CalvinBackup/encrypted-dns
1
0
Fork 0
mirror of https://github.com/paulmillr/encrypted-dns.git synced 2026-04-01 18:30:45 +02:00
Code Issues Packages Projects Releases Wiki Activity
165 Commits 2 Branches 1 Tag
82b80b56d178d58e9661cfebe6e52366297d89ab
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Paul Miller 82b80b56d1 Update readme
2026-02-27 06:19:44 +00:00
.github
Enable GitHub Sponsors
2022-09-22 21:36:37 +02:00
profiles
Rebuild and re-sign profiles, 2025-02
2026-02-27 05:59:19 +00:00
signed
Rebuild and re-sign profiles, 2025-02
2026-02-27 05:59:19 +00:00
src
Big update: streamline and simplify everything.
2026-02-27 05:58:05 +00:00
src-languages
Update readme
2026-02-27 06:19:44 +00:00
.prettierrc.json
Generate everything from providers json.
2025-03-06 06:59:06 +00:00
generate.js
Update readme
2026-02-27 06:12:03 +00:00
LICENSE
Initial commit.
2020-09-17 21:15:55 +03:00
package.json
Big update: streamline and simplify everything.
2026-02-27 05:58:05 +00:00
README.cmn-CN.md
Update readme
2026-02-27 06:12:03 +00:00
README.cmn-TW.md
Big update: streamline and simplify everything.
2026-02-27 05:58:05 +00:00
README.md
Update readme
2026-02-27 06:19:44 +00:00

README.md

English | 简体中文 | 繁體中文

encrypted-dns-configs

Configuration profiles for DNS over HTTPS and DNS over TLS. Check out the article for more info: paulmillr.com/posts/encrypted-dns/. To add a new provider, or edit an existing one, edit json files in src directory.

Known issues

  1. Some apps and protocols will ignore encrypted-dns:
    • Firefox in specific regions, App Store in all regions. More info
    • iCloud Private Relay, VPN clients
    • Little Snitch, LuLu
    • DNS-related CLI tools: host, dig, nslookup etc.
  2. Wi-Fi captive portals in cafes, hotels, airports are exempted by Apple from eDNS rules; to simplify authentication - this is ok
  3. TLS DNS is easier for providers to block, because it uses non-standard port 853. More info
  4. e-dns over TOR could be better privacy-wise, but we don't have this for now.

Usage

Install / download profile (.mobileconfig file) from a table below. After that:

iPhones, iPads:

  1. Open the mobileconfig file in GitHub by using Safari (other browsers will just download the file and won't ask for installation)
  2. Tap on "Allow" button. The profile should download.
  3. Go to System Settings => General => VPN, DNS & Device Management, select downloaded profile and tap the "Install" button.

Mac:

  1. Ensure the downloaded file has proper extension: NAME.mobileconfig, not NAME.mobileconfig.txt.
  2. Choose Apple menu > System Settings, click Privacy and Security in the sidebar, then click Profiles on the right. (You may need to scroll down.)
  3. You may be asked to supply your password or other information during installation.
  4. In the Downloaded section, double-click the profile. Review the profile contents then click Continue, Install or Enroll to install the profile. If an earlier version of a profile is already installed on your Mac, the settings in the updated version replace the previous ones.

Providers

Censorship=yes (also known as "filtering") means the profile will not send true information about hostname=IP relation for some hosts.

