Open dev9 opened 3 years ago
I can repro this also. Here is a zip of the Profile I'm using to enable Big Sur's newly added ability to use DNS over TLS or DNS over HTTPS (TLS in my test).
After I install the profile, I see this in System Preferences->Network:
If I click on the Quad9 item and then ... at the bottom and select "Make Service Active" and then click "Apply", nothing happens. The Quad9 entry stays as "Not Running".
If I disable LuLu from its menubar drop-down and then make the Quad9 service active, Quad9 turns green and says "Running". I can then verify that Big Sur is using Quad9's DNS with something like https://dnsleaktest.com.
It's not clear to me if this is a LuLu bug or a bug with Apple's implementation of DNS over TLS/HTTPS or a more general Network Extension bug.
Let me know if you need anything else from my machine to debug! And thanks very much for all your work! I've been a follower (and supporter, although only at the $1/mo level) for a year or so.
Cannot agree more on this; all types of mobileconfig DoH setups do not work with the latest LuLu. It took me a while to figure this out. Disabling LuLu activates the DoH profile right away.
Same issue here for over a year. Any update on this?
Any update on this? It's still not possible to use LuLu w/ DoH.
I'm still using LuLu and highly appreciate it, but I also would highly appreciate having DoH because of network restrictions.
Same issue on Monterey.
Same on Ventura
Will look into this shortly (early January)! ....mahalo for the detailed bug report and repos (and your patience)
@objective-see, thanks for your work on this project.
I don't believe this is an issue with LuLu. People are also experiencing the same with Little Snitch, and I'm using LuLu with Mullvad DoH profile. My understanding is only one network filter can be enabled at a time. Here's the link explaining, with some possible workarounds using dnscrypt-proxy, or using iCloud Private Relay which I don't trust. You or someone else may understand this better if incorrect and have another solution, or maybe stuck until Apple fixes/changes this.
Will it be possible to add support for custom DNS built into LuLu?
LuLu nondeterministically drops packets, causing ssh outbound connections to drop. Without LuLu, it works just fine.
The Encrypted DNS profile feature added in Big Sur (a macOS-level encrypted DNS implementation controlled through a configuration profile) doesn't seem to work with LuLu. The Encrypted DNS interface in Network Settings is greyed out when LuLu is enabled. When LuLu is disabled, one can click on the Encrypted DNS interface and then the additional settings button next to the +/- below and make the interface active, enabling encrypted DNS. The interface cannot be activated when LuLu is enabled.
For example, NextDNS provides an Encrypted DNS profile for its service at: https://apple.nextdns.io/
But if you try installing it per the instructions, you will find it is disabled under Network Settings (and Encrypted DNS is not provided) until LuLu is disabled and the NextDNS interface is made active by clicking the additional settings button next to the +/- below the interfaces and making the interface active.