[landerwust]

DNSCrypt needs meaningful industry support otherwise it's sadly irrelevant. I think by now we can all agree "industry support" basically means the 3 browser vendors. DoH has at least Mozilla and Google on board, and presumably Microsoft are tailing along.

[GoblinSlayer]

If they allow to configure DoH server, you can use https://github.com/DNSCrypt/dnscrypt-proxy

[gsnedders]

> DoH has at least Mozilla and Google on board, and presumably Microsoft are tailing along.

Note that DoH (and DoT) shipped in iOS 14 and Big Sur, though aren't particularly easy to enable.

[xoa]

>Note that DoH (and DoT) shipped in iOS 14 and Big Sur, though aren't particularly easy to enable.

Specifically, you must install a properly configured .mobileprofile with HTTPS/TLS in the DNSSettings > DNSProtocol part of the payload (along with DNS server addresses of course). Merely pointing at a DoH/DoT supporting DNS server in the settings GUI won't do it, the OS doesn't do any probing and automatically use it just because it's available. For applications DNS Settings is covered under the Network Extension framework [0].

It's definitely nice Apple now has this built-in, and since they're onboard with Cloudflare/Fastly maybe this new twist will be pretty fast too. But obviously they're going to have to make this more automated for it to really make a widespread difference, ideally it'd simply see if the supplied DNS server (manual or DHCP) could run DoH/DoT and then just use it by default with no interaction required.

----

0: https://developer.apple.com/documentation/networkextension/d...

[throwaway67239]

Also, macOS will not let you enable a DoH profile and Little Snitch (or probably any other tool using the Network Extension framework) at the same time. I don't know if this is a bug or intended behavior, but it's a disappointment.

[alwillis]

Note that DoH (and DoT) shipped in iOS 14 and Big Sur, though aren't particularly easy to enable.

You can use something like iMazing Profile Editor [1] to create a .mobileprofile (which is just XML) to configure DoH or DoT.

[1]: https://imazing.com/profile-editor

[xoa]

Out of curiosity, what's the difference vs Apple's first party "Apple Configurator"? Do you like the GUI better, or does it expose more options?

[alwillis]

I do like the UI/UX better; I've always found Apple Configurator to be clunky and non-intuitive.

[1over137]

Anyone have any idea why they chose to require 'configuration profiles' here?

Also, don't 'configuration profiles' require that your Mac have an associated AppleID?

[alwillis]

Anyone have any idea why they chose to require 'configuration profiles' here?

There are several tools that can push configuration profiles to many macOS or iOS devices in one go [1]. It's also the kind of thing you don't want users in managed environments messing with if they don't know what they're doing.

Also, don't 'configuration profiles' require that your Mac have an associated AppleID?

I can't see why they'd be connected; being able to configure network settings isn't a "feature" related to having an Apple ID.

[1]: https://support.apple.com/guide/deployment-reference-macos/w...