17 KiB
encrypted-dns-configs
Configuration profiles for DNS over HTTPS and DNS over TLS. Check out the article for more info: paulmillr.com/posts/encrypted-dns/ and info about contributing a new profile.
Caveats
DoH seems to work faster & better than DoT judging from the Google's article.
Starting from iOS 15.5, Wi-Fi captive portals in cafes, hotels, airports are exempted by Apple from eDNS rules; to simplify authentication. This is good news. There are still some other issues; we can't fix them, only Apple can:
- eDNS gets disabled: Little Snitch & Lulu, VPN
- Some traffic is exempt from eDNS: Terminal / App Store, Chrome
If you need even more privacy, check out encrypted-dns over TOR.
Providers
Censorship=yes means the profile will not send true information about hostname=IP relation for some hosts.
| Name | Country | Censorship | Notes | Install button |
|---|---|---|---|---|
| 360 Public Security DNS | 🇨🇳 | Yes | Operated by 360 Safe | HTTPS |
| AdGuard Default | 🇷🇺 | Yes | Operated by AdGuard (Filters ads, tracking & phishing) | HTTPS, TLS |
| AdGuard Family | 🇷🇺 | Yes | Operated by AdGuard (Filters Default + malware & adult content) | HTTPS, TLS |
| AdGuard No Filter | 🇷🇺 | No | Operated by AdGuard (Non-filtering) | HTTPS, TLS |
| AliDNS | 🇨🇳 | Yes | Operated by Alibaba in China | HTTPS, TLS |
| Alekberg | 🇳🇱 | No | Independent hoster in Netherlands | HTTPS |
| BlahDNS CDN Filtered | 🇺🇸 | Yes | Independent | HTTPS |
| BlahDNS CDN Unfiltered | 🇺🇸 | No | Independent | HTTPS |
| BlahDNS Finland Adsblock | 🇫🇮 | Yes | Independent | HTTPS |
| BlahDNS Germany Adsblock | 🇩🇪 | Yes | Independent | HTTPS |
| BlahDNS Japan Adsblock | 🇯🇵 | Yes | Independent | HTTPS |
| BlahDNS Singapore Adsblock | 🇸🇬 | Yes | Independent | HTTPS |
| BlahDNS Swiss Adsblock | 🇨🇭 | Yes | Independent | TLS |
| Canadian Shield Private | 🇨🇦 | No | Operated by the Canadian Internet Registration Authority (CIRA) | HTTPS, TLS |
| Canadian Shield Protected | 🇨🇦 | Yes | Filters malware | HTTPS, TLS |
| Canadian Shield Family | 🇨🇦 | Yes | Filters malware & adult content | HTTPS, TLS |
| Cloudflare | 🇺🇸 | No | Operated by Cloudflare 1.1.1.1 | HTTPS, TLS |
| Cloudflare Malware | 🇺🇸 | Yes | Filters malware | HTTPS |
| Cloudflare Family | 🇺🇸 | Yes | Filters malware & adult content | HTTPS |
| DNSPod | 🇨🇳 | Yes | Operated by DNSPod (Tencent) in China | HTTPS, TLS |
| 🇺🇸 | No | Operated by Google | HTTPS, TLS | |
| Mullvad | 🇸🇪 | Yes | Operated by Mullvad VPN AB | HTTPS |
| Mullvad with ad blocking | 🇸🇪 | Yes | Operated by Mullvad VPN AB | HTTPS |
| OpenDNS | 🇺🇸 | No | Operated by OpenDNS | HTTPS |
| OpenDNS Family | 🇺🇸 | Yes | Filters malware & adult content | HTTPS |
| Quad9 | 🇨🇭 | Yes | Operated by CleanerDNS, Inc. Filters malware | HTTPS, TLS |
| Quad9 With ECS | 🇨🇭 | Yes | Operated by CleanerDNS, Inc. Filters malware | HTTPS, TLS |
| Tiar.app | 🇸🇬 🇺🇸 | Yes | "Privacy-first DNS provider" from SG, hosted on Digital Ocean. Filters malware | HTTPS, TLS |
Installation
To make settings work across all apps in iOS & MacOS, you’ll need to install configuration profile. This profile would tell operating system to use DOH / DOT. Note: it’s not enough to simply set server IPs in System Preferences — you need to install a profile.
iOS: Open the mobileconfig file in GitHub by using Safari (other browsers will just download the file and won't ask for installation), and then click/tap on install button. The profile should download. Go to System Settings => General => VPN, DNS & Device Management, select downloaded profile and tap the “Install” button.
macOS (official docs):
- Download and save the profile. After save, rename it to be in format:
NAME.mobileconfig, not NAME.txt, or so - Choose Apple menu > System Settings, click Privacy and Security in the sidebar, then click Profiles on the right. You may need to scroll down. You may be asked to supply your password or other information during installation.
- In the Downloaded section, double-click the profile.
- Review the profile contents then click Continue, Install or Enroll to install the profile. If an earlier version of a profile is already installed on your Mac, the settings in the updated version replace the previous ones.
Scope
There seems to be an additional option that allows to use system-wide profiles. To try it, add this to mobileconfig file:
<key>PayloadScope</key>
<string>System</string>
Signed Profiles
In the signed folder, we have slightly outdated signed versions of the profiles in this repository. These profiles have been signed by @Candygoblen123 so that when you install the profiles, they will have a verified check box on the installation screen. It also ensures that these profiles have not been tampered with. However, since they were signed by a third party, they may lag behind their unsigned counterparts a little.
To verify resolver IPs and hostnames, compare mobileconfig files to their documentation URLs. Internal workings of the profiles are described on developer.apple.com. In order to verify signed mobileconfigs, you will need to download them to your computer and open them in a text editor, because signing profiles makes GitHub think that they are binary files.
On demand activation
You can optionally exclude some trusted Wi-Fi networks where you don't want to use encrypted DNS. To do so, add your SSIDs in the OnDemandRules section inside the PayloadContent dictionary of a profile. Note: you can't edit signed profiles.
Contributing a new profile
Profiles are basically text files. Copy an existing one and change its UUID, for example, by generating a new one online. Make sure you update README with new profile's info.