0:10::/44, 0:0:20::/43, 0:0:40::/42, 0:0:80::/41, 0:0:100::/40, 0:0:200::/39, 0:0:400::/38, 0:0:800::/37, 0:0:1000::/36, 0:0:2000::/35, 0:0:4000::/34, 0:0:8000::/33, 0:1::/32, 0:2::/31, 0:4::/30, 0:8::/29, 0:10::/28, 0:20::/27, 0:40::/26, 0:80::/25, 0:100::/24, 0:200::/23, 0:400::/22, 0:800::/21, 0:1000::/20, 0:2000::/19, 0:4000::/18, 0:8000::/17, 1::/16, 2::/15, 4::/14, 8::/13, 10::/12, 20::/11, 40::/10, 80::/9, 100::/8, 
200::/7, 400::/6, 800::/5, 1000::/4, 2000::/3, 4000::/2, 8000::/1

This approach works using the stock WireGuard app on both macOS and iOS/iPadOS.

I have tried Step 1 in the Mullvad app, and it does not appear to work, since there is no way to do Step 2.

Alternative solutions

Naturally, since this works using the WireGuard application, one can manually configure Mullvad VPNs in WireGuard using this approach. However, this makes things less user-friendly. For example, one cannot change Mullvad servers and locations very easily. It also takes up one of the five clients that Mullvad allows, limiting the use of the official Mullvad app in other situations.

Type of feature

  • Better privacy/anonymity
  • Better at circumventing censorship
  • Easier to use
  • Other

Operating System

  • Android
  • iOS
  • Windows
  • macOS
  • Linux
@aniqueta added the "feature request" label on Apr 30, 2024
@aniqueta changed the title from "[Feature request] Use DNS-over-HTTPS/TLS configuration profiles" to "[Feature request] Use DNS-over-HTTPS/TLS configuration profiles (iOS, iPadOS, macOS)" on Apr 30, 2024
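The allowed-IPs list in step 2 of the issue can be derived rather than typed by hand. The following is an added example, not code from the issue or from the Mullvad project: it carves the two placeholder DNS addresses out of `0.0.0.0/0` and `::/0` with Python's standard `ipaddress` module and checks that neither address would be routed into the tunnel. The function names are hypothetical; `AllowedIPs` is the WireGuard configuration key.

```python
import ipaddress

# The two placeholder DNS addresses from step 1 of the issue.
DNS_PLACEHOLDERS = ("0.0.0.0/32", "::/128")


def allowed_ips_excluding(excluded):
    """Minimal CIDR list covering all of IPv4 and IPv6 except `excluded`."""
    excluded = [ipaddress.ip_network(e) for e in excluded]
    result = []
    for everything in (ipaddress.ip_network("0.0.0.0/0"),
                       ipaddress.ip_network("::/0")):
        remaining = [everything]
        for ex in (e for e in excluded if e.version == everything.version):
            carved = []
            for net in remaining:
                if ex.subnet_of(net):
                    # Split `net` into the blocks that do not contain `ex`.
                    carved.extend(net.address_exclude(ex))
                elif not net.subnet_of(ex):
                    carved.append(net)  # untouched by this exclusion
            remaining = carved
        # Sort per address family; mixed-version networks cannot be compared.
        result.extend(sorted(remaining))
    return result


def is_tunnelled(address, networks):
    """True if `address` would be routed into the tunnel by `networks`."""
    ip = ipaddress.ip_address(address)
    return any(ip in n for n in networks if n.version == ip.version)


def wireguard_allowed_ips_line(excluded=DNS_PLACEHOLDERS):
    """Render the result as a WireGuard `AllowedIPs = ...` line."""
    nets = allowed_ips_excluding(excluded)
    return "AllowedIPs = " + ", ".join(str(n) for n in nets)


if __name__ == "__main__":
    nets = allowed_ips_excluding(DNS_PLACEHOLDERS)
    print(len(nets), "networks")
    print("0.0.0.0 tunnelled:", is_tunnelled("0.0.0.0", nets))
    print(wireguard_allowed_ips_line())
```

Python prints some IPv6 prefixes in a different but equivalent notation from the issue's list, for example `::1:0/112` for `::0.1.0.0/112`.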