Configuration profiles for DNS over HTTPS and DNS over TLS. Check out the article for more info: paulmillr.com/posts/encrypted-dns/. To add a new provider, or edit an existing one: see #contributing.
Download a profile (.mobileconfig file) from the table below. After that:
iPhones, iPads:
- Open the file by using Safari (other browsers will just download the file and won't ask for installation)
- Tap the "Allow" button. The profile should download.
- Go to System Settings => General => VPN, DNS & Device Management, select downloaded profile and tap the "Install" button.
Mac:
- Ensure the downloaded file has proper extension: NAME.mobileconfig, not NAME.mobileconfig.txt.
- Choose Apple menu > System Settings, click Privacy and Security in the sidebar, then click Profiles on the right. You may need to scroll down. You may be asked to supply your password or other information during installation.
- In the Downloaded section, double-click the profile. Review the profile contents then click Continue, Install or Enroll to install the profile. If an earlier version of a profile is already installed on your Mac, the settings in the updated version replace the previous ones.
Censorship (also known as "filtering") means the resolver behind the profile will not return the true hostname-to-IP mapping for some hosts.
| Name | Region | Censorship | Notes | Install | Install (unsigned) |
|---|---|---|---|---|---|
| 360 Security DNS | 🇨🇳 | Yes | Operated by 360 Digital Security Group | HTTPS | |
| AdGuard DNS Default | 🇷🇺 | Yes | Operated by AdGuard Software Ltd. Blocks ads, tracking & phishing | HTTPS, TLS | |
| AdGuard DNS Family Protection | 🇷🇺 | Yes | Operated by AdGuard Software Ltd. Blocks Default + malware & adult content | HTTPS, TLS | |
| AdGuard DNS Non-filtering | 🇷🇺 | No | Operated by AdGuard Software Ltd. Non-filtering | HTTPS, TLS | |
| Alekberg Encrypted DNS | 🇳🇱 | No | Independent | HTTPS | |
| Aliyun Public DNS | 🇨🇳 | No | Operated by Alibaba Cloud Ltd. | HTTPS, TLS | |
| BlahDNS CDN Filtered | 🇺🇸 | Yes | Independent. Blocks ads, tracking & malware | HTTPS | |
| BlahDNS CDN Unfiltered | 🇺🇸 | No | Independent. Non-filtering | HTTPS | |
| BlahDNS Germany | 🇩🇪 | Yes | Independent. Blocks ads, tracking & malware | HTTPS | |
| BlahDNS Singapore | 🇸🇬 | Yes | Independent. Blocks ads, tracking & malware | HTTPS | |
| Canadian Shield Private | 🇨🇦 | No | Operated by the Canadian Internet Registration Authority (CIRA) | HTTPS, TLS | |
| Canadian Shield Protected | 🇨🇦 | Yes | Operated by the Canadian Internet Registration Authority (CIRA). Blocks malware & phishing | HTTPS, TLS | |
| Canadian Shield Family | 🇨🇦 | Yes | Operated by the Canadian Internet Registration Authority (CIRA). Blocks malware, phishing & adult content | HTTPS, TLS | |
| Cleanbrowsing Family Filter | 🇺🇸 | Yes | Filters malware & adult, mixed content | HTTPS, TLS | |
| Cleanbrowsing Adult Filter | 🇺🇸 | Yes | Filters malware & adult content | HTTPS, TLS | |
| Cleanbrowsing Security Filter | 🇺🇸 | Yes | Filters malware | HTTPS, TLS | |
| Cloudflare 1.1.1.1 | 🇺🇸 | No | Operated by Cloudflare Inc. | HTTPS, TLS | |
| Cloudflare 1.1.1.1 Security | 🇺🇸 | Yes | Operated by Cloudflare Inc. Blocks malware & phishing | HTTPS | |
| Cloudflare 1.1.1.1 Family | 🇺🇸 | Yes | Operated by Cloudflare Inc. Blocks malware, phishing & adult content | HTTPS | |
| DNS4EU | 🇨🇿 | No | Operated by a consortium led by Whalebone | HTTPS, TLS | |
| DNS4EU Protective | 🇨🇿 | Yes | Operated by a consortium led by Whalebone. Blocks malware | HTTPS, TLS | |
| DNS4EU Protective ad-blocking | 🇨🇿 | Yes | Operated by a consortium led by Whalebone. Blocks malware & ads | HTTPS, TLS | |
| DNS4EU Protective with child protection | 🇨🇿 | Yes | Operated by a consortium led by Whalebone. Blocks malware & explicit content | HTTPS, TLS | |
| DNS4EU Protective with child protection & ad-blocking | 🇨🇿 | Yes | Operated by a consortium led by Whalebone. Blocks malware, ads & explicit content | HTTPS, TLS | |
| DNSPod Public DNS | 🇨🇳 | No | Operated by DNSPod Inc., a Tencent Cloud Company | HTTPS, TLS | |
| FDN | 🇫🇷 | No | Operated by French Data Network | HTTPS, TLS | |
| FFMUC-DNS | 🇩🇪 | No | FFMUC free DNS servers provided by Freifunk München. | HTTPS, TLS | |
| Google Public DNS | 🇺🇸 | No | Operated by Google LLC | HTTPS, TLS | |
| keweonDNS | 🇩🇪 | No | Operated by Aviontex. Blocks ads & tracking | HTTPS, TLS | |
| Mullvad DNS | 🇸🇪 | Yes | Operated by Mullvad VPN AB | HTTPS | |
| Mullvad DNS Adblock | 🇸🇪 | Yes | Operated by Mullvad VPN AB. Blocks ads & tracking | HTTPS | |
| OpenDNS Standard | 🇺🇸 | No | Operated by Cisco OpenDNS LLC | HTTPS | |
| OpenDNS FamilyShield | 🇺🇸 | Yes | Operated by Cisco OpenDNS LLC. Blocks malware & adult content | HTTPS | |
| Quad9 | 🇨🇭 | Yes | Operated by Quad9 Foundation. Blocks malware | HTTPS, TLS | |
| Quad9 w/ ECS | 🇨🇭 | Yes | Operated by Quad9 Foundation. Supports ECS. Blocks malware | HTTPS, TLS | |
| Quad9 Unfiltered | 🇨🇭 | No | Operated by Quad9 Foundation. | HTTPS, TLS | |
| Tiarap | 🇸🇬 🇺🇸 | Yes | Operated by Tiarap Inc. Blocks ads, tracking, phishing & malware | HTTPS, TLS | |
| ADNull DNS | 🇺🇦 | Yes | Operated by ADNull. Blocks ads & tracking | HTTPS | |
- Some apps and protocols will ignore encrypted DNS:
  - Firefox in specific regions, App Store in all regions
  - iCloud Private Relay, VPN clients
  - Little Snitch, LuLu
  - DNS-related CLI tools: `host`, `dig`, `nslookup` etc.
  - Wi-Fi captive portals in cafés, hotels and airports are exempted by Apple from encrypted DNS rules to simplify authentication; this is expected behaviour
- DNS over TLS is easier for network operators to block than DNS over HTTPS, because it uses a dedicated port (853) that is easy to tell apart from regular HTTPS traffic
- Encrypted DNS over Tor could be better privacy-wise, but it is not offered here for now
- To add / edit a profile: edit the JSON files in the `src` directory.
- To verify resolver IPs / hostnames: compare the mobileconfig files to the providers' original websites (open the files in a text editor).
- Check out developer.apple.com for more docs.
- On demand activation: you can optionally exclude some trusted Wi-Fi networks where you don't want to use encrypted DNS. To do so, add your SSIDs in the `OnDemandRules` section inside the `PayloadContent` dictionary of a profile.
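The two steps above (excluding trusted SSIDs via `OnDemandRules`, and checking a profile's resolver endpoints against what the provider publishes) as an added example. This is not code from the encrypted-dns repo: it uses Python's standard `plistlib` to build an unsigned DoH profile and to read the DNS payloads back out. The provider name, DoH URL, IP addresses and payload identifiers are constructed placeholders (documentation-only address ranges), not a real resolver.

```python
"""Build a DoH .mobileconfig with OnDemandRules and check its resolver settings.

Added example, not part of the encrypted-dns repo. All provider values are
constructed placeholders (RFC 5737 / RFC 3849 documentation addresses).
"""
import plistlib
import uuid

# Constructed provider record; the repo's real profiles carry each provider's published values.
EXAMPLE_PROVIDER = {
    "name": "Example DoH Provider",                    # placeholder
    "doh_url": "https://doh.example.net/dns-query",    # placeholder
    "addresses": ["192.0.2.53", "2001:db8::53"],       # documentation-only IPs
}

DNS_PAYLOAD_TYPE = "com.apple.dnsSettings.managed"


def build_profile(provider, trusted_ssids=()):
    """Return unsigned .mobileconfig bytes (XML plist) with one DNS-over-HTTPS payload.

    Each SSID in trusted_ssids becomes a 'Disconnect' rule, so the encrypted resolver is
    not applied on that network; a final 'Connect' rule keeps it on everywhere else.
    """
    dns_payload = {
        "PayloadType": DNS_PAYLOAD_TYPE,
        "PayloadIdentifier": "net.example.dns.doh",      # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": provider["name"],
        "DNSSettings": {
            "DNSProtocol": "HTTPS",
            "ServerURL": provider["doh_url"],
            "ServerAddresses": list(provider["addresses"]),
        },
        "ProhibitDisablement": False,
    }
    if trusted_ssids:
        dns_payload["OnDemandRules"] = [
            {"Action": "Disconnect", "SSIDMatch": list(trusted_ssids)},
            {"Action": "Connect"},
        ]
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "net.example.dns.profile",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": provider["name"] + " (DoH)",
        "PayloadContent": [dns_payload],
    }
    return plistlib.dumps(profile)


def resolver_endpoints(mobileconfig):
    """List (protocol, endpoint, addresses) for each DNS payload of an *unsigned* profile.

    A signed profile is CMS-wrapped and will not parse as a plist; run this on the
    unsigned file or on the content extracted after signature verification.
    """
    profile = plistlib.loads(mobileconfig)
    found = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != DNS_PAYLOAD_TYPE:
            continue
        s = payload["DNSSettings"]
        # DoH identifies the resolver by URL, DoT by the TLS server name.
        endpoint = s.get("ServerURL") if s["DNSProtocol"] == "HTTPS" else s.get("ServerName")
        found.append((s["DNSProtocol"], endpoint, list(s.get("ServerAddresses", []))))
    return found


def on_demand_ssids(mobileconfig):
    """SSIDs on which the profile's DNS payloads are told to disconnect (excluded networks)."""
    profile = plistlib.loads(mobileconfig)
    ssids = []
    for payload in profile.get("PayloadContent", []):
        for rule in payload.get("OnDemandRules", []):
            if rule.get("Action") == "Disconnect":
                ssids.extend(rule.get("SSIDMatch", []))
    return ssids


def matches_published(mobileconfig, provider):
    """True only if every DNS payload points exactly at the provider's published endpoint/IPs."""
    expected = ("HTTPS", provider["doh_url"], list(provider["addresses"]))
    endpoints = resolver_endpoints(mobileconfig)
    return bool(endpoints) and all(e == expected for e in endpoints)


if __name__ == "__main__":
    blob = build_profile(EXAMPLE_PROVIDER, trusted_ssids=("HomeNet",))
    print(blob.decode())
    print(resolver_endpoints(blob), on_demand_ssids(blob), matches_published(blob, EXAMPLE_PROVIDER))
```

`matches_published` is deliberately strict: a profile that silently adds a second resolver payload, or swaps one address, fails the check, which is the kind of substitution the "compare to the original website" step is meant to catch.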
- `npm run build` - re-build profiles, signed profiles, READMEs
- `npm run sign` - re-sign all profiles (updates the `signature` field) using an ECC SSL certificate.
  - Signing is done using key-producer
  - Let's Encrypt free certificates are OK, but expire in 45 days.
  - Expects the following files to be present in the `certs` subdirectory: `privkey.pem`: the private key for your certificate; `fullchain.pem`: the certificate file used in most server software; `chain.pem`: used for OCSP stapling in Nginx >=1.3.7; `cert.pem`
- `npm run new` - interactively creates a new profile from CLI options. Can also be run with flags. `scripts/new.test.ts` includes CLI snapshot tests and a PTY interactive flow test.
  - The PTY test runs by default; set `NEW_TEST_PTY=0` to opt out.
- `src/scripts/sign-single.ts --ca cert.pem --priv_key key.pem [--chain chain.pem] path.mobileconfig` - signs a single mobileconfig
- `src/scripts/sign-single-openssl.ts --ca cert.pem --priv_key key.pem [--chain chain.pem] path.mobileconfig` - signs one `.mobileconfig` using OpenSSL.
  - Uses `-nosmimecap` to match local CMS signing policy.
  - Uses
- `src/scripts/detach.ts signed.mobileconfig` - detaches the CMS signature from a signed profile and prints PEM to stdout.
- `npm run test` - parity check for `sign-single.ts` vs `sign-single-openssl.sh`.
  - Generates temporary test root/signer certificates and keys via OpenSSL.
  - Signs the same profile with `scripts/sign.ts` and `scripts/sign_openssl.sh`.
  - Verifies detached content and embedded certificate set parity.
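The signing pipeline described above as an added example, not the repo's own `sign-single-openssl.ts` or `detach.ts`. The Python below shells out to the `openssl` binary (assumed to be on `PATH`) to CMS-sign a profile the way Apple expects (DER, content embedded, `-binary`, and `-nosmimecap` as the page notes), verifies the signature, re-encodes the CMS blob as PEM for inspection, and then shows that changing one byte of the embedded plist makes verification fail. The certificate subject, file names and sample profile are constructed; the throwaway self-signed ECC certificate is only for the round-trip, so a device would not trust it: real distribution needs a certificate chaining to a CA the device trusts.

```python
"""Sign a .mobileconfig with OpenSSL CMS, verify it, and detect tampering.

Added example, not the encrypted-dns repo's code. Requires the `openssl` binary on PATH
(assumption); uses a throwaway self-signed P-256 certificate as signer and trust anchor.
"""
import shutil
import subprocess
import tempfile
from pathlib import Path

# Constructed minimal profile; any plist bytes work for the round-trip.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>PayloadType</key><string>Configuration</string>
<key>PayloadIdentifier</key><string>net.example.dns.sample</string>
<key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000001</string>
<key>PayloadVersion</key><integer>1</integer>
<key>PayloadContent</key><array/>
</dict></plist>
"""


def _openssl(args, cwd, check=True):
    return subprocess.run(["openssl", *args], cwd=cwd, check=check, capture_output=True)


def make_test_signer(workdir):
    """Throwaway P-256 key and self-signed cert (key.pem, cert.pem), as a parity test would make."""
    _openssl(["ecparam", "-genkey", "-name", "prime256v1", "-noout", "-out", "key.pem"], workdir)
    _openssl(["req", "-x509", "-new", "-key", "key.pem", "-out", "cert.pem", "-days", "1",
              "-subj", "/CN=Example Profile Signer"], workdir)   # constructed subject


def sign_profile(workdir, unsigned, signed):
    """CMS SignedData in DER with the content embedded (-nodetach), as Apple expects.
    -binary keeps the plist bytes untouched; -nosmimecap drops the SMIMECapabilities attribute."""
    _openssl(["smime", "-sign", "-binary", "-nodetach", "-nosmimecap", "-signer", "cert.pem",
              "-inkey", "key.pem", "-outform", "DER", "-in", unsigned, "-out", signed], workdir)


def verify_profile(workdir, signed, extracted):
    """Return the embedded plist bytes if the signature chains to cert.pem, else None."""
    r = _openssl(["smime", "-verify", "-inform", "DER", "-CAfile", "cert.pem",
                  "-in", signed, "-out", extracted], workdir, check=False)
    return (workdir / extracted).read_bytes() if r.returncode == 0 else None


def cms_as_pem(workdir, signed):
    """Re-encode the DER CMS blob as PEM so it can be inspected with `openssl pkcs7`."""
    return _openssl(["smime", "-pk7out", "-inform", "DER", "-in", signed], workdir).stdout.decode()


def sign_verify_roundtrip():
    """Sign, verify, then change one identifier inside the embedded content (same length, so
    the DER framing stays valid) and confirm verification fails. None if openssl is missing."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as d:
        wd = Path(d)
        (wd / "profile.mobileconfig").write_bytes(SAMPLE_PROFILE)
        make_test_signer(wd)
        sign_profile(wd, "profile.mobileconfig", "signed.mobileconfig")
        recovered = verify_profile(wd, "signed.mobileconfig", "extracted.mobileconfig")
        pem = cms_as_pem(wd, "signed.mobileconfig")
        blob = (wd / "signed.mobileconfig").read_bytes()
        # Same-length substitution: only the signed digest no longer matches.
        (wd / "tampered.mobileconfig").write_bytes(
            blob.replace(b"net.example.dns.sample", b"net.example.dns.sampl3", 1))
        tampered = verify_profile(wd, "tampered.mobileconfig", "tampered-out.mobileconfig")
        return {
            "content_matches": recovered == SAMPLE_PROFILE,
            "tamper_rejected": tampered is None,
            "pem": pem,
        }


if __name__ == "__main__":
    print(sign_verify_roundtrip())
```

The verify step is what a reviewer of a downloaded signed profile wants: `openssl smime -verify -inform DER` both checks the chain and writes out the exact plist that was signed, which is the file to compare against the provider's published resolver values.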