How to configure your Mac to use DNS over TLS in five easy steps:
-
Install Stubby with Homebrew (https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby):
brew install stubby -
Edit the configuration file:
vim /usr/local/etc/stubby/stubby.yml -
Remove the default DNSes an replace them with Quad9 and Cloudflare:
upstream_recursive_servers: # IPv4 addresses # Quad9 with EDNS - address_data: 9.9.9.11 tls_auth_name: "dns.quad9.net" tls_pubkey_pinset: - digest: "sha256" value: /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg= # Cloudflare - address_data: 1.1.1.1 tls_auth_name: "cloudflare-dns.com" tls_pubkey_pinset: - digest: "sha256" value: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU= # Quad9 with EDNS - address_data: 149.112.112.11 tls_auth_name: "dns.quad9.net" tls_pubkey_pinset: - digest: "sha256" value: /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg= # Cloudflare - address_data: 1.0.0.1 tls_auth_name: "cloudflare-dns.com" tls_pubkey_pinset: - digest: "sha256" value: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=And also verify that Stubby is configured to use DNS over TLS:
dns_transport_list: - GETDNS_TRANSPORT_TLS tls_authentication: GETDNS_AUTHENTICATION_REQUIRED -
Start the stubby service using the daemon plist provided by Homebrew:
sudo brew services start stubby -
Replace the current DNS configuration to use 127.0.0.1:
sudo /usr/local/opt/stubby/sbin/stubby-setdns-macos.sh -
Verify that everything is working as expected (use dig or nslookup):
dig www.google.com