@uraimo
Last active March 22, 2024 20:55
Configure your Mac to use DNS over TLS

Switching to DNS over TLS on macOS

How to configure your Mac to use DNS over TLS in five easy steps:

  1. Install Stubby with Homebrew (https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby):

     brew install stubby
    
  2. Edit the configuration file:

     vim /usr/local/etc/stubby/stubby.yml
    
  3. Remove the default DNS servers and replace them with Quad9 and Cloudflare:

     upstream_recursive_servers:
     # IPv4 addresses
     # Quad9 with EDNS
     - address_data: 9.9.9.11
       tls_auth_name: "dns.quad9.net"
       tls_pubkey_pinset:
       - digest: "sha256"
         value: /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=
     # Cloudflare
     - address_data: 1.1.1.1
       tls_auth_name: "cloudflare-dns.com"
       tls_pubkey_pinset:
       - digest: "sha256"
         value: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
     # Quad9 with EDNS
     - address_data: 149.112.112.11
       tls_auth_name: "dns.quad9.net"
       tls_pubkey_pinset:
       - digest: "sha256"
         value: /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=
     # Cloudflare
     - address_data: 1.0.0.1
       tls_auth_name: "cloudflare-dns.com"
       tls_pubkey_pinset:
       - digest: "sha256"
         value: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
    

    And also verify that Stubby is configured to use DNS over TLS:

     dns_transport_list:
       - GETDNS_TRANSPORT_TLS
       
     tls_authentication: GETDNS_AUTHENTICATION_REQUIRED  
    
  4. Start the stubby service using the daemon plist provided by Homebrew:

     sudo brew services start stubby
    
  5. Replace the current DNS configuration to use 127.0.0.1:

     sudo /usr/local/opt/stubby/sbin/stubby-setdns-macos.sh
    
  6. Verify that everything is working as expected (use dig or nslookup):

    dig www.google.com
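The settings in step 3 are edited by hand, and a YAML file that parses cleanly can still leave a plaintext fallback transport, disable certificate authentication, or expose the stub resolver beyond localhost. The following POSIX shell linter is an added example and is not part of uraimo's gist or of the Stubby project: it checks a stubby.yml for the four settings the steps above depend on, using two constructed sample files (one mirroring the gist's hardened settings, one deliberately weak). Only the keys the gist shows, plus listen_addresses, are inspected; that narrowing is an assumption of this example.

```shell
#!/bin/sh
# Added example (not from uraimo's gist): lint a stubby.yml before starting the
# service, so a typo does not quietly leave a UDP/TCP fallback, disable
# certificate authentication, or listen on every interface. The checks and both
# sample configs are constructed here; only the keys shown in the gist
# (plus listen_addresses) are inspected.
set -u

# Print the GETDNS_TRANSPORT_* entries listed under dns_transport_list.
list_transports() {
  awk '/^dns_transport_list:/ { inlist = 1; next }
       inlist && /^[A-Za-z_]/ { inlist = 0 }
       inlist && /^[ \t]*-[ \t]*GETDNS_TRANSPORT_/ { sub(/^[ \t]*-[ \t]*/, ""); print }' "$1"
}

# 0 if TLS is the only transport, 1 if the list is missing or allows a fallback.
transport_is_tls_only() {
  transports=$(list_transports "$1")
  [ -n "$transports" ] || return 1
  ! printf '%s\n' "$transports" | grep -qv '^GETDNS_TRANSPORT_TLS$'
}

# 0 if upstream certificates must be authenticated, 1 otherwise.
auth_is_required() {
  grep -Eq '^tls_authentication:[[:space:]]*GETDNS_AUTHENTICATION_REQUIRED[[:space:]]*$' "$1"
}

# 0 if every listen_addresses entry is loopback (optionally with @port), 1 otherwise.
listens_on_loopback_only() {
  awk '/^listen_addresses:/ { inlist = 1; next }
       inlist && /^[A-Za-z_]/ { inlist = 0 }
       inlist && /^[ \t]*-[ \t]*[0-9a-fA-F:.]/ { sub(/^[ \t]*-[ \t]*/, ""); sub(/[ \t#].*$/, ""); print }' "$1" |
    grep -Ev '^(127\.0\.0\.1|0::1|::1)(@[0-9]+)?$' | grep -q . && return 1
  return 0
}

# Print "<upstream count> <upstreams lacking tls_auth_name or a sha256 pin>".
upstreams_report() {
  awk 'function flush() { if (addr != "") { total++; if (!auth || !pin) bad++ }
                          addr = ""; auth = 0; pin = 0; pinset = 0; sha = 0 }
       /^[ \t]*-[ \t]*address_data:/ { flush(); addr = $NF }
       /^[ \t]*tls_auth_name:[ \t]*"[^"]+"/ { auth = 1 }
       /^[ \t]*tls_pubkey_pinset:/ { pinset = 1 }
       /^[ \t]*-[ \t]*digest:/ { sha = ($NF == "\"sha256\"") }
       /^[ \t]*value:[ \t]*[^ \t]/ { if (pinset && sha) pin = 1 }
       END { flush(); print total + 0, bad + 0 }' "$1"
}

# Run every check on one file, print a report, return 0 only if all pass.
check_stubby_config() {
  cfg=$1; rc=0
  if transport_is_tls_only "$cfg"; then echo "ok   dns_transport_list: TLS only"
  else echo "FAIL dns_transport_list must be exactly [GETDNS_TRANSPORT_TLS]"; rc=1; fi
  if auth_is_required "$cfg"; then echo "ok   tls_authentication: REQUIRED"
  else echo "FAIL tls_authentication must be GETDNS_AUTHENTICATION_REQUIRED"; rc=1; fi
  if listens_on_loopback_only "$cfg"; then echo "ok   listen_addresses: loopback only"
  else echo "FAIL listen_addresses: stub resolver exposed beyond localhost"; rc=1; fi
  set -- $(upstreams_report "$cfg")
  if [ "$1" -gt 0 ] && [ "$2" -eq 0 ]; then echo "ok   upstreams: $1, all named and pinned"
  else echo "FAIL upstreams: $1 total, $2 without tls_auth_name or sha256 pin"; rc=1; fi
  return $rc
}

# Constructed sample configs; the hardened one mirrors the gist's settings.
SAMPLE_DIR=$(mktemp -d); trap 'rm -rf "$SAMPLE_DIR"' EXIT
HARDENED_CFG=$SAMPLE_DIR/stubby-hardened.yml
WEAK_CFG=$SAMPLE_DIR/stubby-weak.yml
cat > "$HARDENED_CFG" <<'EOF'
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
listen_addresses:
  - 127.0.0.1
  - 0::1
upstream_recursive_servers:
  - address_data: 9.9.9.11
    tls_auth_name: "dns.quad9.net"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
EOF
cat > "$WEAK_CFG" <<'EOF'
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
  - GETDNS_TRANSPORT_UDP      # plaintext fallback if TLS fails
tls_authentication: GETDNS_AUTHENTICATION_NONE
listen_addresses:
  - 0.0.0.0                   # reachable from the whole LAN
upstream_recursive_servers:
  - address_data: 9.9.9.11    # no tls_auth_name, no pin
EOF

echo "== hardened sample"; check_stubby_config "$HARDENED_CFG"
echo "== weak sample";     check_stubby_config "$WEAK_CFG" || echo "(rejected, as expected)"
```

To use it on a real install, append a call such as `check_stubby_config /usr/local/etc/stubby/stubby.yml` (or the /opt/homebrew path mentioned in the comments) and run it before step 4. It complements `stubby -i`, which only reports parsing errors: this script checks the policy, not the syntax. One caveat worth keeping in mind: with `GETDNS_AUTHENTICATION_REQUIRED` and TLS as the only transport, a pin that no longer matches the provider's key makes resolution fail closed instead of silently falling back, so compare the pinned hashes against the provider's currently published values whenever you update the file.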
    
daturadev commented Apr 17, 2021

Hi @girlscoutfather, this is basically just the secure DNS part (using Cloudflare, quad9, etc...) of warp+, other kinds of traffic are not being encrypted in any way. To roll your own quasi-VPN I recommend looking into WireGuard.

No, this is exactly what I am looking for actually. Cloudflare WARP's GUI software does just that - they use some adapted form of WireGuard (I believe) which effectively converts this DNS config into a VPN config - rendering it impossible to use in conjunction with VPN set-ups. I was trying to figure out a way around this and this method is extremely clever. The only issue in regards to their WARP service is that their paid service, WARP+ is stated that

[They] route your internet requests to avoid Internet traffic jams, making it even better.

I'm wondering how significant or valid this claim is. Unrelated and not a huge issue, more of a personal, curious pursuit.

Little edit: doing a quick search leads me to the impression that WARP + is mobile-specific, rendering this the exact alternative I was seeking. Props to you, brother!

@tianhuil

In case this helps anyone, my stubby is at /opt/homebrew/bin/stubby and so step 5 of the gist becomes

sudo /opt/homebrew/sbin/stubby-setdns-macos.sh

Also, the following will tell you about which configuration files are being read

stubby -h

while the following will tell you if any parsing errors came up:

sudo stubby -i

Thank you @4cm4k1 and @uraimo!
