numa 0.14.2

Portable DNS resolver in Rust — .numa local domains, ad blocking, developer overrides, DNS-over-HTTPS
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305

//! Apple `.mobileconfig` profile generator.
//!
//! Builds iOS Configuration Profiles that Numa serves to phones for one-tap
//! CA trust and DNS-over-TLS setup. The plist structure is hand-rendered
//! via `format!` — no plist crate dependency, deterministic output, small
//! binary footprint.
//!
//! Two modes:
//!
//! - [`ProfileMode::Full`]: CA trust payload + DNS settings payload pointing
//!   at a specific LAN IP over DoT. This is what `numa setup-phone` has
//!   always produced — the user scans a QR, installs this profile, and the
//!   phone is configured for DoT through Numa in a single step (after the
//!   iOS Certificate Trust Settings toggle, which is a separate system
//!   gate we can't bypass).
//!
//! - [`ProfileMode::CaOnly`]: CA trust payload only, no DNS settings. Used
//!   by the future iOS companion app flow where `NEDNSSettingsManager`
//!   configures DNS programmatically and we only need the system trust
//!   store to accept Numa's DoT cert. Installing this profile does NOT
//!   change the user's DNS at all.
//!
//! Payload identifiers and UUIDs are fixed (not randomized) so iOS replaces
//! the existing profile on re-install rather than accumulating duplicates.
//! The `Full` and `CaOnly` profiles have distinct top-level UUIDs so they
//! can coexist as separate installed profiles, but they share the same CA
//! payload UUID since the CA itself is the same trust anchor in both.

use std::net::Ipv4Addr;

/// Top-level UUID and PayloadIdentifier for the full profile (CA + DNS).
/// Changing this breaks in-place replacement on existing iOS installs.
const FULL_PROFILE_UUID: &str = "F1E2D3C4-B5A6-7890-1234-567890ABCDEF";
const FULL_PROFILE_ID: &str = "com.numa.dns.profile";

/// Top-level UUID and PayloadIdentifier for the CA-only profile.
/// Distinct from `FULL_PROFILE_UUID` so a user can install one, the other,
/// or both without the latest install silently replacing a different mode.
const CA_ONLY_PROFILE_UUID: &str = "F2E3D4C5-B6A7-8901-2345-67890ABCDEF0";
const CA_ONLY_PROFILE_ID: &str = "com.numa.dns.ca.profile";

/// CA trust payload UUID. Same in both modes — iOS will see "the same CA
/// trust anchor" regardless of which wrapping profile contains it.
const CA_PAYLOAD_UUID: &str = "B2C3D4E5-F6A7-8901-BCDE-F12345678901";
const CA_PAYLOAD_ID: &str = "com.numa.dns.ca";

/// DNS settings payload UUID (Full mode only).
const DNS_PAYLOAD_UUID: &str = "A1B2C3D4-E5F6-7890-ABCD-EF1234567890";
const DNS_PAYLOAD_ID: &str = "com.numa.dns.dot";

/// Profile mode determines which payloads are included in the generated
/// `.mobileconfig`.
#[derive(Debug, Clone)]
pub enum ProfileMode {
    /// Full profile: CA trust anchor + managed DNS settings payload
    /// pointing at the given LAN IP over DoT. This is what the classic
    /// `numa setup-phone` QR flow serves.
    Full { lan_ip: Ipv4Addr },

    /// CA-only profile: just the trust anchor, no DNS settings. For use
    /// with the iOS companion app which manages DNS programmatically via
    /// `NEDNSSettingsManager` and only needs the system trust store to
    /// accept Numa's self-signed DoT cert.
    CaOnly,
}

