paulmillr / encrypted-dns

DNS over HTTPS config profiles for iOS & macOS
https://paulmillr.com/posts/encrypted-dns/
The Unlicense


encrypted-dns-configs

Configuration profiles for DNS over HTTPS and DNS over TLS. Check out the article for more info: paulmillr.com/posts/encrypted-dns/. See the "Contributing a new profile" section below for how to add a new profile.

Caveats

DoH seems to work faster & better than DoT, judging from Google's article.

Starting from iOS & iPadOS 15.5, Apple exempts Wi-Fi captive portals (cafes, hotels, airports) from the encrypted DNS rules to simplify authentication. This is good news. There are still some other issues; we can't fix them, only Apple can:

If you need even more privacy, check out encrypted-dns over TOR.

Providers

Censorship = Yes means the resolver behind the profile will not return the true hostname-to-IP mapping for some hosts (it filters or blocks them).

| Name | Region | Censorship | Notes | Install (signed, recommended) | Install (unsigned) |
|---|---|---|---|---|---|
| 360 Security DNS | 🇨🇳 | Yes | Operated by 360 Digital Security Group | HTTPS | HTTPS |
| AdGuard DNS Default | 🇷🇺 | Yes | Operated by AdGuard Software Ltd. Blocks ads, tracking & phishing | HTTPS, TLS | HTTPS, TLS |
| AdGuard DNS Family Protection | 🇷🇺 | Yes | Operated by AdGuard Software Ltd. Blocks Default + malware & adult content | HTTPS, TLS | HTTPS, TLS |
| AdGuard DNS Non-filtering | 🇷🇺 | No | Operated by AdGuard Software Ltd. Non-filtering | HTTPS, TLS | HTTPS, TLS |
| Alekberg Encrypted DNS | 🇳🇱 | No | Independent | HTTPS | HTTPS |
| Aliyun Public DNS | 🇨🇳 | No | Operated by Alibaba Cloud Ltd. | HTTPS, TLS | HTTPS, TLS |
| Archuser.org PubHole | 🇺🇸 | Yes | Independent. Blocks ads, tracking, and supports OpenNIC domains. | HTTPS, TLS | HTTPS, TLS |
| BlahDNS CDN Filtered | 🇺🇸 | Yes | Independent. Blocks ads, tracking & malware | HTTPS | HTTPS |
| BlahDNS CDN Unfiltered | 🇺🇸 | No | Independent. Non-filtering | HTTPS | HTTPS |
| BlahDNS Finland | 🇫🇮 | Yes | Independent. Blocks ads, tracking & malware | HTTPS | HTTPS |
| BlahDNS Germany | 🇩🇪 | Yes | Independent. Blocks ads, tracking & malware | HTTPS | HTTPS |
| BlahDNS Japan | 🇯🇵 | Yes | Independent. Blocks ads, tracking & malware | HTTPS | HTTPS |
| BlahDNS Singapore | 🇸🇬 | Yes | Independent. Blocks ads, tracking & malware | HTTPS | HTTPS |
| BlahDNS Switzerland | 🇨🇭 | Yes | Independent. Blocks ads, tracking & malware | TLS | TLS |
| Canadian Shield Private | 🇨🇦 | No | Operated by the Canadian Internet Registration Authority (CIRA) | HTTPS, TLS | HTTPS, TLS |
| Canadian Shield Protected | 🇨🇦 | Yes | Operated by the Canadian Internet Registration Authority (CIRA). Blocks malware & phishing | HTTPS, TLS | HTTPS, TLS |
| Canadian Shield Family | 🇨🇦 | Yes | Operated by the Canadian Internet Registration Authority (CIRA). Blocks malware, phishing & adult content | HTTPS, TLS | HTTPS, TLS |
| Cloudflare 1.1.1.1 | 🇺🇸 | No | Operated by Cloudflare Inc. | HTTPS, TLS | HTTPS, TLS |
| Cloudflare 1.1.1.1 Security | 🇺🇸 | Yes | Operated by Cloudflare Inc. Blocks malware & phishing | HTTPS | HTTPS |
| Cloudflare 1.1.1.1 Family | 🇺🇸 | Yes | Operated by Cloudflare Inc. Blocks malware, phishing & adult content | HTTPS | HTTPS |
| DNSPod Public DNS | 🇨🇳 | No | Operated by DNSPod Inc., a Tencent Cloud Company | HTTPS, TLS | HTTPS, TLS |
| Google Public DNS | 🇺🇸 | No | Operated by Google LLC | HTTPS, TLS | HTTPS, TLS |
| keweonDNS | 🇩🇪 | No | Operated by Aviontex. Blocks ads & tracking | HTTPS, TLS | HTTPS, TLS |
| Mullvad DNS | 🇸🇪 | Yes | Operated by Mullvad VPN AB | HTTPS | HTTPS |
| Mullvad DNS Adblock | 🇸🇪 | Yes | Operated by Mullvad VPN AB. Blocks ads & tracking | HTTPS | HTTPS |
| OpenDNS Standard | 🇺🇸 | No | Operated by Cisco OpenDNS LLC | HTTPS | HTTPS |
| OpenDNS FamilyShield | 🇺🇸 | Yes | Operated by Cisco OpenDNS LLC. Blocks malware & adult content | HTTPS | HTTPS |
| Quad9 | 🇨🇭 | Yes | Operated by Quad9 Foundation. Blocks malware | HTTPS, TLS | HTTPS, TLS |
| Quad9 w/ ECS | 🇨🇭 | Yes | Operated by Quad9 Foundation. Supports ECS. Blocks malware | HTTPS, TLS | HTTPS, TLS |
| Tiarap | 🇸🇬 🇺🇸 | Yes | Operated by Tiarap Inc. Blocks ads, tracking, phishing & malware | HTTPS, TLS | HTTPS, TLS |

Installation

To make the settings work across all apps on iOS, iPadOS & macOS, you'll need to install a configuration profile. The profile tells the operating system to use DoH / DoT. Note: it's not enough to simply set server IPs in System Preferences; you need to install a profile.

iOS / iPadOS: open the mobileconfig file on GitHub using Safari (other browsers will just download the file and won't offer to install it), then tap the "Allow" button. The profile should download. Go to System Settings => General => VPN, DNS & Device Management, select the downloaded profile and tap the "Install" button.

macOS (official docs):

  1. Download and save the profile. After saving, make sure the file name ends in .mobileconfig (e.g. NAME.mobileconfig, not NAME.txt).
  2. Choose Apple menu > System Settings, click Privacy and Security in the sidebar, then click Profiles on the right. (You may need to scroll down.) You may be asked to supply your password or other information during installation.
  3. In the Downloaded section, double-click the profile.
  4. Review the profile contents then click Continue, Install or Enroll to install the profile.

    If an earlier version of a profile is already installed on your Mac, the settings in the updated version replace the previous ones.

Scope

There seems to be an additional option that allows system-wide (device-level rather than per-user) profiles. To try it, add this to the mobileconfig file:

<key>PayloadScope</key>
<string>System</string>

Signed Profiles

In the signed folder we have signed versions of the profiles in this repository. These profiles have been signed by @Xernium so that when you install them, they show a verified check mark on the installation screen. The signature also ensures that the profiles have not been tampered with. However, since they were signed by a third party, they may lag behind their unsigned counterparts a little. The signature is valid until 2025-11-02.

Previous signatures by:

  - @Xernium, replaced at 2024-11-01
  - @Candygoblen123, replaced at 2023-11-29

To verify resolver IPs and hostnames, compare mobileconfig files to their documentation URLs. Internal workings of the profiles are described on developer.apple.com. In order to verify signed mobileconfigs, you will need to download them to your computer and open them in a text editor, because signing profiles makes GitHub think that they are binary files.

Contributing a new profile

Profiles are basically text files. Copy an existing one and change its UUID, and make sure you update the README with the new profile's info.

In addition to generating one online, there are many other ways to generate a random UUID:

# Works in a browser console or Node.js
crypto.randomUUID();

# Works both in macOS & Linux
uuidgen

# Works in Linux
cat /proc/sys/kernel/random/uuid

# Works in PowerShell
New-Guid
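The following is an added example, not code from the paulmillr/encrypted-dns repository. It ties together the Scope section, the advice to verify resolver IPs and hostnames, and the contributing steps above: it builds a DoH or DoT profile in the same shape as the repository's files (with fresh UUIDs and the optional PayloadScope key) and lints a .mobileconfig for the mistakes a copied profile most often carries. It assumes Apple's documented DNS Settings payload keys (PayloadType com.apple.dnsSettings.managed, DNSProtocol, ServerURL, ServerName, ServerAddresses); the resolver URL, IP addresses and the com.example.dns identifier prefix are constructed placeholders, so a real profile takes them from the resolver's documentation.

```python
"""Build and lint an encrypted-DNS .mobileconfig with only the standard library.

Added example, not part of the paulmillr/encrypted-dns repository. Assumes
Apple's documented DNS Settings payload keys; resolver URL, IPs and the
org_id prefix below are constructed placeholders.
"""
import ipaddress
import plistlib
import uuid
from urllib.parse import urlparse

DNS_PAYLOAD_TYPE = "com.apple.dnsSettings.managed"


def new_uuid() -> str:
    # Same kind of value as `uuidgen` / `crypto.randomUUID()`, uppercased like uuidgen on macOS.
    return str(uuid.uuid4()).upper()


def build_profile(name, protocol, server_url=None, server_name=None,
                  addresses=(), system_wide=False, org_id="com.example.dns"):
    """Return a profile dict shaped like the repository's profiles.

    protocol is "HTTPS" (DoH, needs server_url) or "TLS" (DoT, needs server_name).
    Both the outer profile and the DNS payload get fresh UUIDs, the step the
    README asks contributors to do by hand. org_id is a placeholder prefix.
    """
    dns = {"DNSProtocol": protocol, "ServerAddresses": list(addresses)}
    if protocol == "HTTPS":
        dns["ServerURL"] = server_url
    elif protocol == "TLS":
        dns["ServerName"] = server_name
    payload = {
        "PayloadType": DNS_PAYLOAD_TYPE,
        "PayloadIdentifier": f"{org_id}.{name}.dns",
        "PayloadUUID": new_uuid(),
        "PayloadVersion": 1,
        "PayloadDisplayName": f"{name} ({protocol})",
        "DNSSettings": dns,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": f"{org_id}.{name}",
        "PayloadUUID": new_uuid(),
        "PayloadVersion": 1,
        "PayloadDisplayName": f"Encrypted DNS: {name}",
        "PayloadContent": [payload],
    }
    if system_wide:
        profile["PayloadScope"] = "System"  # optional key from the Scope section
    return profile


def to_mobileconfig(profile) -> bytes:
    """Serialize to the XML plist text that lives in the repository."""
    return plistlib.dumps(profile)


def lint_profile(data: bytes) -> list:
    """Return a list of problems; an empty list means the profile passed."""
    problems = []
    try:
        profile = plistlib.loads(data)
    except Exception as exc:  # signed profiles are DER CMS blobs, not XML
        return [f"not a parseable plist (unwrap the signature first): {exc}"]

    payloads = profile.get("PayloadContent", [])
    seen = set()
    for obj in [profile, *payloads]:  # every UUID must be valid and unique
        u = str(obj.get("PayloadUUID", ""))
        try:
            uuid.UUID(u)
        except ValueError:
            problems.append(f"invalid PayloadUUID {u!r}")
        if u in seen:
            problems.append(f"duplicate PayloadUUID {u} (copied profile, UUID not changed?)")
        seen.add(u)

    if profile.get("PayloadScope", "User") not in ("User", "System"):
        problems.append("PayloadScope must be User or System")

    for payload in payloads:
        if payload.get("PayloadType") != DNS_PAYLOAD_TYPE:
            problems.append(f"unexpected PayloadType {payload.get('PayloadType')!r}")
            continue
        dns = payload.get("DNSSettings", {})
        proto = dns.get("DNSProtocol")
        if proto == "HTTPS":
            url = urlparse(dns.get("ServerURL") or "")
            if url.scheme != "https" or not url.hostname:
                problems.append("DoH ServerURL must be an https:// URL")
        elif proto == "TLS":
            if not dns.get("ServerName"):
                problems.append("DoT payload needs ServerName (the TLS certificate is checked against it)")
        else:
            problems.append(f"DNSProtocol must be HTTPS or TLS, got {proto!r}")
        for addr in dns.get("ServerAddresses", []):
            try:
                ipaddress.ip_address(addr)
            except ValueError:
                problems.append(f"ServerAddresses entry {addr!r} is not an IP address")
    return problems


if __name__ == "__main__":
    good = build_profile("ExampleDoH", "HTTPS",
                         server_url="https://dns.example.net/dns-query",
                         addresses=["192.0.2.53", "2001:db8::53"], system_wide=True)
    print(to_mobileconfig(good).decode())
    print("lint:", lint_profile(to_mobileconfig(good)) or "ok")
```

Run it as a script to print a complete placeholder profile, or call lint_profile on the bytes of an unsigned .mobileconfig from the repository before opening a pull request. The linter deliberately refuses signed files: those are DER-encoded signatures wrapping the plist, which is why GitHub shows them as binary.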