My Problem

I am using Google 8.8.8.8 DNS, and would like to use its Secure transports for DNS feature to make sure nobody is messing with the communication channel between Google and my Mac.

What Have I Tried

  • Configuring the DNS from the network tab. Did not find any secure option there.

My Question

How do I configure macOS to use a secure (DNS-over-TLS or DNS-over-HTTPS (DoH)) connection?


The easiest system-wide option is to use the third party utility “dnscrypt-proxy”:

https://github.com/jedisct1/dnscrypt-proxy

Follow their macOS guide to download, install and configure the program. This will essentially set up your system so that System Preferences shows that your DNS server is 127.0.0.1 (localhost), which means that all programs using the system resolver send their DNS requests to the proxy program running on your computer. The proxy program then handles the communication with external DNS servers using encryption.

You can download “dnscrypt-proxy switcher” to be able to quickly switch on/off the proxy usage from the menu bar.

Another possibility is to use only programs that in themselves support DNS-over-TLS or DNS-over-HTTPS. Firefox and Google Chrome are examples. However, extra configuration is necessary.


In macOS Big Sur and later, the secure transports (DNS over HTTPS, and over TLS) are supported by the operating system.

Paul Miller has a blog post describing their usage, linking to his GitHub page of suggested configuration profiles. To install on macOS, go to your Profiles preference pane, and choose one of these profiles from there, as described by Apple on their support page.

Here, I quote Miller's profile for Google DoH:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>DNSSettings</key>
            <dict>
                <key>DNSProtocol</key>
                <string>HTTPS</string>
                <key>ServerAddresses</key>
                <array>
                    <string>2001:4860:4860::8888</string>
                    <string>2001:4860:4860::8844</string>
                    <string>8.8.8.8</string>
                    <string>8.8.4.4</string>
                </array>
                <key>ServerURL</key>
                <string>https://dns.google/dns-query</string>
            </dict>
            <key>PayloadDescription</key>
            <string>Configures device to use Google Encrypted DNS over TLS</string>
            <key>PayloadDisplayName</key>
            <string>Google DNS over HTTPS</string>
            <key>PayloadIdentifier</key>
            <string>com.apple.dnsSettings.managed.f0ffd552-7183-4f2e-86e5-ee1ecad2a53a</string>
            <key>PayloadType</key>
            <string>com.apple.dnsSettings.managed</string>
            <key>PayloadUUID</key>
            <string>556aa9a6-04bb-4144-9a1b-e1b20cda3b46</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>ProhibitDisablement</key>
            <false/>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Adds the Google DNS to Big Sur and iOS 14 based systems</string>
    <key>PayloadDisplayName</key>
    <string>Google Encrypted DNS over HTTPS</string>
    <key>PayloadIdentifier</key>
    <string>com.paulmillr.apple-dns</string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>B27E8E10-697D-4938-8745-7FFEEEED57A0</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>
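As an added example (not from either answer, nor from Miller's repository), the following Python script builds a profile of the same shape as the one quoted above with plistlib, for either DoH or DoT, and sanity-checks it before installation; the identifier and display name defaults are placeholders, and the rule it checks (ServerURL for HTTPS, ServerName for TLS) follows Apple's DNSSettings payload documentation:

```python
import plistlib
import uuid

# Added example, not from the answers above: builds a com.apple.dnsSettings.managed
# profile like Miller's and checks it. Apple requires ServerURL for HTTPS, ServerName for TLS.
def build_dns_profile(protocol, addresses, server_url=None, server_name=None,
                      display_name="Encrypted DNS", identifier="example.encrypted-dns"):
    """Return the configuration profile serialised as XML plist bytes."""
    settings = {"DNSProtocol": protocol, "ServerAddresses": list(addresses)}
    if protocol == "HTTPS":
        settings["ServerURL"] = server_url      # DoH endpoint, e.g. https://dns.google/dns-query
    elif protocol == "TLS":
        settings["ServerName"] = server_name    # DoT hostname used to verify the server certificate
    else:
        raise ValueError("DNSProtocol must be HTTPS or TLS")
    inner_uuid = str(uuid.uuid4()).upper()
    payload = {
        "DNSSettings": settings,
        "PayloadDisplayName": display_name,
        "PayloadIdentifier": f"com.apple.dnsSettings.managed.{inner_uuid}",
        "PayloadType": "com.apple.dnsSettings.managed",
        "PayloadUUID": inner_uuid,
        "PayloadVersion": 1,
        "ProhibitDisablement": False,   # the user may still toggle it off in System Settings
    }
    profile = {
        "PayloadContent": [payload],
        "PayloadDisplayName": display_name,
        "PayloadIdentifier": identifier,    # placeholder reverse-DNS id, pick your own
        "PayloadType": "Configuration",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
    }
    return plistlib.dumps(profile)

def dns_settings(data):
    # DNSSettings dict of the first payload in a serialised profile
    return plistlib.loads(data)["PayloadContent"][0]["DNSSettings"]

def check_dns_profile(data):
    """Return the problems found in a profile; an empty list means it looks sane."""
    problems, s = [], dns_settings(data)
    proto = s.get("DNSProtocol")
    if proto == "HTTPS" and not str(s.get("ServerURL", "")).startswith("https://"):
        problems.append("DoH profile needs an https:// ServerURL")
    elif proto == "TLS" and not s.get("ServerName"):
        problems.append("DoT profile needs a ServerName")
    elif proto not in ("HTTPS", "TLS"):
        problems.append(f"unknown DNSProtocol {proto!r}")
    return problems
```

Write the bytes returned by build_dns_profile to a .mobileconfig file and install it through the Profiles pane as described above.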