encrypted-dns-configs
Configuration profiles for DNS over HTTPS and DNS over TLS. Check out the article for more info: paulmillr.com/posts/encrypted-dns/ and info about contributing a new profile.
Caveats
DoH seems to work faster & better than DoT, judging from Google's article.
Starting from iOS 15.5, Wi-Fi captive portals in cafes, hotels and airports are exempted by Apple from eDNS rules, to simplify authentication. This is good news. There are still some other issues; we can't fix them, only Apple can:
- eDNS gets disabled: Little Snitch & Lulu, VPN
- Some traffic is exempt from eDNS: Terminal / App Store, Chrome
Providers
Censorship=yes means the profile will not send true information about hostname=IP relation for some hosts.
Name | Country | Censorship | Notes | Install button |
---|---|---|---|---|
AdGuard Default | 🇷🇺 | Yes | Operated by AdGuard (Filters ads, tracking & phishing) | HTTPS, TLS |
AdGuard Family | 🇷🇺 | Yes | Operated by AdGuard (Filters Default + malware & adult content) | HTTPS, TLS |
AdGuard No Filter | 🇷🇺 | No | Operated by AdGuard (Non-filtering) | HTTPS, TLS |
AliDNS | 🇨🇳 | Yes | Operated by Alibaba in China | HTTPS, TLS |
Alekberg | 🇳🇱 | No | Independent hoster in Netherlands | HTTPS |
BlahDNS CDN Filtered | 🇺🇸 | Yes | Independent | HTTPS |
BlahDNS CDN Unfiltered | 🇺🇸 | No | Independent | HTTPS |
BlahDNS Finland Adsblock | 🇫🇮 | Yes | Independent | HTTPS |
BlahDNS Germany Adsblock | 🇩🇪 | Yes | Independent | HTTPS |
BlahDNS Japan Adsblock | 🇯🇵 | Yes | Independent | HTTPS |
BlahDNS Singapore Adsblock | 🇸🇬 | Yes | Independent | HTTPS |
BlahDNS Swiss Adsblock | 🇨🇭 | Yes | Independent | TLS |
Canadian Shield Private | 🇨🇦 | No | Operated by the Canadian Internet Registration Authority (CIRA) | HTTPS, TLS |
Canadian Shield Protected | 🇨🇦 | Yes | Filters malware | HTTPS, TLS |
Canadian Shield Family | 🇨🇦 | Yes | Filters malware & adult content | HTTPS, TLS |
Cloudflare | 🇺🇸 | No | Operated by Cloudflare 1.1.1.1 | HTTPS, TLS |
Cloudflare Malware | 🇺🇸 | Yes | Filters malware | HTTPS |
Cloudflare Family | 🇺🇸 | Yes | Filters malware & adult content | HTTPS |
DNSPod | 🇨🇳 | Yes | Operated by DNSPod (Tencent) in China | HTTPS, TLS |
Google | 🇺🇸 | No | Operated by Google | HTTPS, TLS |
OpenDNS | 🇺🇸 | No | Operated by OpenDNS | HTTPS |
OpenDNS Family | 🇺🇸 | Yes | Filters malware & adult content | HTTPS |
Quad9 | 🇨🇭 | Yes | Operated by CleanerDNS, Inc. Filters malware | HTTPS, TLS |
Quad9 With ECS | 🇨🇭 | Yes | Operated by CleanerDNS, Inc. Filters malware | HTTPS, TLS |
Tiar.app | 🇸🇬 🇺🇸 | Yes | "Privacy-first DNS provider" from SG, hosted on Digital Ocean. Filters malware | HTTPS, TLS |
Installation
To make settings work across all apps in iOS & macOS, you'll need to install a configuration profile. This profile tells the operating system to use DoH / DoT. Note: it's not enough to simply set server IPs in System Preferences; you need to install a profile.
To install, simply open the file in GitHub using Safari (other browsers will just download the file and won't ask for installation), and then click/tap on the install button. The profile should download. On macOS, double-click the downloaded file to open it in settings, and approve the installation. On iOS, go to System Settings => General => Profile, select the downloaded profile and tap the "Install" button.
Signed Profiles
In the signed folder, we have slightly outdated signed versions of the profiles in this repository. These profiles have been signed by @Candygoblen123 so that when you install the profiles, they will have a verified check box on the installation screen. It also ensures that these profiles have not been tampered with. However, since they were signed by a third party, they may lag behind their unsigned counterparts a little.
To verify resolver IPs and hostnames, compare mobileconfig files to their documentation URLs. Internal workings of the profiles are described on developer.apple.com. In order to verify signed mobileconfigs, you will need to download them to your computer and open them in a text editor, because signing profiles makes GitHub think that they are binary files.
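One way to script that comparison, as an added example that is not part of this repository: it reads the DNS settings payload of a profile and reports anything that differs from values you copied from the provider's documentation. The function names and the sample profile are constructed for illustration, and the signed-profile handling assumes the XML is stored contiguously inside the signature wrapper.

```python
import plistlib
from urllib.parse import urlsplit

# Constructed sample profile (not one of the repository's files); the hostname
# and addresses are reserved documentation values.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadType</key><string>Configuration</string>
<key>PayloadContent</key><array><dict>
  <key>PayloadType</key><string>com.apple.dnsSettings.managed</string>
  <key>DNSSettings</key><dict>
    <key>DNSProtocol</key><string>HTTPS</string>
    <key>ServerURL</key><string>https://dns.example.net/dns-query</string>
    <key>ServerAddresses</key><array>
      <string>192.0.2.1</string><string>2001:db8::1</string>
    </array>
  </dict>
</dict></array>
</dict></plist>"""

def load_profile(raw: bytes) -> dict:
    """Parse a profile; for a signed (CMS-wrapped) one, cut out the embedded XML.
    This only exposes the content for review, it does not verify the signature."""
    start, end = raw.find(b"<?xml"), raw.rfind(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no XML plist found")
    return plistlib.loads(raw[start:end + len(b"</plist>")])

def dns_endpoints(raw: bytes) -> list:
    """Return (protocol, hostname, sorted addresses) per DNS settings payload."""
    out = []
    for payload in load_profile(raw).get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.dnsSettings.managed":
            continue
        s = payload.get("DNSSettings", {})
        proto = s.get("DNSProtocol")
        # DoH profiles carry ServerURL, DoT profiles carry ServerName.
        host = urlsplit(s.get("ServerURL", "")).hostname if proto == "HTTPS" else s.get("ServerName")
        out.append((proto, host, sorted(s.get("ServerAddresses", []))))
    return out

def mismatches(raw: bytes, doc_host: str, doc_addrs: set) -> list:
    """Compare a profile against values copied by hand from the provider's docs."""
    problems = []
    for proto, host, addrs in dns_endpoints(raw):
        if host != doc_host:
            problems.append(f"{proto}: host {host!r} != documented {doc_host!r}")
        problems += [f"{proto}: undocumented address {a}" for a in addrs if a not in doc_addrs]
    return problems
```

An empty list from `mismatches` means the profile points only at the documented hostname and addresses; it says nothing about who signed a signed profile.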
Contributing a new profile
Profiles are basically text files. Copy an existing one and change its UUID, for example, by generating a new one online. Make sure you update the README with the new profile's info.