Setting up DNS over HTTPS on macOS

Back in April, Cloudflare announced a privacy-focused DNS server running at (and, and that it supported DNS over HTTPS. A lot of regular traffic goes over HTTPS these days, but DNS queries to look up the IP address of a domain are still unencrypted, so your ISP can still snoop on which servers you’re visiting even if they can’t see the actual content. We have a Mac mini that runs macOS Server and does DHCP and DNS for our home network, among other things, and with the impending removal of those functions and their suggested replacements with regular non-UI tools with a upcoming version of it, I figured now would be a good time to look into moving us over to use Cloudflare’s shiny new DNS server at the same time.

Turns out it wasn’t that difficult!


  1. Install Homebrew.
  2. Install cloudflared and dnsmasq: brew install cloudflare/cloudflare/cloudflared dnsmasq
  3. Configure dnsmasq to point to cloudflared as its own DNS resolver.
  4. Configure cloudflared to use DNS over HTTPS and run on port 54.
  5. Install both as services to run at system boot.

Configuring dnsmasq

Edit the configuration file located at /usr/local/etc/dnsmasq.conf and uncomment line 66 and change it from server=/localnet/ to server= to tell it to pass DNS requests onto localhost on port 54, which is where cloudflared will be set up.

Configuring cloudflared

Create the directory /usr/local/etc/cloudflared and create a file inside that called config.yml with the following contents:

no-autoupdate: true
proxy-dns: true
proxy-dns-port: 54

Auto-update is disabled because that seems to break things when the update occurs, and the service doesn’t start back up correctly.

Configuring dnsmasq and cloudflared to start on system boot

dnsmasq: sudo brew services start dnsmasq will both start it immediately and also set it to start at system boot.

cloudflared: sudo cloudflared service install, which installs it for launchctl at /Library/LaunchDaemons/com.cloudflare.cloudflared.plist.

Updating your DNS servers

Now that dnsmasq and cloudflared are running, you need to actually tell your machines to use them as their DNS servers! Open up System Preferences > Network, hit Advanced, and in the DNS tab click the + button and put your computer’s local IP address in. (You’ll want to make sure your machine has a static IP address, of course). Repeat the process for everything else on your local network to have them all send their DNS traffic to as well.

You can confirm that all your DNS traffic is going where it should be with dnsleaktest.

And done!

I was surprised at how straightforward this was. I also didn’t realise until I was doing all of this that dnsmasq also does DHCP, so with the assistance of this blog post I’ve also replaced the built-in DHCP server on the Mac mini and continue to have full local hostname resolution as well!

6 thoughts on “Setting up DNS over HTTPS on macOS

  1. how do you make MacoS t resove dns cloudflare though, ive done the above, but my dns resolves via google’s still

    1. Oh crap, I neglected to put that crucial last step into the blog post! I’ll update it, but you need to go into System Preferences > Network and set your DNS server to the IP address of the machine that’s running dnsmasq. 🙂

  2. Would this conflict with my VPN settings? Is there a way to graphically manage these settings, or is always through terminal? I tend to forget what settings I make in terminal and if it’s not right in front of my face these settings become invisible to me.

    1. Would this conflict with my VPN settings?

      Hmm, it’d depend on what specifically you’re doing… you’re referring to having your machine connected to a VPN and routing all your traffic through it? I’d think that this setup would be completely ignored and all your traffic would be tunnelled through the VPN connection anyway. If it’s a split-horizon DNS setup where only specific routes go through the VPN, you’d have all the stuff that ISN’T going via the VPN being sent to Cloudflare instead.

      Is there a way to graphically manage these settings, or is always through terminal? I tend to forget what settings I make in terminal and if it’s not right in front of my face these settings become invisible to me.

      Hah, I know that feeling. As far as I know there’s no graphical front-end for it, unfortunately. 🙁

    1. Not stupid at all! 🙂 I have dnsmasq because it’s also doing the DHCP and DNS for my local network as well, so rather than having to remember IP addresses when I’m connecting to various machines, I can just use their hostname.

      (Well, I did have dnsmasq, I’ve since moved this whole setup to OpenWRT on our router).

Leave a Reply

Your email address will not be published. Required fields are marked *