Add Support for Encrypted Custom DNS (DoH/DoQ) on macOS
Currently, Proton VPN on macOS only allows custom DNS configuration via plaintext IPv4. This exposes DNS queries to interception and does not align with Proton’s privacy-first principles.
Please add support for encrypted DNS protocols—DNS-over-HTTPS (DoH, RFC 8484) and DNS-over-QUIC (DoQ, RFC 9250)—within the macOS app’s DNS settings.
Many providers, such as NextDNS, do not accept unencrypted IPv4 queries unless pre-authorized. This limits usability and reduces privacy.
Optional IPv6 support should also be respected where resolvers prefer or require it.
Adding encrypted DNS support would ensure stronger protection of user traffic beyond the VPN tunnel and reinforce Proton’s commitment to privacy by default.
-
Johan Smith commented
That is so informative and I would love to see that.
-
Privacy Advocate
commented
I already wrote a similar response on the iOS thread, and I'm adding roughly the same comment here for the mac thread.
Privacy and Security Problems with Plaintext DNS on macOS
DNS visibility beyond the VPN tunnel
Even though ProtonVPN encrypts traffic between the device and the VPN server, the DNS queries from the exit server to the resolver remain unencrypted. This allows the exit server’s ISP or any intermediate network to see the domains users visit.
Exposure to interception and tampering
Plaintext DNS can be intercepted or modified. Without encryption, a malicious or compromised network could redirect traffic or block specific domains.
Loss of end-to-end privacy
DNS queries reveal browsing activity. Without encryption between the exit node and the resolver, ProtonVPN users still leak metadata to third parties, which undermines the purpose of using a privacy-first VPN.
Inconsistency with Proton’s “Privacy by Default” principle
Proton promotes complete user privacy and minimal trust in intermediaries. However, unencrypted DNS between the exit server and resolver contradicts that mission, especially for users who rely on privacy-centric resolvers like NextDNS or self-hosted DoH services.
Specific Feature Requests for ProtonVPN macOS
Support DNS-over-HTTPS (DoH, RFC 8484)
Allow users to specify custom encrypted DNS resolvers via DoH endpoints, ensuring DNS queries remain private beyond the VPN tunnel.
Support DNS-over-QUIC (DoQ, RFC 9250)
Add support for DoQ to provide faster, connectionless, and fully encrypted DNS resolution.
Support IPv4 and IPv6
Enable both IPv4 and IPv6 addresses or hostnames for custom encrypted resolvers instead of IPv4-only input.
Maintain end-to-end encryption
Ensure DNS queries are encrypted from the user’s device through the VPN tunnel and continue encrypted all the way to the resolver.
Add transparency for DNS status and fallbacks
Inform users when ProtonVPN is using encrypted DNS and warn if a fallback to plaintext occurs, so users understand their privacy posture in real time.
Why This Matters for ProtonVPN macOS Users
Eliminates plaintext DNS exposure and prevents metadata leaks.
Protects against DNS interception, manipulation, and censorship.
Aligns ProtonVPN’s macOS client with Proton’s broader privacy-by-design philosophy.
Makes the “Custom DNS” feature genuinely privacy-enhancing for advanced users.
Supporting encrypted DNS (DoH and DoQ) would close one of the few remaining privacy gaps in ProtonVPN’s macOS app and strengthen Proton’s claim to full end-to-end protection for its users.
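As an added worked example (it is not from this thread and not Proton's code), the following Python shows what the requests above amount to at the protocol level: building a wire-format DNS query, encoding it for an RFC 8484 DoH GET request with the padding-free base64url the RFC mandates, classifying a custom-DNS entry as encrypted or plaintext (so the client can accept more than bare IPv4 addresses), and producing the plaintext-fallback warning the transparency request asks for. The quic:// and tls:// URL conventions, the hostnames, and the embedded response bytes are constructed assumptions for illustration; no network access is needed.

```python
import base64
import ipaddress
import struct
from urllib.parse import urlparse


def encode_name(name: str) -> bytes:
    """Encode a hostname in DNS wire format: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """Minimal RFC 1035 query for NAME. ID is 0, as RFC 8484 section 4.1 recommends
    for GET requests, so identical queries give identical, cacheable URLs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD=1, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(endpoint: str, query: bytes) -> str:
    """DoH GET URL. RFC 8484 section 6: base64url, and '=' padding MUST NOT be sent."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    sep = "&" if "?" in endpoint else "?"
    return f"{endpoint}{sep}dns={b64}"


def decode_doh_dns_param(url: str) -> bytes:
    """Resolver-side inverse of doh_get_url: re-add padding and decode the query."""
    b64 = url.split("dns=", 1)[1].split("&", 1)[0]
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))


def classify_resolver(spec: str) -> dict:
    """Classify a custom-DNS entry by transport. Bare IPv4/IPv6 means classic Do53
    (port 53, unencrypted). The URL schemes are illustrative conventions, not a
    standard: https:// for DoH (RFC 8484, port 443), quic:// for DoQ (RFC 9250,
    port 853) and tls:// for DoT (RFC 7858, port 853)."""
    try:
        ip = ipaddress.ip_address(spec)
        return {"transport": "Do53", "encrypted": False, "host": spec,
                "port": 53, "family": f"IPv{ip.version}"}
    except ValueError:
        pass
    u = urlparse(spec)
    schemes = {"https": ("DoH", 443), "quic": ("DoQ", 853), "tls": ("DoT", 853)}
    if u.scheme in schemes and u.hostname:
        transport, default_port = schemes[u.scheme]
        return {"transport": transport, "encrypted": True, "host": u.hostname,
                "port": u.port or default_port, "family": None}
    raise ValueError(f"unrecognised resolver spec: {spec!r}")


def fallback_warning(configured: str, in_use: str):
    """Warning text if an encrypted resolver was configured but plaintext is in use."""
    want, got = classify_resolver(configured), classify_resolver(in_use)
    if want["encrypted"] and not got["encrypted"]:
        return (f"WARNING: {want['transport']} resolver {configured} configured, "
                f"but queries are going in plaintext to {in_use}:{got['port']}")
    return None


def parse_a_answers(msg: bytes) -> list:
    """Extract IPv4 addresses from the answer section of a DNS response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"resolver returned RCODE {flags & 0xF}")

    def skip_name(o):  # handles both literal labels and RFC 1035 compression pointers
        while True:
            length = msg[o]
            if length == 0:
                return o + 1
            if length & 0xC0 == 0xC0:
                return o + 2
            o += 1 + length

    off = 12
    for _ in range(qd):
        off = skip_name(off) + 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rclass == 1:
            addrs.append(str(ipaddress.IPv4Address(rdata)))
    return addrs


# Constructed DoH response body: ID 0, QR/RD/RA set, one question, one A answer
# using a compression pointer (0xc00c) back to the question name.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url("https://dns.example.net/dns-query", q))  # assumed endpoint
    for entry in ("1.1.1.1", "2001:db8::1", "https://dns.example.net/dns-query",
                  "quic://dns.example.net"):
        print(entry, "->", classify_resolver(entry))
    print(fallback_warning("https://dns.example.net/dns-query", "192.0.2.53"))
    print(parse_a_answers(SAMPLE_RESPONSE))
```

The point of `classify_resolver` and `fallback_warning` is the one the thread makes: a settings field that only parses IPv4 literals can never express an encrypted resolver, and a client that silently drops to port 53 when the DoH or DoQ endpoint is unreachable leaves the user believing queries are protected when they are not.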
-
Purple Dragon
commented
I agree. In the name of privacy, it just makes sense to extend custom DNS support to support encrypted DNS (DoH, DoT, DoQ, etc.) entries too rather than just IPv4 addresses that only support unencrypted DNS queries.