How to configure your Mac to use DNS over TLS in five easy steps:
-
Install Stubby with Homebrew (https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby):
brew install stubby -
Edit the configuration file:
vim /usr/local/etc/stubby/stubby.yml -
Remove the default DNSes an replace them with Quad9 and Cloudflare:
upstream_recursive_servers: # IPv4 addresses # The Surfnet/Sinodun servers - address_data: 9.9.9.9 tls_auth_name: "dns.quad9.net" tls_pubkey_pinset: - digest: "sha256" value: ZMZ1T16d9Qc5uvRpUn/mu6fh4+IdoJGOEKjANut91Io= - address_data: 1.1.1.1 tls_auth_name: "cloudflare-dns.com" tls_pubkey_pinset: - digest: "sha256" value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc= - address_data: 149.112.112.112 tls_auth_name: "dns.quad9.net" tls_pubkey_pinset: - digest: "sha256" value: ZMZ1T16d9Qc5uvRpUn/mu6fh4+IdoJGOEKjANut91Io= - address_data: 1.0.0.1 tls_auth_name: "cloudflare-dns.com" tls_pubkey_pinset: - digest: "sha256" value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=And also verify that Stubby id configured to use DNS over TLS:
dns_transport_list: - GETDNS_TRANSPORT_TLS tls_authentication: GETDNS_AUTHENTICATION_REQUIRED -
Start the stubby service using the daemon plist provided by Homebrew:
sudo brew services start stubby -
Replace the current DNS configuration to use 127.0.0.1:
sudo /usr/local/opt/stubby/sbin/stubby-setdns-macos.sh -
Verify that everything is working as expected (use dig or nslookup):
dig www.google.com