Big Sur and later (Encrypted)
DNS over TLS (DoT) and DNS over HTTPS (DoH) are now supported natively in MacOS Big Sur and later.
Please follow the steps below to install the Quad9 DNS Profile.
VPNs, iCloud Private Relay, Little Snitch
When using iCloud Private Relay, most VPN clients, or Little Snitch, it will not utilize/respect this DNS profile.
VPN: do not follow these instructions. Instead set Quad9's IP addresses in the
Custom DNSsettings of your VPN client. Refer to your VPN client's documentation for further information.
Apple Private Relay: do not follow these instructions. Apple private relay will use its own DNS servers at the system level, with no way to override it
- Firefox is set to use Cloudflare DNS by default in some regions. If you're using Firefox, check that this is disabled.
Choosing DNS over TLS or DNS over HTTPS
DNS over TLS is recommended if the device will mainly connect to Wi-Fi networks you control, or on corporate networks where DNS over TLS is allowed.
DNS over HTTPS is recommended if the device will frequently connect to guest Wi-Fi, and/or networks you do not administrate, as DoH is not as commonly blocked on firewalls.
Before You Start
The App Store, as well as the
nslookup commands in a
Terminal do not use encrypted DNS. This is by design.
DNS over TLS
If connected to a Wi-Fi network which blocks DNS over TLS, which may occur on restrictive network firewalls, you will have to disable the profile or disconnect from the network to regain DNS resolution. This solution does not allow for unencrypted "fallback" behavior. DNS over HTTPS is recommended for most users
This profile will expire!
These profiles are only valid until they expire, at which point, they will automatically disable until a new profile is installed. This is by design of Apple, and there is no way around it."
Download one of the profiles here directly using Safari on your MacOS device. You must use Safari to download the file.
If you do not know which file to choose, we recommend DNS over HTTPS - 188.8.131.52 (DNSSEC, Threat-Blocking)
184.108.40.206 (DNSSEC, Threat-Blocking)
220.127.116.11 (No DNSSEC, no Threat-Blocking) (Expires Feb 1st, 2024)
18.104.22.168 (DNSSEC, Threat-Blocking, with ECS)
22.214.171.124 (No DNSSEC, no Threat-Blocking, with ECS)
- Navigate to your Downloads folder and select to the profile you just downloaded.
Profile Downloadedand select the Quad9 profile you opened.
- Click Install
- Enter your phone's passcode
- Click Install
Select Install, then Install again.
The profile is now installed. Select
To confirm the installation was successful, visit on.quad9.net
Questions? Issues? Didn't work? Contact us!