Use Cloudflare DNS with TLS on Mac OS X - GUI and CLI-way

Tags: #<Tag:0x00007f389ee625e8> #<Tag:0x00007f389ee62430> #<Tag:0x00007f389ee62200> #<Tag:0x00007f389ee61fd0> #<Tag:0x00007f389ee61e90>

#1 on 1.4.18 - typical day on the interwebs

We are all pro-Privacy engineering now. To counter the unknown within the known Web universe. To go, where no one went before… or where we shouldn’t go in the first place.

But sometimes these computers tend to go somewhere, where we actually don’t want them to be… One of the reasons for that usually is DNS.

We all know DNS is like the phone-call history of the web. It matters where and how we resolve names to IP numbers; and the other way around. For speed, for confidentiality and for integrity. Because no one likes to be intercepted at DNS level.
That seems to happen to random people as well. And for what ever reason no one and nothing is truly random. That’s life.

And… that’s where DNS over TLS comes in today. Helping random people do do random things in the Web-universe… without a second pair of eyes. Because no one is as random as it seems.

Does DNS over TLS help

To some degree the following steps can help, also to use Cloudflare’s new DNS server ( and with TLS support on Mac OS X.

StubbyManager - GUi for /me

I also use the Stubby Manager GUI, because it’s fast and easy, and I hate editing yaml-files with Vim:

Get it here, Save-as, double-click, and it’s going to work with the default servers. These exclude Cloudflare, for now.

Click the “Advanced…” button, and paste this in (no empty lines, no tabs):

# The Cloudflare servers
  - adress_data:
    tls_auth_name: ""
      - digest: "sha256"
        value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=

Click Start, Test and check the Logs. Done. If you are interested in the Dev-level details, please continue to scroll and read along.

Install stuff - the Dev-way

So how does this work… Magic? - Nope… Witchcraft? - Nope… Must be!

Stubby is a local DNS resolver stub, that is available via Homebrew or MacPorts as well.

To keep it simple, I chose to use Homebrew here:

➜  ~ brew install stubby
Updating Homebrew...

Check the output. Should be fine.

Configure stuff

Here we go (assuming you chose the same default prefixes):

➜  ~ sudo vim /usr/local/etc/stubby/stubby.yml

# Ordered list composed of one or more transport protocols:
# If only one transport value is specified it will be the only transport used.
# Should it not be available basic resolution will fail.
# Fallback transport options are specified by including multiple values in the
# list.  Strict mode (see below) should use only GETDNS_TRANSPORT_TLS.

The fallbacks are my personal choice. It’s documented… do what you like. Anyways, what we need to check is the SPKI. If you are interested in the standard I recommend the RFC.

Get the SPKI pin from Cloudflare:

   echo | openssl s_client -connect '' 2>/dev/null | \
   openssl x509 -pubkey -noout | \
   openssl pkey -pubin -outform der |\ 
   openssl  dgst -sha256 -binary | \ 
   openssl enc -base64
DNS current SPKI Policy
Cloudflare yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc= Link
Cloudflare yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=
Quad9 ZMZ1T16d9Qc5uvRpUn/mu6fh4+IdoJGOEKjANut91Io= unknown

Back to stubby.yml (hint: do not use tabs in yaml files):

# The Cloudflare servers
  - adress_data:
    tls_auth_name: ""
      - digest: "sha256"
        value: yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=


Please take a look at the DNS Privacy Project {1}, and don’t just replace with With the Stubby GUI it should be simple enough.

These are very early approaches, based on RFC 7858 {2}. I hope that at some point a more secure way for DNS resolving becomes standard practice.


{1} DNS Privacy Project
{2} RFC 7868