Little Snitch 6 Help

DNS Encryption

There has been an arms race in the field of privacy during the last decades. While users try to protect their privacy using encryption and tools like Little Snitch, government agencies and Big Tech companies try to squeeze out any bit of information they can get from the remaining data patterns.

It turned out that the list of internet sites you visit reveals enough information to infer your interests and beliefs. Governments are after this information to determine the potential risk you pose; Big Tech uses it to attract your attention.

Following the revelations by Edward Snowden, most Internet traffic switched to encrypted transfer via HTTPS. Free certificates from Let’s Encrypt allowed this to happen at large scale. What was long neglected, though, was the name lookup. Before a web page can be requested, even when it is encrypted, the server name must be resolved to an IP address via DNS. This name resolution has remained almost unchanged since the beginning of the Internet!

We have pointed out that the names of the sites you visit are sufficient to get a plethora of information about you and that name lookups are performed without encryption by default. This is where DNS Encryption comes into play.

How it works

Little Snitch implements DNS encryption via a DNS Proxy network extension. If such a network extension is registered with the system, macOS sends all unencrypted DNS lookups (recognized by the port number 53) to the network extension, regardless of the original target and regardless of the process that originated the lookup.

Little Snitch receives these lookups and re-packages them in an encrypted protocol suitable for the selected encrypted DNS service. It then sends the encrypted packet to the DNS server of your choice (regardless of original target), waits for the response, decrypts it and feeds it back as if it were a response from the originally targeted DNS server.
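The interception and re-packaging steps described above, modelled in a small standalone program. This is an added example, not Little Snitch code: it builds a wire-format DNS query, shows how such a query is wrapped for DNS-over-HTTPS (the RFC 8484 GET form, base64url without padding), hands port-53 datagrams to a pluggable encrypted transport, and returns the reply so the caller sees it as if it came from the originally targeted resolver. The upstream is a constructed offline stand-in that answers with 192.0.2.1 (documentation range), and the server URL `https://doh.example/dns-query` is a placeholder.

```python
"""Toy model of a DNS proxy that re-packages plain port-53 lookups as
DNS-over-HTTPS requests. Added example; not Little Snitch's implementation."""
import base64
import struct
from typing import Callable, Optional

DNS_PORT = 53
A_RECORD = 1


def encode_name(name: str) -> bytes:
    """Encode "example.com" as the DNS label sequence 7example3com0."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int, qtype: int = A_RECORD) -> bytes:
    """Wire-format query: 12-byte header (RD flag set) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def doh_get_url(base_url: str, wire_query: bytes) -> str:
    """RFC 8484 GET form: the raw DNS message, base64url-encoded, padding removed.
    The real request would be sent over TLS, which is what hides the name."""
    b64 = base64.urlsafe_b64encode(wire_query).rstrip(b"=").decode("ascii")
    return f"{base_url}?dns={b64}"


def fake_doh_resolver(wire_query: bytes) -> bytes:
    """Constructed stand-in for the encrypted upstream so the example runs offline.
    Echoes the question and answers with the A record 192.0.2.1."""
    txid = struct.unpack("!H", wire_query[:2])[0]
    question = wire_query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # Answer RR: compression pointer to the question name (offset 12),
    # type A, class IN, TTL 300 s, 4-byte address.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


def proxy_lookup(datagram: bytes, dst_port: int,
                 forward: Callable[[bytes], bytes]) -> Optional[bytes]:
    """Model of the interception step. Traffic to any port other than 53 is not
    DNS and is left alone (None). A port-53 datagram is passed to the encrypted
    transport, whatever its original destination, and the decrypted reply is
    returned unchanged so it looks like an answer from the original target."""
    if dst_port != DNS_PORT:
        return None
    if len(datagram) < 12:
        raise ValueError("truncated DNS header")
    txid = struct.unpack("!H", datagram[:2])[0]
    response = forward(datagram)
    # A proxy must not hand back a reply for a different outstanding query.
    if struct.unpack("!H", response[:2])[0] != txid:
        raise ValueError("transaction ID mismatch")
    return response


def skip_name(buf: bytes, off: int) -> int:
    """Advance past a name: either a 2-byte compression pointer or labels up to 0."""
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def first_a_record(response: bytes) -> Optional[str]:
    """Return the IPv4 address from the first A record in the answer section."""
    qdcount, ancount = struct.unpack("!HH", response[4:8])
    off = 12
    for _ in range(qdcount):
        off = skip_name(response, off) + 4          # QTYPE + QCLASS
    for _ in range(ancount):
        off = skip_name(response, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        if rtype == A_RECORD and rdlen == 4:
            return ".".join(str(b) for b in response[off:off + 4])
        off += rdlen
    return None


if __name__ == "__main__":
    query = build_query("example.com", txid=0x1234)
    print(doh_get_url("https://doh.example/dns-query", query))  # placeholder server
    reply = proxy_lookup(query, DNS_PORT, fake_doh_resolver)
    print(first_a_record(reply))
```

Swap `fake_doh_resolver` for a function that POSTs the bytes to a real DoH endpoint over TLS and the model becomes a working forwarder; the port-53 gate and the transaction-ID check are the two decisions a proxy like this has to get right.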

To enable DNS encryption in Little Snitch, go to the DNS Encryption settings page.

Encryption protocols

Little Snitch supports the following protocols for DNS encryption:

When you choose a protocol, make sure the server of your choice supports it, too!

Whom do you trust?

One thing is for sure: the organization providing encrypted DNS can see all your lookups and thus has all the information you want to keep confidential via DNS encryption. You must trust this organization to use that information only in accordance with your interests. So whom do you trust? Google? Cloudflare? It’s no coincidence that Big Tech companies provide this service for free.

We do not want to give an explicit recommendation, but Quad9’s description of itself looks promising. They claim: “When your devices use Quad9 normally, no data containing your IP address is ever logged in any Quad9 system”. And even Wikipedia has no negative claims.

Other than that, we can only recommend that you read the privacy policy of the service in question.

Limitations


© 2016-2024 by Objective Development Software GmbH