/// Build a full `.mobileconfig` profile as an XML plist string.
pub fn build_mobileconfig(mode: ProfileMode, ca_pem: &str) -> String {
    let ca_payload = build_ca_payload(ca_pem);

    match mode {
        ProfileMode::Full { lan_ip } => {
            let dns_payload = build_dns_payload(lan_ip);
            let payloads = format!("{}\n{}", ca_payload, dns_payload);
            let description = format!(
                "Trusts the Numa local CA and routes DNS queries to Numa over DoT on your local network ({lan_ip})"
            );
            wrap_plist(
                &payloads,
                FULL_PROFILE_UUID,
                FULL_PROFILE_ID,
                &description,
                "Numa DNS",
            )
        }
        ProfileMode::CaOnly => wrap_plist(
            &ca_payload,
            CA_ONLY_PROFILE_UUID,
            CA_ONLY_PROFILE_ID,
            "Trusts the Numa local Certificate Authority. Does not change your DNS settings.",
            "Numa CA",
        ),
    }
}

/// Strip the PEM header/footer and newlines from a CA cert, leaving raw
/// base64 for embedding in a plist `<data>` block.
fn pem_to_base64(pem: &str) -> String {
    pem.lines()
        .filter(|line| !line.starts_with("-----"))
        .collect::<String>()
}

/// Wrap the base64 CA cert at 52 chars per line for plist readability
/// (matches Apple convention in hand-written profiles).
fn chunk_base64(base64: &str) -> String {
    base64
        .chars()
        .collect::<Vec<_>>()
        .chunks(52)
        .map(|chunk| format!("\t\t\t{}", chunk.iter().collect::<String>()))
        .collect::<Vec<_>>()
        .join("\n")
}

/// Render the `com.apple.security.root` payload dict containing the CA cert.
fn build_ca_payload(ca_pem: &str) -> String {
    let ca_wrapped = chunk_base64(&pem_to_base64(ca_pem));
    format!(
        r#"		<dict>
			<key>PayloadCertificateFileName</key>
			<string>numa-ca.pem</string>
			<key>PayloadContent</key>
			<data>
{ca}
			</data>
			<key>PayloadDescription</key>
			<string>Numa local Certificate Authority — required for DoT trust</string>
			<key>PayloadDisplayName</key>
			<string>Numa Local CA</string>
			<key>PayloadIdentifier</key>
			<string>{ca_id}</string>
			<key>PayloadType</key>
			<string>com.apple.security.root</string>
			<key>PayloadUUID</key>
			<string>{ca_uuid}</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>"#,
        ca = ca_wrapped,
        ca_id = CA_PAYLOAD_ID,
        ca_uuid = CA_PAYLOAD_UUID,
    )
}

/// Render the `com.apple.dnsSettings.managed` payload dict for Full mode.
fn build_dns_payload(lan_ip: Ipv4Addr) -> String {
    format!(
        r#"		<dict>
			<key>DNSSettings</key>
			<dict>
				<key>DNSProtocol</key>
				<string>TLS</string>
				<key>ServerAddresses</key>
				<array>
					<string>{ip}</string>
				</array>
				<key>ServerName</key>
				<string>numa.numa</string>
			</dict>
			<key>OnDemandRules</key>
			<array>
				<dict>
					<key>Action</key>
					<string>Connect</string>
					<key>InterfaceTypeMatch</key>
					<string>WiFi</string>
				</dict>
				<dict>
					<key>Action</key>
					<string>Disconnect</string>
				</dict>
			</array>
			<key>PayloadDescription</key>
			<string>Routes DNS queries through Numa over DoT when on Wi-Fi</string>
			<key>PayloadDisplayName</key>
			<string>Numa DNS-over-TLS</string>
			<key>PayloadIdentifier</key>
			<string>{dns_id}</string>
			<key>PayloadType</key>
			<string>com.apple.dnsSettings.managed</string>
			<key>PayloadUUID</key>
			<string>{dns_uuid}</string>
			<key>PayloadVersion</key>
			<integer>1</integer>
		</dict>"#,
        ip = lan_ip,
        dns_id = DNS_PAYLOAD_ID,
        dns_uuid = DNS_PAYLOAD_UUID,
    )
}

