FREE — NO APP REQUIRED

This method uses two DNS configuration profiles to toggle access to ppq.apple.com. Switching profiles is your on/off switch — no DNS apps, settings, or extra configuration needed. Just install a profile and you're set.

01 INSTALL PROFILES

Pre-Install (PPQ Allowed)

Use this profile right before installing and launching a sideloaded app. This profile allows ppq.apple.com so the app can verify during first launch.

Post-Install (PPQ Blocked)

After the app opens successfully, switch to this profile. This blocks ppq.apple.com for ongoing revocation protection.

Important: Keep this profile enabled at all times. Only switch back to the Pre-Install profile when installing a new app.

02 FULL WORKFLOW
  1. Install the Pre-Install (PPQ Allowed) profile.
  2. Refresh your internet connection:
    • If on cellular: toggle data off and on
    • If on Wi-Fi: disconnect and reconnect
  3. Sign, install, and launch the app. Make sure it opens fully and does not crash.
  4. Switch to Post-Install (PPQ Blocked) profile.
  5. Refresh your internet connection again.
  6. Leave the Post-Install profile enabled permanently.

Tip: Keep both profiles installed on your device. Switching between them is your "ppq on / off" switch.

03 SELF-HOSTED GUIDE

Prefer to do it yourself? Below are two methods to create your own DNS blocking setup without relying on our pre-built profiles. Choose the method that works best for you.

1. Copy the Template

Copy the skeleton code below into a plain text editor (TextEdit on Mac — use Format > Make Plain Text, or Notepad on Windows). The <DenyList> section is where you'll add blocked domains.

XML — mobileconfig template
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>AutoFilterEnabled</key>
            <false/>
            <key>FilterType</key>
            <string>BuiltIn</string>
            <key>PayloadDisplayName</key>
            <string>Web Content Filter</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.webcontent-filter.serverblock</string>
            <key>PayloadType</key>
            <string>com.apple.webcontent-filter</string>
            <key>PayloadUUID</key>
            <string>A1B2C3D4-E5F6-7890-1234-567890ABCDEF</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>DenyList</key>
            <array>
                <!-- Add domains here -->
            </array>
        </dict>
    </array>
    <key>PayloadDisplayName</key>
    <string>Apple Server Blocker</string>
    <key>PayloadDescription</key>
    <string>Blocks specific Apple validation and OCSP servers.</string>
    <key>PayloadIdentifier</key>
    <string>com.custom.serverblocker</string>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>F1E2D3C4-B5A6-7890-1234-567890ABCDEF</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

2. Domain List to Block

These are the commonly used Apple DNS domains for validation and OCSP checks:

  • ppq.apple.com
  • appattest.apple.com
  • certs.apple.com
  • crl.apple.com
  • ocsp.apple.com
  • ocsp2.apple.com
  • valid.apple.com
  • vpp.itunes.apple.com

3. Add Domains to Your Code

In the template, find the <DenyList> section. Replace the comment with each domain wrapped in <string> tags. Your list should look exactly like this:

XML — DenyList section
<key>DenyList</key>
<array>
    <string>ppq.apple.com</string>
    <string>appattest.apple.com</string>
    <string>certs.apple.com</string>
    <string>crl.apple.com</string>
    <string>ocsp.apple.com</string>
    <string>ocsp2.apple.com</string>
    <string>valid.apple.com</string>
    <string>vpp.itunes.apple.com</string>
</array>
Don't accidentally delete the </array> tag at the end of your list!

4. Save Your File

Go to File > Save As and name the file Blocker.mobileconfig.

Important: Check that your OS didn't secretly append .txt to the filename (e.g. Blocker.mobileconfig.txt). If it did, rename the file and remove the .txt extension or your Apple device will refuse to open it.

5. Send & Install
  1. Transfer the file to your iPhone or iPad via AirDrop, email, or iCloud Drive.
  2. Tap the file on your device. You'll see a popup saying "Profile Downloaded."
  3. Open Settings > tap Profile Downloaded near the top (or go to Settings > General > VPN & Device Management). Tap Install, enter your passcode, and confirm.
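
A profile like the one assembled in steps 1 to 5 can be inspected before it is installed, or when reviewing profiles found on a device. The following is an added example, not part of the original page: a Python check that parses a .mobileconfig and reports each payload that references a host from the domain list above. The function names and the sample profile are constructed for illustration.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Hosts from the domain list on this page.
WATCHED = set("""ppq.apple.com appattest.apple.com certs.apple.com crl.apple.com
ocsp.apple.com ocsp2.apple.com valid.apple.com vpp.itunes.apple.com""".split())

# Constructed sample profile (not a real one); it follows the template's layout.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.webcontent-filter</string>
    <key>PayloadIdentifier</key><string>com.apple.webcontent-filter.serverblock</string>
    <key>DenyList</key><array>
      <string>ocsp.apple.com</string>
      <string>https://crl.apple.com/</string>
      <string>example.org</string>
    </array>
  </dict></array>
</dict></plist>"""

def host_of(value):
    """Reduce an entry (bare host, wildcard or URL) to a lowercase hostname."""
    v = value.strip().lower().split("://", 1)[-1]   # drop a scheme if present
    return v.split("/", 1)[0].split(":", 1)[0].lstrip("*.")

def iter_strings(node):
    """Yield every string nested anywhere inside a plist value, whatever its key."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for child in (node.values() if isinstance(node, dict) else node):
            yield from iter_strings(child)

def audit_profile(data):
    """Return (PayloadType, PayloadIdentifier, matched hosts) per matching payload."""
    try:
        profile = plistlib.loads(data)
    except (ExpatError, ValueError) as exc:  # e.g. a deleted </array> tag
        raise ValueError(f"not a well-formed plist: {exc}") from exc
    findings = []
    for payload in profile.get("PayloadContent", []):
        hits = {h for h in map(host_of, iter_strings(payload))
                if any(h == w or h.endswith("." + w) for w in WATCHED)}
        if hits:
            findings.append((payload.get("PayloadType"),
                             payload.get("PayloadIdentifier"), sorted(hits)))
    return findings
```

The scan is key-agnostic, so it also reports these hosts when they appear in other payload types. A signed profile is not a plain plist and raises the same ValueError until its signature wrapper is removed.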
1. Create Your NextDNS Space

NextDNS gives you a personal dashboard to manage your DNS traffic for free.

  1. Go to my.nextdns.io in your web browser.
  2. Click Try it now for free — you don't need an account to test it, but creating one saves your settings.
  3. You'll be taken to your new configuration dashboard.

2. Add Domains to Your Denylist

Add each of these Apple validation domains to your NextDNS denylist:

  • ppq.apple.com
  • appattest.apple.com
  • certs.apple.com
  • crl.apple.com
  • ocsp.apple.com
  • ocsp2.apple.com
  • valid.apple.com
  • vpp.itunes.apple.com

  1. In your dashboard, click the Denylist tab at the top.
  2. Type or paste each domain into the "Add a domain..." box and press Enter.
  3. Repeat for every domain on the list. They'll appear below the input box.

NextDNS automatically blocks subdomains too — adding certs.apple.com also blocks *.certs.apple.com.

3. Download Your Custom Profile
  1. Click back to the Setup tab in your dashboard.
  2. Scroll to the Setup Guide section and click iOS (for iPhone/iPad) or macOS (for Mac).
  3. Find the Apple Configuration Profile section and click the link to open the profile generator.
  4. Leave the default settings and tap Download.

4. Install the Profile

If you downloaded directly on your iPhone or iPad, this part is easy:

  1. After tapping Download, your device will show "Profile Downloaded."
  2. Open Settings > tap Profile Downloaded near the top (or Settings > General > VPN & Device Management).
  3. Tap your NextDNS profile, tap Install, enter your passcode, and confirm.