CalvinBackup/encrypted-dns
1
0
Fork 0
mirror of https://github.com/paulmillr/encrypted-dns.git synced 2026-02-12 17:22:53 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
6d04d828d448aeac08ad8ed5aacea445bfd561dc
encrypted-dns/languages/01-en.md
Paul Miller 6d04d828d4 Generate everything from providers json.
2025-03-06 06:59:06 +00:00

95 lines
5.2 KiB
Markdown
Raw Blame History

<%LANGUAGES%>
# encrypted-dns-configs
Configuration profiles for [DNS over HTTPS](https://en.wikipedia.org/wiki/DNS_over_HTTPS) and [DNS over TLS](https://en.wikipedia.org/wiki/DNS_over_TLS). Check out the article for more info: [paulmillr.com/posts/encrypted-dns/](https://paulmillr.com/posts/encrypted-dns/) and info about [contributing a new profile](#contributing-a-new-profile).
### Caveats
Check out [encrypted-dns over TOR](https://github.com/alecmuffett/dohot) if you need more privacy. Known issues (we can't fix them, maybe Apple can):
- eDNS gets disabled: [Little Snitch & Lulu](https://github.com/paulmillr/encrypted-dns/issues/13), [VPN](https://github.com/paulmillr/encrypted-dns/issues/18)
- Some traffic is exempt from eDNS: [Terminal / App Store](https://github.com/paulmillr/encrypted-dns/issues/22), [Chrome](https://github.com/paulmillr/encrypted-dns/issues/19)
- Starting from iOS & iPadOS 15.5, [Wi-Fi captive portals](https://en.wikipedia.org/wiki/Captive_portal) in cafes, hotels, airports are exempted by Apple from eDNS rules; to simplify authentication. This is good news.
- TLS DNS is blocked more often by ISPs than HTTPS, because TLS uses non-standard port 853, which is easy to filter out.
See [Google's article](https://security.googleblog.com/2022/07/dns-over-http3-in-android.html)
## Providers
`Censorship=yes` (also known as "filtering") means the profile will not send true information about `hostname=IP` relation for some hosts.
<%PROVIDERS_TABLE%>
## Installation
To make settings work across all apps in **iOS**, **iPadOS** & **macOS**, you'll need to install configuration profile. This profile would tell operating system to use DoH / DoT. Note: it's not enough to simply set server IPs in System Preferences — you need to install a profile.
iOS / iPadOS: Open the mobileconfig file in GitHub by using Safari (other browsers will just download the file and won't ask for installation), and then click/tap on "Allow" button. The profile should download. Go to **System Settings => General => VPN, DNS & Device Management**, select downloaded profile and tap the "Install" button.
macOS [(official docs)](https://support.apple.com/guide/mac-help/mh35561/):
1. Download and save the profile. After save, rename it to be in format: `NAME.mobileconfig`, not NAME.txt, or so
2. Choose Apple menu > System Settings, click Privacy and Security in the sidebar, then click Profiles on the right. (You may need to scroll down.)
You may be asked to supply your password or other information during installation.
3. In the Downloaded section, double-click the profile.
4. Review the profile contents then click Continue, Install or Enroll to install the profile.
If an earlier version of a profile is already installed on your Mac, the settings in the updated version replace the previous ones.
## Scope
There seems to be an [additional option](https://github.com/paulmillr/encrypted-dns/issues/22) that allows to use system-wide profiles. To try it, add this to mobileconfig file:
```xml
<key>PayloadScope</key>
<string>System</string>
```
## Signed Profiles
In the `signed` folder we have signed versions of the profiles in this repository. These profiles have been signed by [@Xernium](https://github.com/Xernium) so that when you install the profiles,
they will have a verified check box on the installation screen. It also ensures that these profiles have not been tampered with. However, since they were signed by a third party, they may lag behind their unsigned counterparts a little.
The signature is valid until `2025-11-02`
Previous signatures by:
[@Xernium](https://github.com/Xernium), replaced at `2024-11-01`
[@Candygoblen123](https://github.com/Candygoblen123), replaced at `2023-11-29`
[comment]: <> (We recommend that you install a signed profile instead of an unsigned profile because it ensures that it was not modified while it was downloading.)
To verify resolver IPs and hostnames, compare mobileconfig files to their documentation URLs. Internal workings of the profiles are described on [developer.apple.com](https://developer.apple.com/documentation/devicemanagement/dnssettings). In order to verify signed mobileconfigs, you will need to download them to your computer and open them in a text editor, because signing profiles makes GitHub think that they are binary files.
## On demand activation
You can optionally exclude some trusted Wi-Fi networks where you don't want to use encrypted DNS. To do so, add your SSIDs in the [OnDemandRules](https://github.com/paulmillr/encrypted-dns/blob/master/profiles/template-on-demand.mobileconfig#L22-L38) section inside the `PayloadContent` dictionary of a profile. Note: you can't edit signed profiles.
## Contributing a new profile
Profiles are basically text files. Copy an existing one and change its UUID, make sure you update README with new profile's info.
In addition to generating online, there are many other ways to generate a random UUID:
- Press `F12` to open DevTools in the browser, run this code in the console
```javascript
crypto.randomUUID();
```
- Run these commands in the macOS / Linux terminal
```sh
# Works both in macOS & Linux
uuidgen
# Works in Linux
cat /proc/sys/kernel/random/uuid
```
- Run this cmdlet in Powershell
```powershell
New-Guid
```
<%PROVIDERS_LINKS%>
Reference in New Issue View Git Blame Copy Permalink