Macintosh Security posted "PAC Attacks When Using HTTPS! VPN To The Rescue" with more good reasons to use a VPN to secure your sensitive internet work. Since everyone already does that or uses only secure networks (right?), I was intrigued by the DNSCrypt information at the bottom to secure my internet address lookups.
DNSCrypt is a protocol that authenticates communications between a DNS client and a DNS resolver. It prevents DNS spoofing. It uses cryptographic signatures to verify that responses originate from the chosen DNS resolver and haven’t been tampered with.
On DNSCrypt.org, go down to DNSCrypt for OSX for options to install on OS X (macOS). I used the first link for the DNSCrypt-OSXClient installer. It was simple to download and install like any other app outside of the App Store.
Once installed, find it as a new icon at the bottom of System Preferences and in the menu bar. The article mentioned OpenDNS and Cisco, so I changed DNSCrypt Name Server from the obscure country to Cisco OpenDNS, then clicked the big Enable DNSCrypt checkbox.
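A quick check after enabling DNSCrypt, added here as an example and not part of the original post or the DNSCrypt project: it reads `scutil --dns` output and lists any nameserver that is not a loopback address. It assumes the DNSCrypt client answers on a loopback address; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: the DNSCrypt client listens on a loopback
# address (127.x.x.x or ::1), so every nameserver macOS reports should
# be loopback once DNSCrypt is enabled.

# Read `scutil --dns`-style text on stdin and print each distinct
# nameserver that is not loopback, one per line.
non_loopback_resolvers() {
    awk '
        /nameserver\[[0-9]+\][ \t]*:/ {
            addr = $NF
            if (addr ~ /^127\./ || addr == "::1") next
            if (!(addr in seen)) { seen[addr] = 1; print addr }
        }
    '
}

# Exit status 0 when all nameservers are loopback, 1 otherwise.
dns_goes_through_local_proxy() {
    leaks=$(non_loopback_resolvers)
    [ -z "$leaks" ] && return 0
    printf 'resolver bypasses local proxy: %s\n' $leaks >&2
    return 1
}

# Constructed sample: all lookups go to the local proxy.
SAMPLE_OK='resolver #1
  nameserver[0] : 127.0.0.1
  flags    : Request A records
resolver #2
  domain   : local
  options  : mdns'

# Constructed sample: a DHCP-supplied resolver is still configured.
SAMPLE_LEAK='resolver #1
  nameserver[0] : 127.0.0.1
  nameserver[1] : 192.168.1.1
DNS configuration (for scoped queries)
resolver #1
  nameserver[0] : 192.168.1.1
  if_index : 4 (en0)'

# On a Mac: scutil --dns | dns_goes_through_local_proxy
printf '%s\n' "$SAMPLE_LEAK" | dns_goes_through_local_proxy ||
    echo "leak detected in constructed sample"
```

Any address it prints is a resolver that can still receive unauthenticated lookups, for example on a network interface that kept its DHCP-assigned DNS server.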
2. OpenDNS Root CA
Some sites, like Google, Facebook, and Twitter, don’t play along with OpenDNS. I found the helpful OpenDNS HSTS and Pinning Certificate Errors and used the OpenDNS Root CA link at the top to easily install their certificate.
But the errors persisted and this was not the full answer.
3. OpenDNS Updater
Then I stumbled across the very useful Certificate error on blocked domains when using OpenDNS which explains what is happening and gives both steps to the solution.
We already did the second step of installing the certificate, but the first step is to let OpenDNS know about your current IP address. The simplest solution is to create an OpenDNS login and get their OpenDNS Updater app. Once installed, launch it and log in with your account. It adds a Login Item, appears in your menu bar, and does its thing automatically in the background.
The few remaining blocked sites now load normally and you’re set!