Configure your Mac to use DNS over TLS

dnsovertls.md

Switching to DNS over TLS on macOS

How to configure your Mac to use DNS over TLS in five easy steps:

1. Install Stubby with Homebrew (https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby):

    brew install stubby
   

2. Edit the configuration file:

    vim /usr/local/etc/stubby/stubby.yml
   

3. Remove the default DNSes an replace them with Quad9 and Cloudflare:

    upstream_recursive_servers:
    # IPv4 addresses
    # Quad9 with EDNS
    - address_data: 9.9.9.11
      tls_auth_name: "dns.quad9.net"
      tls_pubkey_pinset:
      - digest: "sha256"
        value: /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=
    # Cloudflare
    - address_data: 1.1.1.1
      tls_auth_name: "cloudflare-dns.com"
      tls_pubkey_pinset:
      - digest: "sha256"
        value: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
    # Quad9 with EDNS
    - address_data: 149.112.112.11
      tls_auth_name: "dns.quad9.net"
      tls_pubkey_pinset:
      - digest: "sha256"
        value: /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=
    # Cloudflare
    - address_data: 1.0.0.1
      tls_auth_name: "cloudflare-dns.com"
      tls_pubkey_pinset:
      - digest: "sha256"
        value: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
   

   And also verify that Stubby is configured to use DNS over TLS:

    dns_transport_list:
      - GETDNS_TRANSPORT_TLS
      
    tls_authentication: GETDNS_AUTHENTICATION_REQUIRED  
   

4. Start the stubby service using the daemon plist provided by Homebrew:

    sudo brew services start stubby
   

5. Replace the current DNS configuration to use 127.0.0.1:

    sudo /usr/local/opt/stubby/sbin/stubby-setdns-macos.sh
   

6. Verify that everything is working as expected (use dig or nslookup):

   dig www.google.com
   

I've installed stubby directly via homebrew and configured it as shown above, I didn't even knew that a GUI existed until today. :)
The only networking issue I've seen is that sometimes it can't connect back to wifi networks when you switch between two of them.
Note that since BigSur, LittleSnitch CAN'T block ocsp anymore afaik, you'll have to manually redirect the hostname: https://gist.github.com/uraimo/49eb390ed78b3b5b5ed2a9ea8fff99ff

Yeah, the problem I was having was from the GUI client, I tried but haven't quite figured out how to get it to work with command line. Pretty much all ISPs in my country forces their own DNS (government regulation aka censorship). For OCSP I see trustd blinking red on little snitch and thought it must already be blocked, but you're right, doing it via hosts file will certainly block it for sure, thanks for this!

If I'm not mistaken - this is a custom configuration replicating CloudFare's WARP + functionality - but no bandwidth or VPN restrictions?

Hi @girlscoutfather, this is basically just the secure dns part (using cloudflare, quad9,etc...) of warp+, other kinds of traffic are not being encrypted in any way. To roll your own quasi-VPN I recommend looking into WireGuard.

Hi @girlscoutfather, this is basically just the secure DNS part (using Cloudflare, quad9, etc...) of warp+, other kinds of traffic are not being encrypted in any way. To roll your own quasi-VPN I recommend looking into WireGuard.

No, this is exactly what I am looking for actually. Cloudflare WARP's GUI software does just that - they use some adapted form of WireGuard (I believe) which effectively converts this DNS config into a VPN config - rendering it impossible to use in conjunction with VPN set-ups. I was trying to figure out a way around this and this method is extremely clever. The only issue in regards to their WARP service is that their paid service, WARP+ is stated that

[They] route your internet requests to avoid Internet traffic jams, making it even better.

I'm wondering how significant or valid this claim is. Unrelated and not a huge issue, more of a personal, curious pursuit.

Little edit: doing a quick search leads me to the impression that WARP + is mobile-specific, rendering this the exact alternative I was seeking. Props to you, brother!

In case this helps anyone, my stubby is at /opt/homebrew/bin/stubby and so step 5 of the gist becomes

sudo /opt/homebrew/sbin/stubby-setdns-macos.sh

Also, the following will tell you about which configuration files are being read

stubby -h

while the following will tell you if any parsing errors came up:

sudo stubby -i

Thank you @4cm4k1 and @uraimo!