How to configure your Mac to use DNS over TLS in five easy steps:
- Install Stubby with Homebrew (https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby):
brew install stubby
- Edit the configuration file:
vim /usr/local/etc/stubby/stubby.yml
- Remove the default DNS servers and replace them with Quad9 and Cloudflare:
upstream_recursive_servers:
  # IPv4 addresses
  # Quad9 with EDNS
  - address_data: 9.9.9.11
    tls_auth_name: "dns.quad9.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=
  # Cloudflare
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
  # Quad9 with EDNS
  - address_data: 149.112.112.11
    tls_auth_name: "dns.quad9.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=
  # Cloudflare
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
And also verify that Stubby is configured to use DNS over TLS:
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
- Start the Stubby service using the daemon plist provided by Homebrew:
sudo brew services start stubby
- Replace the current DNS configuration to use 127.0.0.1:
sudo /usr/local/opt/stubby/sbin/stubby-setdns-macos.sh
- Verify that everything is working as expected (use dig or nslookup):
dig www.google.com
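The tls_pubkey_pinset values above only protect you if they match the key the upstream actually presents. This added shell example (not part of the original post) computes the pin Stubby expects, base64 of the SHA-256 over the DER-encoded SubjectPublicKeyInfo, so you can compare the configured value against a certificate or a live server. It assumes openssl and base64 are on PATH; live_spki_pin needs network access and reports the leaf certificate's pin.

```shell
#!/bin/sh
# Added example: SPKI pin helpers for checking stubby.yml pins.
# Pin = base64( SHA-256( DER SubjectPublicKeyInfo ) ), as used by
# tls_pubkey_pinset with digest "sha256".

# spki_pin_from_cert CERT.pem -> pin of the certificate's public key
spki_pin_from_cert() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform der \
        | openssl dgst -sha256 -binary \
        | base64
}

# spki_pin_from_key KEY.pem -> the same pin derived from a private key,
# handy for confirming the method against a key you control
spki_pin_from_key() {
    openssl pkey -in "$1" -pubout -outform der \
        | openssl dgst -sha256 -binary \
        | base64
}

# live_spki_pin IP AUTH_NAME -> pin of the leaf certificate the upstream
# presents on port 853 (needs network; SNI is set to tls_auth_name)
live_spki_pin() {
    openssl s_client -connect "$1:853" -servername "$2" </dev/null 2>/dev/null \
        | openssl x509 -pubkey -noout \
        | openssl pkey -pubin -outform der \
        | openssl dgst -sha256 -binary \
        | base64
}

# check_pin EXPECTED ACTUAL -> exit status 0 when the pins match, 1 otherwise
check_pin() {
    [ "$1" = "$2" ]
}

# Usage (online): compare the Quad9 pin from stubby.yml with the live cert.
# check_pin "/SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=" \
#     "$(live_spki_pin 9.9.9.11 dns.quad9.net)" && echo "pin OK"
```

With tls_authentication set to GETDNS_AUTHENTICATION_REQUIRED, a pin that no longer matches what the upstream serves makes resolution fail closed, so re-run the check whenever an upstream rotates its certificate.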
No, this is exactly what I am looking for actually. Cloudflare WARP's GUI software does just that - they use some adapted form of WireGuard (I believe) which effectively converts this DNS config into a VPN config - rendering it impossible to use in conjunction with VPN set-ups. I was trying to figure out a way around this and this method is extremely clever. The only issue in regards to their WARP service is that their paid service, WARP+ is stated that
I'm wondering how significant or valid this claim is. Unrelated and not a huge issue, more of a personal, curious pursuit.
Little edit: doing a quick search leads me to the impression that WARP + is mobile-specific, rendering this the exact alternative I was seeking. Props to you, brother!