Diffstat (limited to 'stuff')
-rw-r--r-- stuff/dnsforge-dot-mac.html 197
-rw-r--r-- stuff/index.html 6
2 files changed, 202 insertions, 1 deletions
diff --git a/stuff/dnsforge-dot-mac.html b/stuff/dnsforge-dot-mac.html
new file mode 100644
index 0000000..1fd9777
--- /dev/null
+++ b/stuff/dnsforge-dot-mac.html
@@ -0,0 +1,197 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+ <meta charset="UTF-8">
+ <meta name="viewport" content="width=device-width, initial-scale=1.0">
+ <title>subh.space</title>
+ <style>
+ :root {
+ --bg0: #282828;
+ --bg1: #3c3836;
+ --fg: #ebdbb2;
+ --gray: #928374;
+ --yellow: #fabd2f;
+ --green: #b8bb26;
+ --orange: #fe8019;
+ --aqua: #8ec07c;
+ }
+
+ body {
+ font-family: 'Iosevka Nerd Font Propo', Iosevka;
+ line-height: 1.7;
+ color: var(--fg);
+ background-color: var(--bg0);
+ max-width: 780px;
+ margin: 40px auto;
+ padding: 0 20px;
+ -webkit-font-smoothing: antialiased;
+ }
+
+ h1 {
+ font-size: 2.2em;
+ color: var(--yellow);
+ border-bottom: 2px solid var(--bg1);
+ padding-bottom: 15px;
+ margin-bottom: 30px;
+ }
+
+ h2 {
+ font-size: 1.5em;
+ color: var(--aqua);
+ margin-top: 35px;
+ margin-bottom: 15px;
+ font-weight: 600;
+ }
+
+ p { margin-bottom: 1.2em; }
+
+ code {
+ font-family: 'Fira Code', 'JetBrains Mono', 'Courier New', monospace;
+ background-color: var(--bg1);
+ color: var(--orange);
+ padding: 3px 6px;
+ border-radius: 4px;
+ font-size: 0.9em;
+ }
+
+ pre {
+ background-color: #1d2021;
+ padding: 20px;
+ border-radius: 8px;
+ overflow-x: auto;
+ border: 1px solid var(--bg1);
+ margin-bottom: 1.5em;
+ }
+
+ pre code {
+ background-color: transparent;
+ padding: 0;
+ color: var(--fg);
+ color-scheme: dark;
+ }
+
+ .language-toml { color: var(--fg); }
+ .toml-key { color: var(--green); }
+
+ ol, ul { margin-bottom: 1.5em; padding-left: 25px; }
+ li { margin-bottom: 0.8em; }
+ li pre { margin-top: 10px; margin-bottom: 10px; }
+
+ </style>
+</head>
+<body>
+
+<h1>DNS over TLS (DoT) on mac with stubby and dnsforge</h1>
+
+<p>This is a step-by-step guide on how to setup DNS over TLS (DoT) on mac with stubby</p>
+
+<h2>1. Install Stubby</h2>
+<p>Install stubby on your mac with homebrew</p>
+<pre><code class="language-shell">brew install stubby
+</code></pre>
+
+<h2>2. Configure stubby</h2>
+<p>write the following config to <code>/opt/homebrew/etc/stubby/stubby.yml</code></p>
+<p>This config uses dnsforge as the encrypted DNS resolver, though you may use any encrypted DNS resolver of your choice.</p>
+<pre><code class="language-yml">
+################################################################################
+######################## STUBBY YAML CONFIG FILE ###############################
+################################################################################
+
+################################### LOGGING ####################################
+log_level: GETDNS_LOG_NOTICE
+
+########################## BASIC & PRIVACY SETTINGS ############################
+resolution_type: GETDNS_RESOLUTION_STUB
+
+dns_transport_list:
+ - GETDNS_TRANSPORT_TLS
+
+# Strict mode - TLS auth REQUIRED, no plaintext fallback
+tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
+
+# Pad queries to 128 bytes to prevent size-based traffic analysis
+tls_query_padding_blocksize: 128
+
+# Hide client subnet from upstream resolvers
+edns_client_subnet_private: 1
+
+############################# CONNECTION SETTINGS ##############################
+# Distribute queries across all upstreams
+round_robin_upstreams: 1
+
+# Keep TLS connections alive for 10s to reduce handshake overhead
+idle_timeout: 10000
+
+# Retry/backoff settings
+tls_connection_retries: 3
+tls_backoff_time: 300
+
+# Per-query timeout (ms)
+timeout: 5000
+
+# Force TLS 1.3 minimum
+tls_min_version: GETDNS_TLS1_3
+
+################################ LISTEN ADDRESS ################################
+# Stubby listens locally on port 53
+# Point your system DNS to 127.0.0.1
+listen_addresses:
+ - 127.0.0.1
+ - 0::1
+
+############################### DNSSEC SETTINGS ################################
+# dnsforge.de performs DNSSEC validation upstream (ad flag confirmed)
+# Uncomment below to enforce DNSSEC locally as well
+# dnssec: GETDNS_EXTENSION_TRUE
+
+################################## UPSTREAMS #################################
+# dnsforge.de - no-log, DNSSEC-validating, ad-free resolver (DE)
+# PIN verified via: kdig -d @<ip> +tls-ca +tls-host=dnsforge.de example.com
+###############################################################################
+
+upstream_recursive_servers:
+
+ ## dnsforge.de - IPv4 primary
+ - address_data: 49.12.67.122
+ tls_port: 853
+ tls_auth_name: "dnsforge.de"
+ tls_pubkey_pinset:
+ - digest: "sha256"
+ value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw=
+
+ ## dnsforge.de - IPv4 secondary
+ - address_data: 91.99.154.175
+ tls_port: 853
+ tls_auth_name: "dnsforge.de"
+ tls_pubkey_pinset:
+ - digest: "sha256"
+ value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw=
+
+ ## dnsforge.de - IPv6 primary
+ - address_data: 2a01:4f8:c013:29d::122
+ tls_port: 853
+ tls_auth_name: "dnsforge.de"
+ tls_pubkey_pinset:
+ - digest: "sha256"
+ value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw=
+
+ ## dnsforge.de - IPv6 secondary
+ - address_data: 2a01:4f8:c013:29d::175
+ tls_port: 853
+ tls_auth_name: "dnsforge.de"
+ tls_pubkey_pinset:
+ - digest: "sha256"
+ value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw=
+</code></pre>
+
+<h2>3. Run stubby as a service</h2>
+<p>To make sure stubby runs on startup, run it as a service</p>
+<pre><code class="language-shell">sudo brew services start stubby
+</code></pre>
+
+<h2>4. Change default DNS Server</h2>
+<p>Navigate to <code>Settings</code> -> <code>Network</code> -> <code>Wi-Fi.</code> Click on <code>details</code> for your wifi and navigate to <code>DNS.</code> Remove any present IPs or hostnames, and add two IPs <code>127.0.0.1</code> and <code>::1</code></p>
+<p>And you're all set!</p>
+</body>
+</html>
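Review bot: the four `tls_pubkey_pinset` entries combined with `tls_authentication: GETDNS_AUTHENTICATION_REQUIRED` mean a routine key rotation at dnsforge.de will fail authentication on every upstream at once, and because step 4 tells the reader to remove all other DNS servers, the Mac is left with no name resolution at all rather than a degraded one. The guide should state that failure mode and show how to refresh the pin; the `kdig -d @<ip> +tls-ca +tls-host=dnsforge.de example.com` command lives only in a YAML comment, and the same pin is pasted four times, so a rotation means editing four places (a short note pointing at that command, and a check such as `dig @127.0.0.1 example.com` after step 3, would make the procedure verifiable). Smaller points in the same hunk: the `<code class="language-yml">` block opens with a newline, which renders as an empty first line inside the `<pre>`; the `.language-toml` / `.toml-key` rules are unused on this page (its blocks are `language-shell` and `language-yml`); the `body` font stack has no generic fallback after `Iosevka`; `setup` in the intro should be `set up`; and the `<title>` could name the page rather than just `subh.space`.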
diff --git a/stuff/index.html b/stuff/index.html
index dbe2e86..bb258f9 100644
--- a/stuff/index.html
+++ b/stuff/index.html
@@ -91,7 +91,7 @@
<nav>
<ul>
<li>
- <a href="mullvad-dot.html">DNS over TLS (DoT) with mullvad</a>
+ <a href="mullvad-dot.html">DNS over TLS (DoT) on linux with mullvad</a>
<span class="date">2026-04-14</span>
</li>
<li>
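Review bot: style point on the renamed link text: `linux` is a proper noun and should be `Linux`; the same applies to `mac` in the entry added further down in this file, which should read `macOS` (or `Mac`) so the two DoT entries use consistent platform naming.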
@@ -102,6 +102,10 @@
<a href="luks-encryption.html">Drive encryption with LUKS and cryptsetup</a>
<span class="date">2026-04-14</span>
</li>
+ <li>
+ <a href="dnsforge-dot-mac.html">DNS over TLS (DoT) on mac with dnsforge</a>
+ <span class="date">2026-04-14</span>
+ </li>
</ul>
</nav>
</main>
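Review bot: the new entry's text `DNS over TLS (DoT) on mac with dnsforge` does not match the page's own `<h1>` (`DNS over TLS (DoT) on mac with stubby and dnsforge`); stubby is the component the reader actually installs, so the link should name it too, and `mac` should be `macOS` to match platform naming. The date `2026-04-14` matches the neighbouring entries, fine.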