Known issues with iOS/macOS system Encrypted DNS (DoH) support

A number of known bugs have been found in the new iOS 14 and macOS 11 Encrypted DNS support. This page summarizes those bugs with current status of resolution and workaround when available.

macOS & iOS: VPN Conflict

When a VPN is connected, the Encrypted DNS profile is ignored in favor of the DNS server advertised by the VPN with no option to change this behavior. The DNS profile is still shown as active in the OS settings, which is confusing for the user.

We believe that Encrypted DNS should be part of the traffic going through the VPN as it is the case on other platforms. If you agree, please submit your feedback to Apple using Feedback Assistant.

Status: reported, probably won't fix

macOS: Chrome ignores Encrypted DNS in some cases

In some (still unidentified) cases, Chrome & Chromium ignore the system configured Encrypted DNS profile and use the system's legacy UDP DNS instead. We can't reproduce this issue consistently, we are seeking for more data to qualify the issue.

Status: investigating, please report if you reproduce

iOS: Safari UX bug with blocked domains

Since iOS 14, when a URL with a blocked domain is clicked or entered into the location bar, Safari does not show an error, the action is just ignored. This only happens when the domain is blocked with a IP (NextDNS default).

Chrome on iOS shows an error properly.

Status: reported
Workaround: enable the Block Page feature

macOS: Content Filter extension conflict

When an application using the content filter extension like Little Snitch is active, the system Encrypted DNS profile is ignored.

Status: not reported

3replies Oldest first
  • Oldest first
  • Newest first
  • Active threads
  • Popular
  • Comments:

    VPN Conflict - enabled but marked "Not working" in macOS 11.2.3, though still confusing.

    It is also the case with Kaspersky Internet Security, some settings can even inject httpS traffic.

    FYI Kaspersky and LittleSnitch works fine together... that makes a lot of filters before reaching out and both breaks the encrypted DNSR.

    Some VPNs allow to use other DNSR, this can help partially the problem.

    Chrome always use etc when it can not reach other DNSR.

    POC, use a fake/invalid DNSR and it will uses its own after a ~30 sec.

  • I’m not sure if this helps but on iOS/iPadOS I utilize DNS Cloak as my VPN Configuration and any VPN I use under the Personal VPN Category as well (i.e. NordVPN). I find this combo works well for me to get my encrypted DNS Lookups in addition to being able to browse the web in an encrypted fashion as well. It’s the only way I’ve been able to get both to function instead of using the new DNS Profile or the NextDNS iOS App.

    Mac I have no issues and I am able to use the NextDNS App in conjunction with NordVPN.

  • Just a suggestion to anyone on MacOS, simply run the NextDNS CLI instead of the official app or the encrypted DNS. As far I have tested the Profile is the one creating the issues. While that will/may be resolved in the future it is better to use the CLI since it offers the same or better functionality than the Profile since you can customize everything more. 

    Instructions are here: https://github.com/nextdns/nextdns/wiki/MacOS

    I have installed via brew which works perfectly system wide on my M1 Mac.