DNS over TLS (DoT) on macOS with stubby and dnsforge
This is a step-by-step guide on how to set up DNS over TLS (DoT) on macOS with stubby, so that the queries your Mac sends to its resolver are encrypted and the resolver is authenticated.
1. Install Stubby
Install stubby on your Mac with Homebrew:
brew install stubby
2. Configure stubby
Write the following config to /opt/homebrew/etc/stubby/stubby.yml (/opt/homebrew is the Homebrew prefix on Apple Silicon; on Intel Macs it is /usr/local, so check brew --prefix if unsure). This config uses dnsforge as the encrypted DNS resolver, though you may use any encrypted DNS resolver of your choice. The settings that matter for security are dns_transport_list containing only GETDNS_TRANSPORT_TLS (no fallback to plaintext UDP or TCP), tls_authentication: GETDNS_AUTHENTICATION_REQUIRED (an upstream whose certificate does not validate against tls_auth_name and tls_pubkey_pinset is not used at all, so a failed check means no resolution rather than an unauthenticated one), and tls_min_version: GETDNS_TLS1_3. The pin values must match the key dnsforge currently serves; if you switch resolvers you need the new resolver's pin, not just its address.
################################################################################
######################## STUBBY YAML CONFIG FILE ###############################
################################################################################
log_level: GETDNS_LOG_NOTICE
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1
round_robin_upstreams: 1
idle_timeout: 10000
tls_connection_retries: 3
tls_backoff_time: 300
timeout: 5000
tls_min_version: GETDNS_TLS1_3
listen_addresses:
  - 127.0.0.1
  - 0::1
upstream_recursive_servers:
  ## dnsforge.de - IPv4
  - address_data: 49.12.67.122
    tls_port: 853
    tls_auth_name: "dnsforge.de"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw=
  - address_data: 91.99.154.175
    tls_port: 853
    tls_auth_name: "dnsforge.de"
    tls_pubkey_pinset:
      - digest: "sha256"
        value: m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw=
3. Run stubby as a service
To make sure stubby starts at boot (as a system launch daemon rather than a per-user agent), run it as a service:
sudo brew services start stubby
4. Change default DNS Server
Open System Settings -> Network -> Wi-Fi, click Details for your Wi-Fi network, and open the DNS tab.
Remove any IPs or hostnames already listed, and add two entries: 127.0.0.1 and ::1.
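Before relying on the setup, it is worth confirming that the pin in stubby.yml is what dnsforge actually presents (pins go stale when an operator rotates keys, and with GETDNS_AUTHENTICATION_REQUIRED a stale pin means resolution stops rather than silently falling back) and that stubby answers on loopback. The script below is an added example, not part of stubby or dnsforge; it takes the addresses and pin from the config above and assumes openssl, awk and dig are on the path.

```shell
#!/bin/sh
# Added example: verify the SPKI pins in stubby.yml against what the upstream
# presents on port 853, then confirm stubby answers on loopback.
# Assumes openssl, awk and dig are installed; not part of stubby or dnsforge.
set -eu

# Values taken from the stubby.yml above.
EXPECTED_PIN="m51QwAhzNDSa3G7c1Y6eOEsskzp6ySzeOqy0LKcptDw="
AUTH_NAME="dnsforge.de"
UPSTREAMS="49.12.67.122 91.99.154.175"

# SPKI pin in the form stubby expects: base64(sha256(DER SubjectPublicKeyInfo)).
spki_pin_from_pem() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform der \
    | openssl dgst -sha256 -binary \
    | base64
}

# Read a PEM chain on stdin and print one pin per certificate, in order.
pins_from_chain() {
  tmp=$(mktemp -d)
  awk -v d="$tmp" '/BEGIN CERT/{n++} n{print > (d "/c" n ".pem")} /END CERT/{close(d "/c" n ".pem")}'
  for c in "$tmp"/c*.pem; do [ -f "$c" ] && spki_pin_from_pem "$c"; done
  rm -rf "$tmp"
}

# Pins of the chain an upstream presents, with SNI set to tls_auth_name.
chain_pins() {
  openssl s_client -connect "$1:853" -servername "$AUTH_NAME" -showcerts \
    </dev/null 2>/dev/null | pins_from_chain
}

# Returns 0 if some certificate in the chain carries the expected pin, 1 otherwise.
pin_matches() {
  chain_pins "$1" | grep -qxF "$EXPECTED_PIN"
}

# Network checks only run when invoked as: sh check_dot.sh check
case "${1:-}" in
  check)
    for ip in $UPSTREAMS; do
      if pin_matches "$ip"; then echo "$ip: pin OK"
      else echo "$ip: PIN MISMATCH, stubby will refuse this upstream"; fi
    done
    # With AUTHENTICATION_REQUIRED stubby fails closed, so an answer here means
    # the upstream was reached over TLS and passed authentication.
    dig @127.0.0.1 example.com A +short | grep -q . \
      && echo "stubby resolves on 127.0.0.1" || echo "no answer from stubby on 127.0.0.1"
    ;;
esac
```

A mismatch on both upstreams after the config has worked before usually means dnsforge rotated its key; recompute the pin with chain_pins and update tls_pubkey_pinset rather than relaxing tls_authentication.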
And you're all set!