โ† Back to installer

🛡 Block Apple Certificate Revocation

When iOS installs a sideloaded app it contacts Apple's servers to check whether the signing certificate has been revoked. Blocking those domains at the DNS level prevents that check from completing, keeping your signed apps working even after a cert is flagged.

Heads up: Blocking these domains affects your whole device. Apple Pay, App Store cert validation, and MDM enrollment may behave differently. To undo everything, just remove the DNS profile from Settings → General → VPN & Device Management.

Domains to Block

Add all of these to your blocklist; they are all subdomains of apple.com:

Choose Your Method

NextDNS
Pi-hole
Install Profile

Step 1: Create a NextDNS account

Go to nextdns.io, sign up for free, and copy your Configuration ID from the top of the dashboard (it looks like abc123).

Step 2: Block the domains

In your NextDNS dashboard go to the Denylist tab and add each domain above one by one. Make sure Exact match is selected, not wildcard, so you don't accidentally block all of apple.com.

Step 3: Download the DNS profile

Go to Setup → Apple → Download Profile in your NextDNS dashboard. It generates a signed .mobileconfig with your config ID baked in. Download it and skip to the Install Profile tab to finish.

Step 1: Add domains to the blocklist

In your Pi-hole admin panel go to Blacklist → Domains (not Regex). Add each domain exactly as listed above. Leave Add domain as wildcard unchecked.

Step 2: Reach Pi-hole outside your home network

You have two options:

Step 3: Create a DNS profile for your Pi-hole

Paste the XML below into a text editor, replace YOUR.PIHOLE.IP.HERE with your Pi-hole's IP, save it as pihole.mobileconfig, then host it on any HTTPS URL and open it on your iPhone. Then follow the Install Profile tab.


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <!-- The inner payload: the DNS server the whole device will use -->
    <dict>
      <key>DNSSettings</key>
      <dict>
        <key>DNSProtocol</key>
        <!-- Apple's documentation lists only HTTPS and TLS as valid DNSProtocol
             values for this payload; if iOS refuses the profile, this line is
             the likely reason -->
        <string>Plain</string>
        <key>Servers</key>
        <array>
          <string>YOUR.PIHOLE.IP.HERE</string>
        </array>
      </dict>
      <key>PayloadType</key>
      <string>com.apple.dnsSettings.managed</string>
      <key>PayloadIdentifier</key>
      <string>com.pihole.dns</string>
      <key>PayloadUUID</key>
      <!-- Sample UUID; generate your own (e.g. with uuidgen) so every profile
           on the device carries unique UUIDs -->
      <string>A1B2C3D4-E5F6-7890-ABCD-EF1234567890</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadDisplayName</key>
      <string>Pi-hole DNS</string>
    </dict>
  </array>
  <!-- The outer profile wrapper shown in Settings -->
  <key>PayloadDisplayName</key>
  <string>Pi-hole DNS</string>
  <key>PayloadIdentifier</key>
  <string>com.pihole.dns.profile</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>B2C3D4E5-F6A7-8901-BCDE-F12345678901</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <!-- false keeps the profile removable from Settings without a passcode -->
  <key>PayloadRemovalDisallowed</key>
  <false/>
</dict>
</plist>
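As an added example (not part of this page), the following Python script builds the same profile as the XML above with fresh UUIDs and lints a hand-edited profile for the mistakes that stop it installing, such as the YOUR.PIHOLE.IP.HERE placeholder left in. The IP 192.0.2.53 and the function names are constructed for the example; the payload keys and values are copied from the profile above.

```python
import ipaddress
import plistlib
import uuid


def build_dns_profile(server_ip: str, name: str = "Pi-hole DNS") -> bytes:
    """Serialise the same DNS profile as the hand-written XML, with fresh UUIDs."""
    dns_payload = {
        "DNSSettings": {"DNSProtocol": "Plain", "Servers": [server_ip]},  # as on the page
        "PayloadType": "com.apple.dnsSettings.managed",
        "PayloadIdentifier": "com.pihole.dns",
        "PayloadUUID": str(uuid.uuid4()).upper(),  # unique per generated profile
        "PayloadVersion": 1,
        "PayloadDisplayName": name,
    }
    profile = {
        "PayloadContent": [dns_payload],
        "PayloadDisplayName": name,
        "PayloadIdentifier": "com.pihole.dns.profile",
        "PayloadType": "Configuration",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadRemovalDisallowed": False,  # stays removable from Settings
    }
    return plistlib.dumps(profile)


def profile_problems(data: bytes) -> list[str]:
    """Lint a .mobileconfig before hosting it; an empty list means it looks sane."""
    problems = []
    profile = plistlib.loads(data)
    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be Configuration")
    uuids = [profile.get("PayloadUUID")]
    for payload in profile.get("PayloadContent", []):
        uuids.append(payload.get("PayloadUUID"))
        if payload.get("PayloadType") != "com.apple.dnsSettings.managed":
            problems.append(f"unexpected payload type {payload.get('PayloadType')!r}")
            continue
        for server in payload.get("DNSSettings", {}).get("Servers", []):
            try:
                ipaddress.ip_address(server)  # rejects hostnames and placeholders
            except ValueError:
                problems.append(f"server {server!r} is not an IP address")
    if len(set(uuids)) != len(uuids):
        problems.append("PayloadUUID values must not repeat")
    return problems
```

Write the bytes returned by build_dns_profile to pihole.mobileconfig, and run profile_problems over any profile you edited by hand before hosting it.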

Installing the profile on your iPhone

This works the same whether you used NextDNS or Pi-hole.

1. Open the .mobileconfig file on your iPhone (via AirDrop, Safari, or any HTTPS link). iOS will say "Profile Downloaded".

2. Go to Settings → General → VPN & Device Management and tap the profile listed under Downloaded Profile.

3. Tap Install in the top-right, enter your passcode, and confirm twice.

4. The profile is now active system-wide; no per-network Wi-Fi changes needed.

Verify it's working

On your iPhone open Safari and navigate to http://crl.apple.com; it should fail to load or time out. If it loads normally, double-check your blocklist entries and that the profile is installed and not paused.

To remove

Go to Settings → General → VPN & Device Management, tap the profile, and tap Remove Profile. Normal DNS resumes immediately.