/// Wrap one or more payload dicts in the top-level plist structure
/// with Configuration type, PayloadContent array, and profile metadata.
fn wrap_plist(
    payloads: &str,
    top_uuid: &str,
    top_id: &str,
    description: &str,
    display_name: &str,
) -> String {
    format!(
        r#"<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
{payloads}
	</array>
	<key>PayloadDescription</key>
	<string>{description}</string>
	<key>PayloadDisplayName</key>
	<string>{display_name}</string>
	<key>PayloadIdentifier</key>
	<string>{top_id}</string>
	<key>PayloadRemovalDisallowed</key>
	<false/>
	<key>PayloadType</key>
	<string>Configuration</string>
	<key>PayloadUUID</key>
	<string>{top_uuid}</string>
	<key>PayloadVersion</key>
	<integer>1</integer>
</dict>
</plist>
"#,
        payloads = payloads,
        description = description,
        display_name = display_name,
        top_id = top_id,
        top_uuid = top_uuid,
    )
}

#[cfg(test)]
mod tests {
    use super::*;

    const SAMPLE_PEM: &str =
        "-----BEGIN CERTIFICATE-----\nMIIBkDCCATagAwIBAgIUTEST\n-----END CERTIFICATE-----\n";

    #[test]
    fn pem_to_base64_strips_headers() {
        let pem = "-----BEGIN CERTIFICATE-----\nABCDEF\nGHIJKL\n-----END CERTIFICATE-----\n";
        assert_eq!(pem_to_base64(pem), "ABCDEFGHIJKL");
    }

    #[test]
    fn full_profile_contains_ip_and_ca() {
        let config = build_mobileconfig(
            ProfileMode::Full {
                lan_ip: Ipv4Addr::new(192, 168, 1, 100),
            },
            SAMPLE_PEM,
        );
        assert!(config.contains("192.168.1.100"));
        assert!(config.contains("MIIBkDCCATagAwIBAgIUTEST"));
        assert!(config.contains("com.apple.security.root"));
        assert!(config.contains("com.apple.dnsSettings.managed"));
        assert!(config.contains("DNSProtocol"));
        assert!(config.contains(FULL_PROFILE_UUID));
        assert!(config.contains(FULL_PROFILE_ID));
    }

    #[test]
    fn ca_only_profile_contains_ca_but_not_dns() {
        let config = build_mobileconfig(ProfileMode::CaOnly, SAMPLE_PEM);
        assert!(config.contains("MIIBkDCCATagAwIBAgIUTEST"));
        assert!(config.contains("com.apple.security.root"));
        assert!(!config.contains("com.apple.dnsSettings.managed"));
        assert!(!config.contains("DNSProtocol"));
        assert!(!config.contains("ServerAddresses"));
        assert!(config.contains(CA_ONLY_PROFILE_UUID));
        assert!(config.contains(CA_ONLY_PROFILE_ID));
    }

    #[test]
    fn full_and_ca_only_have_distinct_top_uuids() {
        let full = build_mobileconfig(
            ProfileMode::Full {
                lan_ip: Ipv4Addr::new(10, 0, 0, 1),
            },
            SAMPLE_PEM,
        );
        let ca_only = build_mobileconfig(ProfileMode::CaOnly, SAMPLE_PEM);
        assert!(full.contains(FULL_PROFILE_UUID));
        assert!(!full.contains(CA_ONLY_PROFILE_UUID));
        assert!(ca_only.contains(CA_ONLY_PROFILE_UUID));
        assert!(!ca_only.contains(FULL_PROFILE_UUID));
    }

    #[test]
    fn both_modes_share_ca_payload_uuid() {
        let full = build_mobileconfig(
            ProfileMode::Full {
                lan_ip: Ipv4Addr::new(10, 0, 0, 1),
            },
            SAMPLE_PEM,
        );
        let ca_only = build_mobileconfig(ProfileMode::CaOnly, SAMPLE_PEM);
        assert!(full.contains(CA_PAYLOAD_UUID));
        assert!(ca_only.contains(CA_PAYLOAD_UUID));
    }
}