Is plaintext bootstrapping over UDP port 53 required?

[ghost]

At the moment I use AdGuard's official MobileConfig for AdGuard DoH, but it only lists "https://dns.adguard.com/dns-query" for DNS resolver address, which requires resolution over UDP port 53 in plaintext before DNS-over-HTTPS kicks in. That process is also known as bootstrapping. However, if IP address is used in URL for domain name, such as "https://94.140.14.14/dns-query" , then bootstrapping is not necessary and even the initial DNS query is encrypted and sent over TCP port 443.

These profiles do list IP addresses for AdGuard DNS, but they don't list , but they don't specifically list "https://94.140.14.14/dns-query" anywhere. Would iOS accept MobileConfig profiles with "https://94.140.14.14/dns-query" ? I would be willing to try if someone makes one and uploads it.

[paulmillr]

Good question. Also unclear which servers are reliable for ip-only doh and which are not and have variable ip

[ghost]

That has to be tested on per-server basis, but I know for sure that all AdGuard, Cloudflare, and Quad9 servers support encrypted DoH without bootstrapping.

AdGuard:
https://94.140.14.14/dns-query
https://94.140.15.15/dns-query
https://94.140.14.15/dns-query
https://94.140.15.16/dns-query
https://94.140.14.140/dns-query
https://94.140.14.141/dns-query

Cloudflare:
https://1.1.1.1/dns-query
https://1.0.0.1/dns-query
https://1.1.1.2/dns-query
https://1.0.0.2/dns-query
https://1.1.1.3/dns-query
https://1.0.0.3/dns-query

Quad9:
https://9.9.9.9/dns-query
https://149.112.112.112/dns-query
https://9.9.9.10/dns-query
https://149.112.112.10/dns-query
https://9.9.9.11/dns-query
https://149.112.112.11/dns-query

[ghost]

Can you make a signed version of a AdGuard MobilConfig that uses IP instead of domain name for me to test?
https://94.140.14.14/dns-query
https://94.140.15.15/dns-query

[ghost]

Its also strange that AdGuard's official MobileConfig (https://cdn.adtidy.org/public/Dns/adguard-dns.mobileconfig) lists DNS over HTTPS URL, but my Apple TV sometimes sends queries over TCP port 853 (DNS over TLS) as well. Is DoT in that profile just a fallback for DoH? It is either that or someone is spoofing on my network...

[ghost]

I figured it out. Earlier-listed AdGuard DNS MobileConfig profile was out-dated. The correct one was the one from here - https://adguard-dns.io/en/public-dns.html and it didn't require plaintext UDP port 53 bootstrapping.