Configuration profiles for DNS over HTTPS and DNS over TLS.
Check out the article for more info: paulmillr.com/posts/encrypted-dns/ and info about contributing a new profile.
Censorship=yes means the profile will not send true information about hostname=IP relation for some hosts.
All profiles include a Wi-Fi-only exception for http://captive.apple.com/hotspot-detect.html in order for hotel/cafe networks to work properly.
| Name | Country | Censorship | Notes | Install button |
|---|---|---|---|---|
| AdGuard Default | 🇷🇺 | Yes | Operated by AdGuard (Filters ads, tracking & phishing) | HTTPS, TLS |
| AdGuard Family | 🇷🇺 | Yes | Operated by AdGuard (Filters Default + malware & adult content) | HTTPS, TLS |
| AdGuard No Filter | 🇷🇺 | No | Operated by AdGuard (Non-filtering) | HTTPS, TLS |
| AliDNS | 🇨🇳 | Yes | Operated by Alibaba in China | HTTPS, TLS |
| Alekberg | 🇳🇱 | No | Independent hoster in Netherlands | HTTPS |
| BlahDNS CDN Filtered | 🇺🇸 | Yes | Independent | HTTPS |
| BlahDNS CDN Unfiltered | 🇺🇸 | No | Independent | HTTPS |
| BlahDNS Finland Adsblock | 🇫🇮 | Yes | Independent | HTTPS |
| BlahDNS Germany Adsblock | 🇩🇪 | Yes | Independent | HTTPS |
| BlahDNS Japan Adsblock | 🇯🇵 | Yes | Independent | HTTPS |
| BlahDNS Singapore Adsblock | 🇸🇬 | Yes | Independent | HTTPS |
| BlahDNS Swiss Adsblock | 🇨🇭 | Yes | Independent | TLS |
| Canadian Shield Private | 🇨🇦 | No | Operated by the Canadian Internet Registration Authority (CIRA) | HTTPS, TLS |
| Canadian Shield Protected | 🇨🇦 | Yes | Filters malware | HTTPS, TLS |
| Canadian Shield Family | 🇨🇦 | Yes | Filters malware & adult content | HTTPS, TLS |
| Cloudflare | 🇺🇸 | No | Operated by Cloudflare 1.1.1.1 | HTTPS, TLS |
| Cloudflare Malware | 🇺🇸 | Yes | Filters malware | HTTPS |
| Cloudflare Family | 🇺🇸 | Yes | Filters malware & adult content | HTTPS |
| DNSPod | 🇨🇳 | Yes | Operated by DNSPod (Tencent) in China | HTTPS, TLS |
| 🇺🇸 | No | Operated by Google | HTTPS, TLS | |
| OpenDNS | 🇺🇸 | No | Operated by OpenDNS | HTTPS |
| OpenDNS Family | 🇺🇸 | Yes | Filters malware & adult content | HTTPS |
| Quad9 | 🇨🇭 | Yes | Operated by CleanerDNS, Inc. Filters malware | HTTPS, TLS |
| Quad9 With ECS | 🇨🇭 | Yes | Operated by CleanerDNS, Inc. Filters malware | HTTPS, TLS |
| Tiar.app | 🇸🇬 🇺🇸 | Yes | "Privacy-first DNS provider" from SG, hosted on Digital Ocean. Filters malware | HTTPS, TLS |
To make settings work across all apps in iOS 14 and newer & MacOS Big Sur and newer, you’ll need to install configuration profile. This profile would tell operating system to use DOH / DOT. Note: it’s not enough to simply set server IPs in System Preferences — you need to install a profile.
To install, simply open the file in GitHub, and then click/tap on install button. The profile should download. On macOS, double click on the downloaded file to open it in settings, and approve instalation. On iOS, go to System Settings => General => Profile, select downloaded profile and tap the “Install” button.
In the signed folder, we have slightly outdated signed versions of the profiles in this repository. These profiles have been signed by @Candygoblen123 so that when you install the profiles, they will have a verified check box on the installation screen. It also ensures that these profiles have not been tampered with. However, since they were signed by a third party, they may lag behind their unsigned counterparts a little.
To verify resolver IPs and hostnames, compare mobileconfig files to their documentation URLs. Internal workings of the profiles are described on developer.apple.com. In order to verify signed mobileconfigs, you will need to download them to your computer and open them in a text editor, because signing profiles makes GitHub think that they are binary files.
Profiles are basically text files. Copy an existing one and change its UUID, for example, by generating a new one online. Make sure you update README with new profile's info.
We can't fix the issues, only Apple can: