Introduction
In macOS Big Sur or later, a configuration profile (.mobileconfig) can be installed to use DNS over HTTPS (DoH) or DNS over TLS (DoT) natively, without installing any additional software for encrypted DNS.
Before You Start
Once a DoT or DoH profile is installed and activated, there is no "unencrypted fallback": if the current network blocks DoT or DoH, DNS resolution fails rather than silently falling back to plaintext DNS on port 53. If you connect to a network that blocks DoT or DoH, you will have to manually disable or remove this profile to regain DNS resolution on that network.
DoH vs DoT
DoT is recommended if the device will mainly connect to networks you control, or to corporate networks where DoT (TCP port 853) is allowed.
DoH is recommended if the device will frequently connect to guest Wi-Fi and/or networks you do not administer, because DoH uses TCP port 443 (the same port as ordinary HTTPS) and is therefore not as commonly blocked on firewalls.
System Applications
DNS requests that originate from some system applications, such as Terminal and the App Store, bypass the encrypted DNS profile and are sent unencrypted. This is by design. Keep it in mind when verifying the profile: plaintext port 53 traffic from one of these applications does not mean the profile has failed.
Steps
- Download and open one of the following profile files on your macOS device:
- DNS over TLS - 9.9.9.9 (DNSSEC, Threat-Blocking) (Expires Feb 1st, 2024)
- DNS over HTTPS - 9.9.9.9 (DNSSEC, Threat-Blocking) (Expires Feb 1st, 2024)
- DNS over TLS - 9.9.9.10 (No DNSSEC, no Threat-Blocking) (Expires Feb 1st, 2024)
- DNS over HTTPS - 9.9.9.10 (No DNSSEC, no Threat-Blocking) (Expires Feb 1st, 2024)
- DNS over TLS - 9.9.9.11 (DNSSEC, Threat-Blocking, with ECS) (Expires Feb 1st, 2024)
- DNS over HTTPS - 9.9.9.11 (DNSSEC, Threat-Blocking, with ECS) (Expires Feb 1st, 2024)
- DNS over TLS - 9.9.9.12 (No DNSSEC, no Threat-Blocking, with ECS) (Expires Feb 1st, 2024)
- DNS over HTTPS - 9.9.9.12 (No DNSSEC, no Threat-Blocking, with ECS) (Expires Feb 1st, 2024)
- When you open the file, macOS shows a system notification that the profile has been downloaded and must be reviewed before it is installed:
- Open System Preferences -> Profiles (on macOS Ventura or later, System Settings -> Privacy & Security -> Profiles), where you should see the downloaded Quad9 DoH or DoT profile. Select it and choose Install.
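To show what such a profile actually contains, here is an added example (it is not one of Quad9's downloadable profile files) of a small shell script that writes a minimal .mobileconfig for the 9.9.9.9 service using Apple's DNS Settings payload (PayloadType com.apple.dnsSettings.managed, key names as documented by Apple). The resolver name dns.quad9.net, the DoH endpoint https://dns.quad9.net/dns-query and the IPv6 addresses 2620:fe::fe and 2620:fe::9 are Quad9's published values for the 9.9.9.9 service; the payload identifiers, UUIDs and display names are placeholders chosen for this example and should be regenerated before real use.

```shell
#!/bin/sh
# Added example: generate a minimal macOS configuration profile that turns on
# system-wide encrypted DNS to Quad9's 9.9.9.9 service using Apple's
# com.apple.dnsSettings.managed payload. Not one of Quad9's own profile files.
#
# Usage: sh make_quad9_profile.sh TLS   > Quad9-DoT.mobileconfig
#        sh make_quad9_profile.sh HTTPS > Quad9-DoH.mobileconfig

make_quad9_profile() {
  proto="$1"
  case "$proto" in
    TLS)
      # DoT: macOS connects to the ServerAddresses on TCP 853 and validates
      # the server certificate against ServerName.
      server_keys='        <key>ServerName</key>
        <string>dns.quad9.net</string>'
      display="Quad9 DNS over TLS (9.9.9.9)"
      payload_uuid="6D3A1C2E-0000-4000-8000-000000000001"   # placeholder, regenerate with uuidgen
      profile_uuid="6D3A1C2E-0000-4000-8000-0000000000A1"   # placeholder, regenerate with uuidgen
      ;;
    HTTPS)
      # DoH: macOS posts queries to ServerURL over TCP 443; ServerAddresses let
      # it reach the endpoint without a plaintext lookup of the hostname first.
      server_keys='        <key>ServerURL</key>
        <string>https://dns.quad9.net/dns-query</string>'
      display="Quad9 DNS over HTTPS (9.9.9.9)"
      payload_uuid="6D3A1C2E-0000-4000-8000-000000000002"   # placeholder, regenerate with uuidgen
      profile_uuid="6D3A1C2E-0000-4000-8000-0000000000A2"   # placeholder, regenerate with uuidgen
      ;;
    *)
      echo "usage: make_quad9_profile TLS|HTTPS" >&2
      return 1
      ;;
  esac

  # Identifiers under com.example.* are placeholders for this example.
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.dnsSettings.managed</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadIdentifier</key>
      <string>com.example.quad9dns.payload.$proto</string>
      <key>PayloadUUID</key>
      <string>$payload_uuid</string>
      <key>PayloadDisplayName</key>
      <string>$display</string>
      <key>DNSSettings</key>
      <dict>
        <key>DNSProtocol</key>
        <string>$proto</string>
        <key>ServerAddresses</key>
        <array>
          <string>9.9.9.9</string>
          <string>149.112.112.112</string>
          <string>2620:fe::fe</string>
          <string>2620:fe::9</string>
        </array>
$server_keys
      </dict>
    </dict>
  </array>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
  <key>PayloadIdentifier</key>
  <string>com.example.quad9dns.profile.$proto</string>
  <key>PayloadUUID</key>
  <string>$profile_uuid</string>
  <key>PayloadDisplayName</key>
  <string>$display</string>
</dict>
</plist>
EOF
}

make_quad9_profile "${1:-TLS}"
```

The generated file is opened and installed exactly like the downloaded ones. Note that the 9.9.9.10, 9.9.9.11 and 9.9.9.12 services use different resolver names and addresses, so this script only covers 9.9.9.9.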
Confirm
To confirm that the macOS device is sending DNS to Quad9 via DoT or DoH:
- Open the Terminal application and execute one of the following commands, depending on which profile you installed (DoH or DoT):
DNS over HTTPS
sudo tcpdump -i any "port 443 and (host 9.9.9.9 or host 149.112.112.112)"
DNS over TLS
sudo tcpdump -i any "port 853 and (host 9.9.9.9 or host 149.112.112.112)"
The parentheses matter: in tcpdump's filter syntax "and" binds tighter than "or", so "port 443 and host 9.9.9.9 or host 149.112.112.112" would also capture all traffic to or from 149.112.112.112 on any port. If you installed a 9.9.9.10, 9.9.9.11 or 9.9.9.12 profile, substitute that address and its secondary (149.112.112.10, 149.112.112.11 or 149.112.112.12 respectively).
- You'll be prompted for your user's password. Type it in and press Enter. You will not see the characters in Terminal as you type them.
- Open a new browser window and navigate to a website you have not recently visited, so that the name is not already cached and the system has to send a DNS query.
- If DoT or DoH is being used, you will see output like the following (a DoH capture; with DoT the remote port is shown as 853 instead of https):
11:15:03.610657 IP 192.168.1.148.64492 > dns9.quad9.net.https: Flags [SEW], seq 643448805, win 65535, options [mss 1460,nop,wscale 6,nop,nop,TS val 3768110776 ecr 0,sackOK,eol], length 0
11:15:03.620608 IP dns9.quad9.net.https > 192.168.1.148.64492: Flags [S.E], seq 2427176094, ack 643448806, win 28960, options [mss 1460,nop,nop,TS val 2926340931 ecr 3768110776,nop,wscale 8], length 0
11:15:03.620783 IP 192.168.1.148.64492 > dns9.quad9.net.https: Flags [P.], seq 1:518, ack 1, win 2058, options [nop,nop,TS val 3768110786 ecr 2926340931], length 517
11:15:03.630228 IP dns9.quad9.net.https > 192.168.1.148.64492: Flags [.], ack 518, win 118, options [nop,nop,TS val 2926340940 ecr 3768110786], length 0
11:15:03.632042 IP dns9.quad9.net.https > 192.168.1.148.64492: Flags [.], seq 1:1449, ack 518, win 118, options [nop,nop,TS val 2926340941 ecr 3768110786], length 1448
11:15:03.632043 IP dns9.quad9.net.https > 192.168.1.148.64492: Flags [.], seq 1449:2897, ack 518, win 118, options [nop,nop,TS val 2926340941 ecr 3768110786], length 1448
11:15:03.632043 IP dns9.quad9.net.https > 192.168.1.148.64492: Flags [P.], seq 2897:3505, ack 518, win 118, options [nop,nop,TS val 2926340941 ecr 3768110786], length 608
11:15:03.632607 IP 192.168.1.148.64492 > dns9.quad9.net.https: Flags [.], ack 3505, win 2004, options [nop,nop,TS val 3768110798 ecr 2926340941], length 0
11:15:03.640136 IP 192.168.1.148.64492 > dns9.quad9.net.https: Flags [P.], seq 518:598, ack 3505, win 2048, options [nop,nop,TS val 3768110806 ecr 2926340941], length 80
11:15:03.641493 IP 192.168.1.148.64492 > dns9.quad9.net.https: Flags [P.], seq 598:644, ack 3505, win 2048, options [nop,nop,TS val 3768110807 ecr 2926340941], length 46
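As an added example (it is not part of Quad9's article), the following shell script makes the verification repeatable: quad9_filter prints a correctly grouped tcpdump filter, and classify_capture reads tcpdump's text output and counts outbound packets by transport, so that a non-zero plain count flags plaintext DNS leaving the machine. The capture lines embedded in it are constructed for the example (two are taken from the DoH trace above); 93.184.216.34 stands in for an ordinary web server and 192.168.1.1 for a home router.

```shell
#!/bin/sh
# Added example: reusable checks for "is my Mac really sending DNS to Quad9
# over DoT/DoH?". Not part of Quad9's article.

# Print a BPF filter for tcpdump. The parentheses matter: in BPF syntax "and"
# binds tighter than "or", so "port 443 and host A or host B" means
# "(port 443 and host A) or (all traffic to/from host B)".
quad9_filter() {
  case "$1" in
    doh)  echo "port 443 and (host 9.9.9.9 or host 149.112.112.112)" ;;
    dot)  echo "port 853 and (host 9.9.9.9 or host 149.112.112.112)" ;;
    leak) echo "port 53" ;;   # plaintext DNS to any resolver; should stay quiet
    *)    echo "usage: quad9_filter doh|dot|leak" >&2; return 1 ;;
  esac
}

# Read tcpdump text output on stdin and count outbound packets by transport:
#   dot   = anything to port 853 (DoT is the only common user of that port)
#   doh   = port 443 to a Quad9 address or a *.quad9.net name
#   plain = anything to port 53 (unencrypted DNS: a leak, or an exempt app)
# Packets whose destination is the local client port are replies and are ignored.
classify_capture() {
  awk '
    {
      dst = ""
      for (i = 1; i <= NF; i++) if ($i == ">") { dst = $(i + 1); break }
      if (dst == "") next
      sub(/:$/, "", dst)                       # strip trailing ":" from "host.port:"
      q9 = (dst ~ /^(9\.9\.9\.[0-9]+|149\.112\.112\.[0-9]+|.*quad9\.net)\./)
      if (dst ~ /\.(853|domain-s)$/)            dot++
      else if (q9 && dst ~ /\.(443|https)$/)    doh++
      else if (dst ~ /\.(53|domain)$/)          plain++
    }
    END { printf "doh=%d dot=%d plain=%d\n", doh + 0, dot + 0, plain + 0 }
  '
}

# Constructed sample capture in tcpdump's default text format. The first three
# lines are from the page's DoH trace (trimmed); the rest are invented.
SAMPLE_CAPTURE='11:15:03.610657 IP 192.168.1.148.64492 > dns9.quad9.net.https: Flags [SEW], seq 643448805, win 65535, length 0
11:15:03.620608 IP dns9.quad9.net.https > 192.168.1.148.64492: Flags [S.E], seq 2427176094, ack 643448806, win 28960, length 0
11:15:03.640136 IP 192.168.1.148.64492 > dns9.quad9.net.https: Flags [P.], seq 518:598, ack 3505, win 2048, length 80
11:15:05.100000 IP 192.168.1.148.64501 > 149.112.112.112.853: Flags [S], seq 1, win 65535, length 0
11:15:05.300000 IP 192.168.1.148.64502 > 93.184.216.34.443: Flags [S], seq 1, win 65535, length 0
11:15:06.000000 IP 192.168.1.148.55000 > 192.168.1.1.53: 12345+ A? example.com. (29)'

# Live use (needs root; -c stops after N packets so awk reaches end of input):
#   sudo tcpdump -i any -l -c 200 "port 53 or port 853 or $(quad9_filter doh)" | classify_capture
# Offline demo on the constructed sample:
printf '%s\n' "$SAMPLE_CAPTURE" | classify_capture
```

On the sample this reports two DoH packets, one DoT packet and one plaintext query. In a live capture a plain count above zero is not automatically a failed profile: as noted above, Terminal and the App Store deliberately bypass encrypted DNS, so check which process produced the port 53 traffic before concluding the profile is not working.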