DNS over HTTPS has been fun to try out. I’ve been using Cloudflare’s command line client/service/proxy configuration and working through some of the quirks with day to day use.
In a nutshell: A DNS proxy is setup on your local machine that makes DNS over HTTPS requests to Cloudflare’s 220.127.116.11 and 18.104.22.168 servers. Your configured DNS server is 127.0.0.1, and lookups are encrypted between your local machine and 22.214.171.124. With this data encrypted, your service provider (home ISP, coffee shop, hotel, airport, etc…) does not see the domain name requests that are made.
This works great until you join a wireless network with some kind of captive portal requiring you to either login or accept some kind of terms. At that point, the network’s DNS is usually used to provide the address for that captive portal and no other network activity is allowed until that process completes. In many cases, this will not be compatible with a DNS over HTTPS configuration.
There are a handful of steps required for switching back and forth, which could be a pain if you’re frequently bouncing between locations.
- Enable or disable the
- Enable or disable the
dnsmasqservice (if using that to capture local
.testlookups for example)
- Change the DNS configuration to either 127.0.0.1 or a default config to allow the network to serve its own DNS.
To handle this, I wrote a couple quick bash scripts that I can use to reduce my annoyance and toggle things back and forth.
doh-enable script turns on
cloudflared, turns on
dnsmasq, and sets the local IP as a DNS server:
# doh-enable: enables the DNS over HTTPS config sudo launchctl setenv TUNNEL_DNS_PORT 54 sudo launchctl load /Library/LaunchDaemons/com.cloudflare.cloudflared.plist sudo brew services start dnsmasq networksetup -setdnsservers Wi-Fi 127.0.0.1
doh-disable script turns off
cloudflared, turns off
dnsmasq, and empties the custom DNS server config to accept the network default:
# doh-disable: disables the DNS over HTTPS config sudo launchctl unload /Library/LaunchDaemons/com.cloudflare.cloudflared.plist sudo brew services stop dnsmasq networksetup -setdnsservers Wi-Fi empty
Now when I encounter a captive portal situation, all I need to do is type one command, sign in, then type another.
If you’re interested in trying out DNS over HTTPS, I found the Cloudflare documentation well written and this article helpful for getting
dnsmasq running alongside it.