How to configure your Mac to use DNS over TLS in five easy steps:
-
Install Stubby with Homebrew (https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby):
brew install stubby
-
Edit the configuration file (Homebrew's prefix is /usr/local on Intel Macs and /opt/homebrew on Apple Silicon; brew --prefix prints the one in use):
vim /usr/local/etc/stubby/stubby.yml
-
Remove the default upstreams and replace them with Quad9 and Cloudflare. Each pin value is the base64-encoded SHA-256 hash of the provider's SubjectPublicKeyInfo (SPKI) as published at the time of writing; because authentication is required, a pin that no longer matches the key the provider is serving makes Stubby reject that upstream, so if resolution suddenly stops working re-derive the pins, or drop the pinset and authenticate with tls_auth_name alone:
upstream_recursive_servers:
  # IPv4 addresses
  # Quad9 with EDNS
  - address_data: 9.9.9.11
    tls_auth_name: "dns.quad9.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=
  # Cloudflare
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
  # Quad9 with EDNS
  - address_data: 149.112.112.11
    tls_auth_name: "dns.quad9.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=
  # Cloudflare
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
Also verify that Stubby is configured to use DNS over TLS only and to require authentication, so that it fails closed instead of falling back to plaintext DNS when an upstream cannot be authenticated:
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
-
Start the Stubby service using the daemon plist provided by Homebrew (sudo installs it as a LaunchDaemon, which is what lets it bind the privileged port 53 on 127.0.0.1):
sudo brew services start stubby
-
Point the system resolver at 127.0.0.1 with the helper script that ships with Stubby, which sets the DNS servers of your network services to the local Stubby listener:
sudo /usr/local/opt/stubby/sbin/stubby-setdns-macos.sh
-
Verify that everything is working as expected (use dig or nslookup). The SERVER line in dig's output should show 127.0.0.1, but that only proves the query reached Stubby; to confirm nothing leaves the machine in plaintext, capture with tcpdump on ports 53 and 853 while running the query and check that the only outbound traffic is TLS to the upstreams on 853:
dig www.google.com
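To see what Stubby does on your behalf for every query, and to check the pin values in the configuration above against what a provider is serving right now, here is an added example of a bare DNS-over-TLS client in Python. It is not part of the original post and not Stubby's code; it uses only the standard library. It connects to port 853, verifies the certificate against the auth name the way tls_auth_name does, computes base64(sha256(SubjectPublicKeyInfo)) of the leaf certificate (the format tls_pubkey_pinset expects) and compares it against a pinset, then sends a length-prefixed DNS message as RFC 7858 requires. The sample DNS response and the skeletal sample certificate are constructed inline so the parsing can be exercised offline; the pin used in the main block is the Cloudflare value from the configuration above and the script will raise if Cloudflare has rotated its key since.

```python
"""DNS-over-TLS client that does by hand what Stubby does: TLS to port 853,
auth-name verification, optional SPKI pin check, 2-byte length-prefixed query."""
import base64
import hashlib
import random
import socket
import ssl
import struct


def build_query(name, qid):
    """Standard DNS query for an A record, recursion desired."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)      # QTYPE=A, QCLASS=IN


def _skip_name(buf, pos):
    """Advance past a (possibly compressed) domain name in a DNS message."""
    while True:
        length = buf[pos]
        if length & 0xC0 == 0xC0:          # compression pointer: 2 bytes, ends the name
            return pos + 2
        if length == 0:
            return pos + 1
        pos += 1 + length


def parse_a_records(resp, qid):
    """Return the IPv4 addresses in the answer section; raise on bad id or RCODE."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!6H", resp[:12])
    if rid != qid:
        raise ValueError("response id does not match query id")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    pos = 12
    for _ in range(qd):
        pos = _skip_name(resp, pos) + 4    # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        pos = _skip_name(resp, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen
    return addrs


def _tlv(buf, pos):
    """Decode one DER tag-length-value; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def spki_from_cert(cert_der):
    """Extract the SubjectPublicKeyInfo DER from an X.509 certificate DER."""
    _, pos, _ = _tlv(cert_der, 0)          # Certificate SEQUENCE
    _, pos, _ = _tlv(cert_der, pos)        # TBSCertificate SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                        # optional explicit [0] version
        pos = end
    for _ in range(5):                     # serialNumber, signature, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    _, _, end = _tlv(cert_der, pos)        # subjectPublicKeyInfo
    return cert_der[pos:end]


def spki_pin(cert_der):
    """base64(sha256(SPKI)): the value format used in Stubby's tls_pubkey_pinset."""
    return base64.b64encode(hashlib.sha256(spki_from_cert(cert_der)).digest()).decode("ascii")


def _der(tag, body):
    """Tiny DER encoder, used only to build the constructed sample certificate below."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x82, n >> 8, n & 0xFF])) + body


# Constructed sample (not a real certificate): a skeletal Certificate with the
# TBSCertificate fields in the right order, so spki_from_cert() can be checked offline.
SAMPLE_SPKI = _der(0x30, _der(0x30, _der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
                   + _der(0x03, b"\x00\x04" + b"\x11" * 64))
SAMPLE_CERT = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
                               + _der(0x30, b"") * 4 + SAMPLE_SPKI)
                   + _der(0x30, b"") + _der(0x03, b"\x00"))

# Constructed sample response to build_query("example.com", 0x1234): one A record, name compressed.
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                   b"\x07example\x03com\x00\x00\x01\x00\x01"
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\x5d\xb8\xd8\x22")


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TLS connection closed early")
        buf += chunk
    return buf


def dot_query(name, server_ip, auth_name, pinset=None, timeout=5.0):
    """Resolve `name` over DoT, authenticating like tls_auth_name plus tls_pubkey_pinset."""
    ctx = ssl.create_default_context()     # system roots, hostname verification on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    qid = random.getrandbits(16)
    msg = build_query(name, qid)
    with socket.create_connection((server_ip, 853), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
        if pinset is not None:             # this client pins the leaf certificate's SPKI
            pin = spki_pin(tls.getpeercert(binary_form=True))
            if pin not in pinset:
                raise ssl.SSLError("SPKI pin mismatch, live pin is %s" % pin)
        tls.sendall(struct.pack("!H", len(msg)) + msg)    # RFC 7858 length prefix
        (n,) = struct.unpack("!H", _recv_exact(tls, 2))
        return parse_a_records(_recv_exact(tls, n), qid)


if __name__ == "__main__":
    # Cloudflare pin copied from the stubby.yml above; raises if Cloudflare has rotated its key.
    print(dot_query("www.google.com", "1.1.1.1", "cloudflare-dns.com",
                    pinset={"V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU="}))
```

If the script raises an SPKI pin mismatch, the error message carries the pin the provider is currently serving, which is the value to put into tls_pubkey_pinset; a Stubby that suddenly stops resolving with the configuration above is most likely failing on the same stale pin.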
Hey Uraimo, thanks for the response.
StubbyManager GUI (I think 0.2.6, where did you get 0.3.0?) would freeze my entire system into an unusable state (beachballing) after login. Had to uninstall via safe mode. I did try reinstalling twice with no luck. Unfortunately I don't have the logs anymore. I'm on a 2019 MBP 16 base model. Today I just discovered that Cloudflare actually has their own client for macOS (silly me), so I am using that now. But that still doesn't explain why Stubby failed to work.
I wonder if the issue has something to do with my upgrade failing a few times (due to server congestion). By any chance, are you experiencing other network problems with Big Sur? There has been something weird about my network ever since the Big Sur upgrade. If my ISP is down while I'm connected to WiFi or LAN, every app that uses the internet will launch but won't load its window until I disconnect my ethernet cable or disable WiFi (Brave, Safari, Spotify, VLC, etc.). I did block Apple's OCSP server with Little Snitch, but that did not help.