Adventures in DNS over TLS for MacOS

Security and privacy are a journey; there is always something you can do to improve your current state. I have been meaning to check out DNS over TLS (DoT) and finally had a chance to this weekend.

First thing I did was check out https://www.privacytools.io/providers/dns/[1] for their recommendations. Under the recommendations for desktops I saw two new options since I had last looked into this, many months (or years) ago. I had tried dnscrypt-proxy before, and it worked OK at the time, but it does not use the current DoT method. The new options I found were Unbound and Stubby, so I decided to try those.

1: https://www.privacytools.io/providers/dns/

Unbound

After reading a bit about Unbound on the website[3] and a few other sites turned up by searching DDG, I learned that the best way to install it is with the DNSSEC-Trigger[4] package, which bundles DNSSEC functionality with Unbound. It installs easily on MacOS, but unbound is not enabled by default. I spent about an hour reading various manuals and tutorials and got unbound working as a forwarder, but it still wasn't set up to use TLS. Plus, most of the tutorials I found were for Linux or described how to set up unbound as a server providing service for your entire network, whereas I just wanted the service locally. Here are a couple of the helpful sites I found:

3: https://nlnetlabs.nl/projects/unbound/about/
4: https://nlnetlabs.nl/projects/dnssec-trigger/about/
5: https://sizeof.cat/post/unbound-on-macos/
7: https://www.redhat.com/sysadmin/forwarding-dns-2

So I decided to look into the second option and see if it was any easier.

Stubby

You can read all about Stubby on their website[9]. For MacOS there is a daemon called stubby and an optional GUI manager application. The install is very easy if you already have Homebrew installed. Just run:

brew update
brew install stubby

9: https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby

Then follow the instructions at https://dnsprivacy.org/wiki/display/DP/Stubby+GUI+for+macOS[10] to download and install the GUI. Setup is simple with the GUI, and I was running a DoT-enabled DNS daemon about 10 minutes after landing on the Stubby website.

10: https://dnsprivacy.org/wiki/display/DP/Stubby+GUI+for+macOS
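Whether the GUI writes it or you edit it by hand (Homebrew keeps it under its etc/stubby/ directory), the stubby.yml settings below are the ones that decide whether DoT actually protects you. This is an added example, not the page's or the Stubby project's own file; the resolver address and authentication name are placeholders.

```yaml
# stubby.yml (constructed example, not the project's shipped default).
# 203.0.113.53 (RFC 5737 documentation range) and dot.example.net are
# placeholders; substitute the values published by the DoT provider you choose.

resolution_type: GETDNS_RESOLUTION_STUB

# Hardened: TLS is the only transport, so a blocked port 853 fails closed
# instead of silently falling back to cleartext UDP/TCP on port 53.
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
# Weak (opportunistic) alternative that downgrades to plaintext when TLS fails:
# dns_transport_list:
#   - GETDNS_TRANSPORT_TLS
#   - GETDNS_TRANSPORT_UDP
#   - GETDNS_TRANSPORT_TCP

# Hardened: the upstream must present a certificate valid for its tls_auth_name.
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
# Weak: TLS is used but the server certificate is never verified, so an
# on-path party with any certificate could answer as the resolver.
# tls_authentication: GETDNS_AUTHENTICATION_NONE

# Pad queries to a fixed block size so their length reveals less about the name.
tls_query_padding_blocksize: 128
# Do not forward EDNS client subnet information to the upstream.
edns_client_subnet_private: 1

round_robin_upstreams: 1
idle_timeout: 10000

# Listen only on loopback: this is a per-machine stub, not a network resolver.
listen_addresses:
  - 127.0.0.1
  - 0::1

upstream_recursive_servers:
  - address_data: 203.0.113.53          # placeholder, see header comment
    tls_auth_name: "dot.example.net"    # placeholder; needed for REQUIRED mode
    # Optional SPKI pin as a second check alongside the auth name:
    # tls_pubkey_pinset:
    #   - digest: "sha256"
    #     value: <base64 SPKI hash published by the provider>
```

With REQUIRED mode and TLS as the only transport, a failed handshake shows up as a resolution failure rather than a silent downgrade, which a leak-test website alone would not reveal.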

To validate your DNS setup you can use websites such as https://www.dnsleaktest.com[12].

12: https://www.dnsleaktest.com

tags: stubby, unbound, DoT, DNS, TLS, privacy, security
timestamp: 2020-09-20 11:10:10