DNS Encryption
There has been an arms race in the field of privacy during the last decades. While users try to protect their privacy using encryption and tools like Little Snitch, government agencies and Big Tech companies try to squeeze out any bit of information they can get from the remaining data patterns.
It turned out that the list of internet sites you visit reveals enough information to infer your interests and beliefs. Governments are after this information to determine the potential risk you pose; Big Tech uses it to attract your attention.
Following the revelations by Edward Snowden, most Internet traffic switched to encrypted transfer via HTTPS. Free certificates from Let’s Encrypt allowed this to happen at large scale. What was long neglected, though, was the name lookup. Before a web page can be requested, even when it is encrypted, the server name must be resolved to an IP address via DNS. This name resolution has remained almost unchanged since the beginning of the Internet!
We have pointed out that the names of the sites you visit are sufficient to obtain a plethora of information about you, and that name lookups are performed without encryption by default. This is where DNS Encryption comes into play.
How it works
Little Snitch implements DNS encryption via a DNS Proxy network extension. If such a network extension is registered with the system, macOS sends all unencrypted DNS lookups (recognized by the port number 53) to the network extension, regardless of original target and regardless of the process originating the lookup.
Little Snitch receives these lookups and re-packages them in an encrypted protocol suitable for the selected encrypted DNS service. It then sends the encrypted packet to the DNS server of your choice (regardless of original target), waits for the response, decrypts it and feeds it back as if it were a response from the originally targeted DNS server.
To enable DNS encryption in Little Snitch, go to the DNS Encryption settings page.
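As an added illustration (not Little Snitch's own code, whose network extension is not shown on this page), the following Python builds a plain port-53 query as the system would hand it to a DNS proxy, shows the DoT and DoH framings it would be re-packaged into, and checks a decrypted reply before it is fed back to the requesting process. The query name, the resolver host and the 192.0.2.1 answer are constructed sample values.

```python
import socket
import struct

# Constructed sample query, as macOS hands it to the DNS proxy extension: a plain
# port-53 wire-format message (RFC 1035) asking for the A record of a name.
def build_query(name: str, txid: int) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def wrap_dot(query: bytes) -> bytes:
    # DoT (RFC 7858): the unchanged message inside TLS, with the two-byte length prefix of DNS over TCP.
    return struct.pack("!H", len(query)) + query

def unwrap_dot(stream: bytes) -> bytes:
    (length,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + length]

def wrap_doh(query: bytes, host: str, path: str = "/dns-query") -> bytes:
    # DoH (RFC 8484): the identical message as the body of an HTTPS POST with
    # Content-Type application/dns-message (HTTP/1.1 form shown for readability).
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/dns-message\r\n"
            "Accept: application/dns-message\r\n"
            f"Content-Length: {len(query)}\r\n\r\n")
    return head.encode() + query

def build_reply(query: bytes, ip: str) -> bytes:
    # Constructed resolver reply: same ID, QR/RD/RA flags, one A record whose name
    # is a compression pointer (0xC00C) to the question name at offset 12.
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + query[12:] + answer

def check_reply(query: bytes, reply: bytes) -> bytes:
    # Validate the decrypted reply before feeding it back to the requesting process
    # as if it had come from the originally targeted port-53 server.
    if len(reply) < 12:
        raise ValueError("truncated DNS message")
    if reply[:2] != query[:2]:
        raise ValueError("transaction ID does not match the query")
    (flags,) = struct.unpack("!H", reply[2:4])
    if not flags & 0x8000:
        raise ValueError("QR bit not set: this is not a response")
    if reply[12:len(query)] != query[12:]:
        raise ValueError("question section does not match the query")
    return reply

def answer_ip(reply: bytes) -> str:
    return socket.inet_ntoa(reply[-4:])  # IPv4 address of the single-answer reply built above
```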
Encryption protocols
Little Snitch supports the following protocols for DNS encryption:
- DNS over TLS (DoT): The same protocol which is normally used unencrypted on port 53 is encrypted with TLS.
- DNS over HTTPS (DoH): DNS packets are encapsulated in encrypted web page requests. This can be used even if a corporate firewall blocks DoT because it cannot easily be distinguished from normal web page requests.
- DNS over QUIC (DoQ): Similar to DoH above, but uses the newer and faster QUIC protocol for the web request.
When you choose a protocol, make sure the server of your choice supports it, too!
Whom do you trust?
One thing is for sure: The organization providing encrypted DNS can see all your lookups and has all the information you want to keep confidential via DNS encryption. You must trust this organization to use the information only in accordance with your interests. So whom do you trust? Google? Cloudflare? It’s no coincidence that Big Tech companies provide this service for free.
We do not want to give an explicit recommendation, but the self-definition of Quad9 looks promising. They claim: “When your devices use Quad9 normally, no data containing your IP address is ever logged in any Quad9 system”. And even Wikipedia has no negative claims.
Other than that we can only recommend that you look at the privacy policy of the service in question.
Limitations
- macOS accepts only one DNS Proxy network extension. If you already have another app which provides this service, you cannot enable it in Little Snitch.
- If your default DNS server enhances the public DNS database with private entries such as your printer or TV, these private entries are not available from the encrypted DNS server. You can work around this by configuring an exception, though.
- All lookups are sent to the encrypted DNS server, regardless of the original target. Apps using DNS for database lookups on dedicated servers, e.g. a DNS-based blocklist, might fail.
- Your computer may still leak server name information, e.g. in the Server Name Indication extension to TLS (the protocol used in HTTPS).
© 2016-2024 by Objective Development Software GmbH