# Adventures in DNS over TLS for MacOS
Security and privacy are a journey; there is always something you can do to improve your current state. I have been meaning to check out DNS over TLS (DoT) and finally had a chance to this weekend.
The first thing I did was check out https://www.privacytools.io/providers/dns/[1] for their recommendations. Under the recommendations for desktops I saw two options that were new since I had last looked into this many months (or years) ago. I had tried dnscrypt-proxy before and it did work OK at the time, but it is not using the current DoT method. The new options I found were Unbound and Stubby, so I decided to try those.
=> https://www.privacytools.io/providers/dns/ 1: https://www.privacytools.io/providers/dns/
## Unbound
After reading a bit about Unbound on its website[3] and a few other sites turned up by searching DDG, I learned that the best way to install it is the DNSSEC-Trigger[4] package, which bundles Unbound together with DNSSEC functionality. This installs easily on macOS, but unbound is not enabled by default. I spent about an hour reading various manuals and tutorials and got unbound working as a forwarder, but it still wasn't set up to use TLS. Most of the tutorials I found were for Linux, or described how to set up unbound as a server for an entire network, whereas I just wanted the service locally. Here are a couple of the helpful sites I found:
=> https://nlnetlabs.nl/projects/unbound/about/ 3: https://nlnetlabs.nl/projects/unbound/about/
=> https://nlnetlabs.nl/projects/dnssec-trigger/about/ 4: https://nlnetlabs.nl/projects/dnssec-trigger/about/
* https://sizeof.cat/post/unbound-on-macos/[5]
=> https://sizeof.cat/post/unbound-on-macos/ 5: https://sizeof.cat/post/unbound-on-macos/
* https://www.redhat.com/sysadmin/forwarding-dns-2[7]
=> https://www.redhat.com/sysadmin/forwarding-dns-2 7: https://www.redhat.com/sysadmin/forwarding-dns-2
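For anyone who gets as far as a working forwarder and stalls at the TLS step, the configuration below is the missing piece: a local-only unbound.conf that sends every query to a DoT upstream and authenticates the upstream's certificate. This is an added example, not taken from the sites linked above or from the Unbound project; the file locations and certificate bundle path assume a Homebrew install on Intel macOS, and the upstream resolvers are illustrative.

```conf
# Assumed location: /usr/local/etc/unbound/unbound.conf (Homebrew); adjust for
# a DNSSEC-Trigger install.
server:
    # Listen on loopback only; this is a stub for one machine, not a network resolver.
    interface: 127.0.0.1
    interface: ::1
    port: 53
    access-control: 127.0.0.0/8 allow
    access-control: ::1 allow
    access-control: 0.0.0.0/0 refuse
    hide-identity: yes
    hide-version: yes
    qname-minimisation: yes
    # CA bundle used to verify the upstream's certificate. Path is an assumption
    # (Homebrew's openssl keg); without a bundle TLS upstreams fail verification.
    tls-cert-bundle: /usr/local/etc/openssl@1.1/cert.pem
    # DNSSEC validation; the file is created and maintained by unbound-anchor.
    auto-trust-anchor-file: /usr/local/etc/unbound/root.key

# The weak form: a plain forwarder. Queries leave the machine in cleartext on
# port 53 and anyone on the path can read or rewrite them. Kept commented out.
# forward-zone:
#     name: "."
#     forward-addr: 1.1.1.1
#     forward-addr: 9.9.9.9

# The DoT form: each upstream is contacted on port 853 and its certificate must
# validate for the name after '#', otherwise unbound refuses the connection.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
```

Run `unbound-checkconf` on the file before starting the daemon; it catches option typos and a missing certificate bundle. Then point the system resolver at 127.0.0.1 and query it with `dig @127.0.0.1 example.com`; if the auth name does not match the upstream's certificate, the query times out rather than falling back to cleartext.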
So I decided to look into the second option and see if it was any easier.
## Stubby
You can read all about Stubby on its website[9]. For macOS there is a daemon called stubby and also an optional GUI manager application. The install is very easy if you already have Homebrew installed. Just run:
=> https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby 9: https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Daemon+-+Stubby
```
brew update
brew install stubby
```
Then follow the instructions at https://dnsprivacy.org/wiki/display/DP/Stubby+GUI+for+macOS[10] to download and install the GUI. Setup is simple with the GUI, and I was running a DoT-enabled DNS daemon about 10 minutes after landing on the Stubby website.
=> https://dnsprivacy.org/wiki/display/DP/Stubby+GUI+for+macOS 10: https://dnsprivacy.org/wiki/display/DP/Stubby+GUI+for+macOS
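The GUI writes a stubby.yml behind the scenes. For anyone who wants to see what it is enabling, or prefers to skip the GUI, here is an equivalent hand-written configuration. It is an added example, not the Stubby project's shipped file; the path assumes a Homebrew install and the upstreams are illustrative. The line that matters for security is tls_authentication: Stubby's strict mode refuses an upstream whose certificate does not validate for tls_auth_name, instead of talking to it unauthenticated.

```yaml
# Assumed location: /usr/local/etc/stubby/stubby.yml (Homebrew)
resolution_type: GETDNS_RESOLUTION_STUB
# Only TLS is listed, so there is no UDP/TCP transport to fall back to.
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
# Strict privacy: certificate chain and name must verify against tls_auth_name.
# The opportunistic setting below would accept any certificate; do not use it.
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
# tls_authentication: GETDNS_AUTHENTICATION_NONE
# Pad queries so their length leaks less about the name being looked up.
tls_query_padding_blocksize: 128
# Do not send EDNS Client Subnet data to the upstream.
edns_client_subnet_private: 1
round_robin_upstreams: 1
idle_timeout: 10000
# Loopback only; the daemon serves this machine, not the LAN.
listen_addresses:
  - 127.0.0.1
  - 0::1
upstream_recursive_servers:
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 9.9.9.9
    tls_auth_name: "dns.quad9.net"
  - address_data: 149.112.112.112
    tls_auth_name: "dns.quad9.net"
```

The daemon binds port 53 on loopback, so it needs to run as root (or via the launchd service Homebrew installs). The system resolver still has to be pointed at it, for example with `networksetup -setdnsservers Wi-Fi 127.0.0.1 ::1`, which is what the GUI does for you.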
To validate your DNS setup you can use websites such as https://www.dnsleaktest.com[12].
=> https://www.dnsleaktest.com 12: https://www.dnsleaktest.com
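A leak-test site only shows which resolver answered your query, not whether the hop from your machine to that resolver was encrypted and authenticated. The probe below, added here and not code from the page or from either project, speaks RFC 7858 directly: it builds a wire-format query, adds the two-byte length prefix DoT shares with DNS over TCP, opens a TLS session that is verified against the upstream's expected name, and parses the answer. The query and response parsing run offline; only dot_query needs the network, and its server address and auth name are illustrative.

```python
"""Minimal DNS-over-TLS (RFC 7858) probe, for checking that an upstream
answers on port 853 behind a certificate that validates for its name."""
import socket
import ssl
import struct


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a recursive query for qname (A record by default, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = b""
    for part in qname.rstrip(".").split("."):
        if not 1 <= len(part) <= 63:
            raise ValueError("bad label length in %r" % qname)
        labels += bytes([len(part)]) + part.encode("ascii")
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def frame(msg: bytes) -> bytes:
    """RFC 7858 section 3.3: each message carries a 16-bit big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def _read_name(buf: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    parts, end, hops = [], None, 0
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:  # compression pointer into the message
            hops += 1
            if hops > 16:  # refuse pointer loops in a hostile response
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        parts.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(parts), (end if end is not None else off)


def parse_response(msg: bytes, txid: int = 0x1234):
    """Return (rcode, list of A-record addresses); rejects a mismatched ID."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the connection early")
        buf += chunk
    return buf


def dot_query(server_ip: str, auth_name: str, qname: str, port: int = 853):
    """Resolve qname over TLS. The session is authenticated against auth_name
    (SNI plus chain and hostname verification), which is what Stubby calls
    GETDNS_AUTHENTICATION_REQUIRED; an opportunistic client would skip it."""
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((server_ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(frame(build_query(qname)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_response(_recv_exact(tls, length))


if __name__ == "__main__":
    # Needs network access; the upstream is an illustrative public DoT resolver.
    print(dot_query("1.1.1.1", "cloudflare-dns.com", "example.com"))
```

Pointing dot_query at an upstream with the wrong auth name makes the TLS handshake fail with a certificate verification error, which is exactly the behaviour strict mode in Stubby or unbound's `#authname` relies on. To confirm the daemon you just installed is actually using port 853, run the probe against the upstream while watching `sudo tcpdump -n port 853 or port 53` and check that only 853 traffic leaves the box.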
### Related posts:
=> /gemlog/tags/stubby Posts with tag 'stubby'
=> /gemlog/tags/unbound Posts with tag 'unbound'
=> /gemlog/tags/dot Posts with tag 'dot'
=> /gemlog/tags/dns Posts with tag 'dns'
=> /gemlog/tags/tls Posts with tag 'tls'
=> /gemlog/tags/privacy Posts with tag 'privacy'
=> /gemlog/tags/security Posts with tag 'security'
``` Post metadata
tags: stubby, unbound, DoT, DNS, TLS, privacy, security
timestamp: 2020-09-20 11:10:10
```