Avoid DNS leaks on OS X

Recently more and more high wall,With the relationship between fascism and the moon cake festival,Many also demolished the ladder。Even developers are also several ladders?,So,In addition to "How science online," this issue,"How to stay safe online," this issue has become more and more people can not be ignored。

I know all of you not only to use,It is a general use computer access,I think this issue should also receive attention。Everything you say in the network above all by your service provider、ISP unavoidably record ...... It was originally a good purpose - once over the network thugs attack,We can quickly arrested him - but,Once this information fall into the wrong hands,That would be disastrous。

Generally, we would like,What's that history has something important to do? As long as my account password secure enough ah! Actually,It is these information,An opportunity to hackers。Your these materials,Will becomeSocial engineeringCreative attack。

So what is it DNS leak?

Use the Internet browser,Enter your domain name will depend on DNS to translate IP address - the computer can not know what is a domain name。So,You may access the contents through the https encryption,But the same ISP can record what you visit those sites!

Even if you use a proxy to access the network and VPN,Your DNS may still be resolved locally,This will cause your hidden whereabouts becomes meaningless! - This is the number one threat to personal privacy:DNS leak

For now,When you use a VPN when,DNS should be resolved remotely,However, some providers do not support it;Also, if you usesocksproxy,Then only 5 SupportedRemote DNS resolution


If you use a pac,Then you need aAccording to the domain nameTo choose instead of the IP proxy pac。- Because it will still be parsed and then determine whether you need a proxy IP。

Otherwise,You may disclose the DNS:

What is DNS leak

What is DNS leak

DNS forwarding transparent

This time it was suggested,If you use a VPN,To avoid DNS poisoning (actually leaked a),To use a third party's public DNS service,For example, Google's ,But if your DNS leaked,Even with public DNS will not help:

DNS forwarding transparent

DNS forwarding transparent

Do you think you access to a third party on a public DNS,In fact, you still visit the ISP's DNS server。

More details about the visit leaked DNS:https://dnsleaktest.com/what-is-a-dns-leak.html

To test DNS leak,access:https://dnsleaktest.com

Use dnscrypt and dnsmasq

dnscrypt It is a project of the Open DNS,It allows you to encrypt access to DNS server,And parse domain name。If using https to access web sites。and dnsmasq It is a lightweight DNS server,We set up a local caching DNS to resolve it Reply,So we do not at the same time, repeated many times to resolve the same domain name - after all, than the plaintext encryption DNS resolution resolves quickly。


In fact, among the most Linux systems, dnsmasq is the default comes - it does not bloated,It will not consume much resources。


In order to install and dnsmasq dnscrypt ,You need to install Xcode - we need to use Xcode comes with a number of command-line tools。

After installing Xcode,Use the command to install the Homebrew:

It is similar apt-get or yum The package manager,Once it is installed,You may need the following settings:

Slow brew update image update source solutions

Install dnsmasq

use brew install dnsmasq To install it。

We edit its configuration:

For example, the following configuration:

Then write an additional configuration: echo "conf-dir=/usr/local/etc/dnsmasq.d" >> /usr/local/etc/dnsmasq.conf To make the configuration directory to put more rules take effect:

For example, domestic Taobao, Jingdong such sites,I think you will not go Agent,So there is no need to deal with encryption,Because many domestic use cdn acceleration,We have foreign words will cause the DNS resolution went on an overseas line,Very slow。If you need to encrypt,This step can be skipped?。

Setting Start:

use sudo lsof -There is no UDP:53 or ps -if | grep '[d]nsmasq ' Dnsmasq has started to verify。

Although dnsmasq is used as the DNS cache,It is also generally used in micro-server such as a DHCP server on OpenWRT。In fact, it used more in this respect。But do not worry,dnsmasq default installation we do not open the DHCP function。

Installation dnscrypt

use brew install dnscrypt-proxy Install dnscrypt。

Setting Start:

Edit profile,The local address to listen cope with dnsmasq:

in <string>/usr/local/opt/dnscrypt-proxy/sbin/dnscrypt-proxy</string> Below this line insert: <string>--local-address=</string> ,Good to avoid conflict and dnsmasq dnsmasq and only allow access to it:

At last,use sudo launchctl load /Library/LaunchDaemons/homebrew.mxcl.dnscrypt-proxy.plist Start Service。

use sudo lsof -There is no UDP:5355 or ps -if | grep '[d]nscrypt' To verify that the service is already in force。

there is a corresponding dnscrypt dnscrypt-wrapper,It is compatible dnscrypt-proxy encryption - which means you can use it to build their own server without using public dnscrypt dnscrypt server。- This is used against DNS poisoning - you can refer to the end of "Further Reading" in the link to learn more。

Network Configuration

turn on Preferences → Advanced → Network →DNSTab ,Only fill And save it。

DNS settings

DNS settings


Use dig to verify whether the two were working properly:


From Denmark dnscrypt server

From Denmark dnscrypt server

Further reading

Compile and install anti-pollution dnscrypt-wrapper build DNS server

dnsmasq (Simplified Chinese)

Privacy & Security Guide on OS X

Original article written by Gerber drop-off:R0uter's Blog » Avoid DNS leaks on OS X

Reproduced Please keep the source and description link:https://www.logcg.com/archives/1311.html

About the Author


The non-declaration,I have written articles are original,Reproduced, please indicate the link on this page and my name。


  1. Are launchctl load can then open another instance dnscrypt it?
    For example, I would like to use the two lines corresponding to two ports — cisco — fvz-rec-hk-ztw-01

    1. Theoretically possible,You need to copy plist,Then get rid of the port,This should be able to start two instances,I have not tried,If this is not,That should not alright,Try it yourself。
      Another method is to use docker from service,In this case since several are ok。
      Or write the script with the traditional way of linux :)

  2. macOS latest system execute sudo launchctl load /Library/LaunchDaemons/homebrew.mxcl.dnscrypt-proxy.plist do not start to take effect,But I can access through google shadowsocksx、facebook,What happens then?Executive dig http://www.google.com @ -p 5355也是connection timed out; no servers could be reached,But you can access

Leave a Reply

Your email address will not be published. Required fields are marked *