Encrypt DNS traffic on macOS

Use dnscrypt-proxy to encrypt DNS queries and prevent surveillance

May 21, 2026

#macos

By default, DNS queries are sent as plain text (i.e. unencrypted) 😅 This means your internet provider, network administrators or anyone else on the same network as you can see the websites you're visiting. Even if a website uses HTTPS, the DNS query to resolve its domain is unencrypted.

Fortunately, two protocols, DNSCrypt and DNS-over-HTTPS (DoH), encrypt DNS traffic.

If you’d like to start encrypting your DNS queries, one way to do it on macOS is to start a proxy DNS server locally and point macOS to it. This proxy DNS server receives unencrypted DNS queries and then proxies those queries to a public DNS server (Cloudflare DNS servers etc.) using DNSCrypt or DNS-over-HTTPS (DoH). One such proxy server you can run locally is dnscrypt-proxy.

To install dnscrypt-proxy, run

brew install dnscrypt-proxy

Modify its configuration file /opt/homebrew/etc/dnscrypt-proxy.toml to proxy DNS queries to Cloudflare’s DNS servers

server_names = ['cloudflare', 'cloudflare-ipv6']

listen_addresses = ['127.0.0.1:53']

ipv4_servers = true
ipv6_servers = false

dnscrypt_servers = true
doh_servers = true

require_nolog = true
require_nofilter = true

cache = true
cache_size = 4096
cache_min_ttl = 2400
cache_max_ttl = 86400

[sources]
  [sources.public-resolvers]
  urls = [
    'https://raw.githubusercontent.com/DNSCrypt/dnscrypt-resolvers/master/v3/public-resolvers.md',
    'https://download.dnscrypt.info/resolvers-list/v3/public-resolvers.md',
  ]
  cache_file = 'public-resolvers.md'
  minisign_key = 'RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3'
  refresh_delay = 73

Start it

sudo brew services start dnscrypt-proxy

Finally, configure macOS to use dnscrypt-proxy.

networksetup -setdnsservers Wi-Fi 127.0.0.1

Alternatively, open System Settings and search for “DNS servers”. Click on the “Details…” button beside your Wi-Fi (or any other internet connection if you’re not using Wi-Fi). Remove your existing DNS servers and add 127.0.0.1.

If you’d like to, you can verify that dnscrypt-proxy is answering queries

dig google.com @127.0.0.1
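
The dig query above only shows that the proxy answers on 127.0.0.1. It does not show that macOS sends its own lookups there, and networksetup -setdnsservers Wi-Fi changes only the Wi-Fi service. The script below is an added example, not part of the original post: it parses `scutil --dns` output and reports any configured resolver that is not loopback. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that every DNS resolver
# macOS has configured is the local dnscrypt-proxy listener.

# Read `scutil --dns` output on stdin and print each distinct nameserver that
# is not a loopback address. Prints nothing when only the proxy is in use.
non_local_resolvers() {
    awk '/nameserver\[[0-9]+\] *:/ { print $NF }' |
        sort -u |
        grep -v -E '^(127\.0\.0\.1|::1)$' || true
}

# Succeed only if the input lists at least one nameserver and all are loopback.
dns_is_local_only() {
    config=$(cat)
    printf '%s\n' "$config" | grep -q 'nameserver\[' || return 1
    [ -z "$(printf '%s\n' "$config" | non_local_resolvers)" ]
}

# Constructed sample: Wi-Fi points at the proxy, but a second network service
# (for example Ethernet) still uses the resolver handed out by DHCP.
SAMPLE_MIXED='resolver #1
  nameserver[0] : 127.0.0.1
  if_index : 15 (en0)
resolver #2
  nameserver[0] : 192.168.1.1
  if_index : 6 (en5)'

# Run against the live configuration only where scutil exists (macOS).
if command -v scutil >/dev/null 2>&1; then
    if scutil --dns | dns_is_local_only; then
        echo "OK: all configured resolvers are loopback"
    else
        echo "WARNING: resolvers that bypass dnscrypt-proxy:"
        scutil --dns | non_local_resolvers
    fi
fi
```

If a resolver is reported, repeat the networksetup command for the network service that owns it (networksetup -listallnetworkservices prints the service names).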

Troubleshooting

If DNS queries start to fail after enabling dnscrypt-proxy, go through its logs

tail -f /opt/homebrew/var/log/dnscrypt-proxy.log

Worst case, restore your default DNS servers

networksetup -setdnsservers Wi-Fi empty
sudo brew services stop dnscrypt-proxy

Resources

Source Code