DNS Encryption
When you enable DNS encryption, macOS redirects all unencrypted DNS lookups on port 53 to Little Snitch, regardless of the original name server targeted. Little Snitch then forwards the lookup in encrypted form to a server of your choice and feeds the response back to macOS, which in turn responds to the process as if the lookup had been made by traditional means.
- DNS Encryption — Enable or disable this feature.
- Encrypted DNS Server — Little Snitch comes with a set of predefined services for DNS encryption (Quad9, Google, Cloudflare, …), or you can choose an arbitrary server.
- Transport Mechanism — How to encrypt and transfer data on the way to the encrypted DNS server. For predefined services, only mechanisms known to be available are offered. For custom servers we offer:
  - DNS over TLS (DoT): The original DNS protocol encrypted via TLS, the mechanism used for secure web sites.
  - DNS over HTTPS (DoH): A new protocol which encapsulates DNS lookups and responses in HTTPS requests and responses. This may be useful to tunnel through firewalls because it is indistinguishable from secure web site traffic.
  - DNS over QUIC (DoQ): Similar to DoH above, but uses the newer and faster QUIC protocol instead of HTTPS.
- DNS Encryption Exceptions — Often the default DNS resolver is your local modem, and it adds local entries such as your printer or TV to DNS. The IP addresses of your local printer and TV are certainly not known by a public encrypted resolver, so queries for these devices should be sent unencrypted to the originally targeted resolver. You can configure these exceptions here. Exceptions can be specific to a profile (e.g. your TV will be available at home, but not at work), and you may provide a fixed DNS resolver which is used instead of the original target.
- Test — DNS encryption requires successful interaction of various components, and if it works correctly, it is indistinguishable from unencrypted DNS lookups. Use this button to test whether lookups are actually sent in encrypted form and to debug potential problems.
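
To make the transport mechanisms above concrete, the following added example (not Little Snitch's code) builds one DNS query and frames it the way DoT, DoQ and DoH carry it inside their encrypted channels. The DNS message is the same in every case; only the wrapping differs. Function names and the server URL are illustrative placeholders.

```python
import base64
import struct

def build_query(name: str, qtype: int = 1) -> bytes:
    """Encode a one-question DNS query in wire format (RFC 1035), ID 0, RD set."""
    # ID 0 is required by DoQ (RFC 9250) and recommended for DoH (RFC 8484).
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"invalid label in {name!r}")
        qname += bytes([len(raw)]) + raw
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def frame_stream(message: bytes) -> bytes:
    """DoT (RFC 7858) and DoQ (RFC 9250): 2-byte length prefix, then the message."""
    return struct.pack("!H", len(message)) + message

def frame_doh_get(message: bytes, url: str) -> str:
    """DoH GET (RFC 8484): unpadded base64url of the message in the 'dns' parameter."""
    encoded = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"{url}?dns={encoded}"

def frame_doh_post(message: bytes) -> tuple[dict, bytes]:
    """DoH POST (RFC 8484): the raw message as the body, typed as DNS wire format."""
    headers = {"Content-Type": "application/dns-message",
               "Accept": "application/dns-message",
               "Content-Length": str(len(message))}
    return headers, message

if __name__ == "__main__":
    query = build_query("www.example.com")           # constructed sample lookup
    url = "https://dnsserver.example.net/dns-query"  # placeholder URL from RFC 8484
    print("DoT/DoQ bytes :", frame_stream(query).hex())
    print("DoH GET       :", frame_doh_get(query, url))
    print("DoH POST      :", frame_doh_post(query)[0])
```

DoT and DoQ normally run on port 853 (TCP and UDP respectively), while DoH shares port 443 with ordinary web traffic, which is why only DoH blends in with secure web site traffic.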
© 2016-2024 by Objective Development Software GmbH