Name Region Censorship Notes Install Install (unsigned)
360 Security DNS 🇨🇳 Yes Operated by 360 Digital Security Group HTTPS HTTPS
AdGuard DNS Default 🇷🇺 Yes Operated by AdGuard Software Ltd. Blocks ads, tracking & phishing HTTPS, TLS HTTPS, TLS
AdGuard DNS Family Protection 🇷🇺 Yes Operated by AdGuard Software Ltd. Blocks Default + malware & adult content HTTPS, TLS HTTPS, TLS
AdGuard DNS Non-filtering 🇷🇺 No Operated by AdGuard Software Ltd. Non-filtering HTTPS, TLS HTTPS, TLS
Alekberg Encrypted DNS 🇳🇱 No Independent HTTPS HTTPS
Aliyun Public DNS 🇨🇳 No Operated by Alibaba Cloud Ltd. HTTPS, TLS HTTPS, TLS
BlahDNS CDN Filtered 🇺🇸 Yes Independent. Blocks ads, tracking & malware HTTPS HTTPS
BlahDNS CDN Unfiltered 🇺🇸 No Independent. Non-filtering HTTPS HTTPS
BlahDNS Germany 🇩🇪 Yes Independent. Blocks ads, tracking & malware HTTPS HTTPS
BlahDNS Singapore 🇸🇬 Yes Independent. Blocks ads, tracking & malware HTTPS HTTPS
Canadian Shield Private 🇨🇦 No Operated by the Canadian Internet Registration Authority (CIRA) HTTPS, TLS HTTPS, TLS
Canadian Shield Protected 🇨🇦 Yes Operated by the Canadian Internet Registration Authority (CIRA). Blocks malware & phishing HTTPS, TLS HTTPS, TLS
Canadian Shield Family 🇨🇦 Yes Operated by the Canadian Internet Registration Authority (CIRA). Blocks malware, phishing & adult content HTTPS, TLS HTTPS, TLS
Cleanbrowsing Family Filter 🇺🇸 Yes Filters malware & adult, mixed content HTTPS, TLS HTTPS, TLS
Cleanbrowsing Adult Filter 🇺🇸 Yes Filters malware & adult content HTTPS, TLS HTTPS, TLS
Cleanbrowsing Security Filter 🇺🇸 Yes Filters malware HTTPS, TLS HTTPS, TLS
Cloudflare 1.1.1.1 🇺🇸 No Operated by Cloudflare Inc. HTTPS, TLS HTTPS, TLS
Cloudflare 1.1.1.1 Security 🇺🇸 Yes Operated by Cloudflare Inc. Blocks malware & phishing HTTPS HTTPS
Cloudflare 1.1.1.1 Family 🇺🇸 Yes Operated by Cloudflare Inc. Blocks malware, phishing & adult content HTTPS HTTPS
DNS4EU 🇨🇿 No Operated by a consortium lead by Whalebone. HTTPS, TLS HTTPS, TLS
DNS4EU Protective 🇨🇿 Yes Operated by a consortium lead by Whalebone. Blocks Malware. HTTPS, TLS HTTPS, TLS
DNS4EU Protective ad-blocking 🇨🇿 Yes Operated by a consortium lead by Whalebone. Blocks Malware and Ads HTTPS, TLS HTTPS, TLS
DNS4EU Protective with child protection 🇨🇿 Yes Operated by a consortium lead by Whalebone. Blocks malware and explicit content. HTTPS, TLS HTTPS, TLS
DNS4EU Protective with child protection & ad-blocking 🇨🇿 Yes Operated by a consortium lead by Whalebone. Blocks Malware, Ads and explicit content HTTPS, TLS HTTPS, TLS
DNSPod Public DNS 🇨🇳 No Operated by DNSPod Inc., a Tencent Cloud Company HTTPS, TLS HTTPS, TLS
FDN 🇫🇷 No Operated by French Data Network HTTPS, TLS HTTPS, TLS
FFMUC-DNS 🇩🇪 No FFMUC free DNS servers provided by Freifunk München. HTTPS, TLS HTTPS, TLS
Google Public DNS 🇺🇸 No Operated by Google LLC HTTPS, TLS HTTPS, TLS
keweonDNS 🇩🇪 No Operated by Aviontex. Blocks ads & tracking HTTPS, TLS HTTPS, TLS
Mullvad DNS 🇸🇪 Yes Operated by Mullvad VPN AB HTTPS HTTPS
Mullvad DNS Adblock 🇸🇪 Yes Operated by Mullvad VPN AB. Blocks ads & tracking HTTPS HTTPS
OpenDNS Standard 🇺🇸 No Operated by Cisco OpenDNS LLC HTTPS HTTPS
OpenDNS FamilyShield 🇺🇸 Yes Operated by Cisco OpenDNS LLC. Blocks malware & adult content HTTPS HTTPS
Quad9 🇨🇭 Yes Operated by Quad9 Foundation. Blocks malware HTTPS, TLS HTTPS, TLS
Quad9 w/ ECS 🇨🇭 Yes Operated by Quad9 Foundation. Supports ECS. Blocks malware HTTPS, TLS HTTPS, TLS
Quad9 Unfiltered 🇨🇭 No Operated by Quad9 Foundation. HTTPS, TLS HTTPS, TLS
Tiarap 🇸🇬 🇺🇸 Yes Operated by Tiarap Inc. Blocks ads, tracking, phising & malware HTTPS, TLS HTTPS, TLS

Signed Profiles

To verify resolver IPs and hostnames, compare mobileconfig files to their documentation URLs. Internal workings of the profiles are described on developer.apple.com. In order to verify signed mobileconfigs, you will need to download them to your computer and open them in a text editor, because signing profiles makes GitHub think that they are binary files.

On demand activation

You can optionally exclude some trusted Wi-Fi networks where you don't want to use encrypted DNS. To do so, add your SSIDs in the OnDemandRules section inside the PayloadContent dictionary of a profile. Note: you can't edit signed profiles.

Contributing a new profile

To add a new provider, or edit an existing one, edit json files in src directory.

Reference in New Issue View Git Blame Copy Permalink
Description
No description provided
cloudflareconfiguration-profilednsencrypted-dnsgooglehttpsiosmacosmobileconfigopendnsoverquad9rfc7858rfc8484tls
Readme Unlicense 988 KiB
Languages
JavaScript 71.1%
TypeScript 26.7%
Shell 2.2%