How to Enable Encrypted DNS on macOS
Protect your DNS queries from ISP monitoring and tampering by enabling encrypted DNS (DoH & DoT) on macOS. This guide walks you through each step with real settings and menu paths.
Why Enable Encrypted DNS on macOS?
By default, DNS queries are sent in plain text over UDP port 53. This means your ISP, network administrator, or anyone on your local network can see every domain you visit. Encrypted DNS solves this by wrapping your DNS queries in TLS or HTTPS encryption.
- DNS-over-HTTPS (DoH) sends DNS queries inside HTTPS on port 443 — the same port used for web traffic. This makes it very difficult to block or detect.
- DNS-over-TLS (DoT) sends DNS queries encrypted via TLS on port 853. It is a dedicated protocol that is easier for network admins to manage but may be blocked on some networks.
This guide shows you how to configure DoH & DoT on macOS.
Step-by-Step Setup Instructions
Follow these steps to enable encrypted DNS on macOS:
- Download a DNS profile: macOS uses configuration profiles to enable encrypted DNS. Download a .mobileconfig profile from your preferred provider: Cloudflare offers one at one.one.one.one, Quad9 at quad9.net, or you can create a custom profile using Apple Configurator 2.
- Install the profile: Double-click the downloaded .mobileconfig file. macOS will open System Settings > Privacy & Security > Profiles (on macOS Ventura or later) or System Preferences > Profiles (on older versions). Click Install.
- Approve the profile: macOS will prompt you to review the profile contents. Verify that it shows the correct DNS server addresses and encryption type (DoH or DoT). Enter your admin password and click Install to confirm.
- Verify the profile is active: Go to System Settings > Privacy & Security > Profiles. The DNS profile should appear as active. Alternatively, go to System Settings > Network > your connection > Details > DNS to see the encrypted DNS servers listed.
- Test encrypted DNS: Open Terminal and run: dig example.com. The SERVER line should show your configured DNS provider. Visit a DNS leak test site to confirm your ISP cannot see your DNS queries.
After configuring encrypted DNS, it is recommended to clear your DNS cache and test the configuration using a DNS leak test site.
Recommended Encrypted DNS Providers
These providers support encrypted DNS and are compatible with macOS:
| Provider | Primary IP | Secondary IP | DoH URL | DoT Hostname |
|---|---|---|---|---|
| Cloudflare | 1.1.1.1 | 1.0.0.1 | https://cloudflare-dns.com/dns-query | one.one.one.one |
| Google | 8.8.8.8 | 8.8.4.4 | https://dns.google/dns-query | dns.google |
| Quad9 | 9.9.9.9 | 149.112.112.112 | https://dns.quad9.net/dns-query | dns.quad9.net |
Verify Your Encrypted DNS Setup
After configuring encrypted DNS on macOS, run our DNS Privacy Check to verify your queries are encrypted and your ISP cannot see your DNS traffic.
Encrypted DNS Guides for Other Platforms
Set up encrypted DNS on all your devices for comprehensive protection:
- Windows 11 (DoH)
- Android (DoT)
- iPhone & iPad (DoH & DoT)
- Firefox (DoH)
- Chrome (DoH)
- Microsoft Edge (DoH)
- Linux (systemd-resolved) (DoT)
- Unbound (DoT)
- Router (DoH & DoT)
Frequently Asked Questions
Does macOS support encrypted DNS natively?
Yes. macOS 11 Big Sur and later support encrypted DNS (both DoH and DoT) via configuration profiles. Apple introduced the NEDNSSettingsManager API, which allows system-wide encrypted DNS without third-party apps.
How do I create a custom DNS profile for macOS?
Use Apple Configurator 2 (free on the Mac App Store) to create a .mobileconfig profile. Add a DNS Settings payload, select DNS over HTTPS or DNS over TLS, and enter your preferred server URLs. Export and install the profile.
Can I set encrypted DNS per network on macOS?
Configuration profiles apply system-wide to all networks by default. To limit encrypted DNS to specific networks, you need a third-party app or MDM solution. However, most users want encrypted DNS everywhere for consistent privacy protection.
Will a VPN override encrypted DNS settings on macOS?
Yes. Most VPN apps override DNS settings when connected, routing DNS queries through the VPN tunnel. When the VPN disconnects, macOS reverts to the profile-configured encrypted DNS servers. This is expected behavior.