# encrypted-dns-configs Configuration profiles for [DNS over HTTPS](https://en.wikipedia.org/wiki/DNS_over_HTTPS) and [DNS over TLS](https://en.wikipedia.org/wiki/DNS_over_TLS). Check out the article for more info: [paulmillr.com/posts/encrypted-dns/](https://paulmillr.com/posts/encrypted-dns/) ## Providers `Censorship=yes` means the profile will not send true information about `hostname=IP` relation for some hosts. All profiles include a *Wi-Fi-only* exception for `http://captive.apple.com/hotspot-detect.html` in order for hotel/cafe networks to work properly. | Name | Country | Censorship | Notes | Install button | |---------------------------|---------|------------|-----------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | AdGuard | ๐Ÿ‡ท๐Ÿ‡บ | Yes ๐Ÿ”ด | [Operated](https://adguard.com/en/adguard-dns/overview.html) by AdGuard in Russia | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/adguard-https.mobileconfig) | | AdGuard Family | ๐Ÿ‡ท๐Ÿ‡บ | Yes | [Filters](https://adguard.com/en/blog/adguard-dns-family-protection.html) malware & adult content | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/adguard-family-https.mobileconfig) | | AdGuard No Filter | ๐Ÿ‡ท๐Ÿ‡บ | No ๐ŸŸข | [Filters](https://adguard.com/en/adguard-dns/overview.html) Unfiltered | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/adguard-nofilter-https.mobileconfig), [TLS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/adguard-nofilter-tls.mobileconfig) | | Alekberg | ๐Ÿ‡ณ๐Ÿ‡ฑ | No | [Independent](https://alekberg.net) hoster in Netherlands | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/alekberg-https.mobileconfig) | | BlahDNS CDN Filtered | ๐Ÿ‡บ๐Ÿ‡ธ | Yes | [Independent](https://blahdns.com/) | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/blahdns-cdn-adblock-doh1.mobileconfig) | | BlahDNS CDN Unfiltered | ๐Ÿ‡บ๐Ÿ‡ธ | No | [Independent](https://blahdns.com/) | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/blahdns-cdn-unfiltered-doh1.mobileconfig) | | BlahDNS Finland Adsblock | ๐Ÿ‡ซ๐Ÿ‡ฎ | Yes | [Independent](https://blahdns.com/) | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/blahdns-finland-doh.mobileconfig) | | BlahDNS Germany Adsblock | ๐Ÿ‡ฉ๐Ÿ‡ช | Yes | [Independent](https://blahdns.com/) | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/blahdns-germany-doh.mobileconfig) | | BlahDNS Japan Adsblock | ๐Ÿ‡ฏ๐Ÿ‡ต | Yes | [Independent](https://blahdns.com/) | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/blahdns-japan-doh.mobileconfig) | | BlahDNS Singapore Adsblock| ๐Ÿ‡ธ๐Ÿ‡ฌ | Yes | [Independent](https://blahdns.com/) | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/blahdns-singapore-doh.mobileconfig) | | BlahDNS Swiss Adsblock | ๐Ÿ‡จ๐Ÿ‡ญ | Yes | [Independent](https://blahdns.com/) | [TLS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/blahdns-switzerland-dot.mobileconfig) | | Canadian Shield Private | ๐Ÿ‡จ๐Ÿ‡ฆ | No | [Operated](https://www.cira.ca/cybersecurity-services/canadian-shield/configure) by the Canadian Internet Registration Authority (CIRA) | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/canadianshield-private-https.mobileconfig), [TLS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/canadianshield-private-tls.mobileconfig) | | Canadian Shield Protected | ๐Ÿ‡จ๐Ÿ‡ฆ | Yes | [Filters](https://www.cira.ca/cybersecurity-services/canadian-shield/configure) malware | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/canadianshield-protected-https.mobileconfig), [TLS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/canadianshield-protected-tls.mobileconfig) | | Canadian Shield Family | ๐Ÿ‡จ๐Ÿ‡ฆ | Yes | [Filters](https://www.cira.ca/cybersecurity-services/canadian-shield/configure) malware & adult content | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/canadianshield-family-https.mobileconfig), [TLS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/canadianshield-family-tls.mobileconfig) | | Cloudflare | ๐Ÿ‡บ๐Ÿ‡ธ | No | [Operated](https://developers.cloudflare.com/1.1.1.1/dns-over-https) by Cloudflare 1.1.1.1 | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/cloudflare-https.mobileconfig), [TLS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/cloudflare-tls.mobileconfig) | | Cloudflare Malware | ๐Ÿ‡บ๐Ÿ‡ธ | Yes | Filters malware | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/cloudflare-malware-https.mobileconfig) | | Cloudflare Family | ๐Ÿ‡บ๐Ÿ‡ธ | Yes | Filters malware & adult content | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/cloudflare-family-https.mobileconfig) | | DNSPod | ๐Ÿ‡จ๐Ÿ‡ณ | Yes | [Operated](https://docs.dnspod.cn/public-dns/5fb5db1462110a2b153a77dd/) in mainland China | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/dnspod-https.mobileconfig), [TLS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/dnspod-tls.mobileconfig) | | Google | ๐Ÿ‡บ๐Ÿ‡ธ | No | [Operated](https://developers.google.com/speed/public-dns/docs/secure-transports) by Google | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/google-https.mobileconfig), [TLS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/google-tls.mobileconfig) | | OpenDNS | ๐Ÿ‡บ๐Ÿ‡ธ | No | [Operated](https://support.opendns.com/hc/en-us/articles/360038086532) by OpenDNS | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/opendns-https.mobileconfig) | | OpenDNS Family | ๐Ÿ‡บ๐Ÿ‡ธ | Yes | Filters malware & adult content | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/opendns-family-https.mobileconfig) | | Quad9 | ๐Ÿ‡จ๐Ÿ‡ญ | Yes | [Operated](https://www.quad9.net/news/blog/doh-with-quad9-dns-servers/) by CleanerDNS, Inc. Filters malware | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/quad9-https.mobileconfig), [TLS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/quad9-tls.mobileconfig) | | Quad9 With ECS | ๐Ÿ‡จ๐Ÿ‡ญ | Yes | [Operated](https://www.quad9.net/news/blog/doh-with-quad9-dns-servers/) by CleanerDNS, Inc. Filters malware | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/quad9-ECS-https.mobileconfig), [TLS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/quad9-ECS-tls.mobileconfig) | | Tiar.app | ๐Ÿ‡ธ๐Ÿ‡ฌ ๐Ÿ‡บ๐Ÿ‡ธ | Yes | ["Privacy-first DNS provider"](https://doh.tiar.app) from SG, hosted on Digital Ocean. Filters malware | [HTTPS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/tiarapp-https.mobileconfig), [TLS](https://github.com/paulmillr/encrypted-dns/raw/master/profiles/tiarapp-tls.mobileconfig) | ## Installation To make settings work across all apps in **iOS 14** & **MacOS Big Sur**, youโ€™ll need to install configuration profile. This profile would tell operating system to use DOH / DOT. Note: itโ€™s not enough to simply set server IPs in System Preferences โ€” you need to install a profile. To install, simply open the file in GitHub, and then click/tap on install button. The profile should download. On macOS, double click on the downloaded file to open it in settings, and approve instalation. On iOS, go to **System Settings => General => Profile**, select downloaded profile and tap the โ€œInstallโ€ button. ## Signed Profiles In the signed folder, we have *slightly outdated* signed versions of the profiles in this repository. These profiles have been signed by [@Candygoblen123](https://github.com/Candygoblen123) so that when you install the profiles, they will have a verified check box on the installation screen. It also ensures that these profiles have not been tampered with. However, since they were signed by a third party, they may lag behind their unsigned counterparts a little. [comment]: <> (We recommend that you install a signed profile instead of an unsigned profile because it ensures that it was not modified while it was downloading.) To verify resolver IPs and hostnames, compare mobileconfig files to their documentation URLs. Internal workings of the profiles are described on [developer.apple.com](https://developer.apple.com/documentation/devicemanagement/dnssettings). In order to verify signed mobileconfigs, you will need to download them to your computer and open them in a text editor, because signing profiles makes GitHub think that they are binary files. ## Known issues We can't fix the issues, only Apple can: - [Little Snitch / Lulu disable Encrypted DNS](https://github.com/paulmillr/encrypted-dns/issues/13) - [Some traffic e.g. Terminal / App Store is except from EDNS](https://github.com/paulmillr/encrypted-dns/issues/22) - [Chrome is except from EDNS](https://github.com/paulmillr/encrypted-dns/issues/19) - [VPN disable EDNS](https://github.com/paulmillr/encrypted-dns/issues/18)