Haven DNS
Private DNS Setup
Haven DNS is a private, filtering DNS resolver operated by Katafract. Configure it on your iPhone, Mac, or router and every device on that network gets ad blocking and tracker protection at the DNS layer — before requests leave your device.
Haven DNS Addresses
| Protocol | Address | Use when |
|---|---|---|
| DNS-over-HTTPS (DoH) | https://dns.katafract.com/dns-query | Public-facing, iOS, Mac, browsers |
| DNS-over-TLS (DoT) | dns.katafract.com — port 853 | Android, routers |
| Plain DNS (UDP port 53) | Available when connected via WraithVPN (uses node's WireGuard IP) | Only when on WraithVPN |
Setup Instructions
iOS supports encrypted DNS via configuration profiles. This is the recommended method — it applies system-wide, including in apps that don't respect manual DNS settings.
Download the Haven DNS profile
On your iPhone, open Safari and visit:
Safari will prompt you to download a configuration profile.
Install the profile
Open Settings → General → VPN & Device Management. Tap the Haven DNS profile, then tap Install in the top right. Enter your passcode when prompted.
Verify it's active
Go to Settings → Wi-Fi, tap your network name, and confirm the DNS field shows Haven (Katafract). Open any browser and visit a website — ads should be gone.
The profile configures DNS-over-HTTPS system-wide. It does not route your traffic through a VPN — only DNS queries go through Haven.
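One way to check that claim on a downloaded profile before installing it, as an added example (not Katafract's own code): the script parses a configuration profile and reports any payload other than a DoH DNS setting. It assumes an unsigned, plain-plist profile and that the profile's `ServerURL` matches the DoH address in the table above; the sample profiles it builds are constructed, not the real Haven file.

```python
import plistlib

# Assumption: the profile's ServerURL equals the DoH address in the table above.
EXPECTED_DOH = "https://dns.katafract.com/dns-query"
DNS_PAYLOAD = "com.apple.dnsSettings.managed"  # Apple's encrypted-DNS payload type


def audit_profile(raw: bytes, expected_url: str = EXPECTED_DOH) -> list:
    """Return findings; an empty list means the profile only sets DoH to expected_url."""
    profile = plistlib.loads(raw)
    payloads = profile.get("PayloadContent", [])
    findings = []
    if not payloads:
        findings.append("profile contains no payloads")
    for payload in payloads:
        ptype = payload.get("PayloadType", "<missing>")
        if ptype != DNS_PAYLOAD:
            # Anything else (VPN, root certificate, proxy, ...) is outside a DNS-only profile.
            findings.append(f"unexpected payload type: {ptype}")
            continue
        dns = payload.get("DNSSettings", {})
        if dns.get("DNSProtocol") != "HTTPS":
            findings.append(f"DNSProtocol is {dns.get('DNSProtocol')!r}, expected 'HTTPS'")
        if dns.get("ServerURL") != expected_url:
            findings.append(f"ServerURL is {dns.get('ServerURL')!r}, expected {expected_url!r}")
    return findings


def make_sample(extra_payloads=(), url=EXPECTED_DOH) -> bytes:
    """Build a constructed sample profile (not the real Haven file) for the demo."""
    dns_payload = {
        "PayloadType": DNS_PAYLOAD,
        "PayloadIdentifier": "example.invalid.dns",
        "PayloadVersion": 1,
        "DNSSettings": {"DNSProtocol": "HTTPS", "ServerURL": url},
    }
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "example.invalid.profile",
        "PayloadVersion": 1,
        "PayloadContent": [dns_payload, *extra_payloads],
    })


if __name__ == "__main__":
    print(audit_profile(make_sample()))
    print(audit_profile(make_sample([{"PayloadType": "com.apple.security.root"}])))
    print(audit_profile(make_sample(url="https://resolver.example.invalid/dns-query")))
```

To audit a real file, pass its bytes to `audit_profile`; a signed profile must have its signature wrapper removed first, since `plistlib` only reads the inner plist.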
Open Network Settings
Go to System Settings → Network, select your active connection (Wi-Fi or Ethernet), click Details…, then the DNS tab.
Add Haven DNS servers
For encrypted DNS on Mac, download the Haven profile at dns.katafract.com/haven.mobileconfig, or use DNS-over-HTTPS in System Settings.
macOS 11+ supports encrypted DNS configuration profiles the same way as iOS. This is recommended for system-wide protection.
Setting Haven DNS at the router level protects every device on your network automatically — including smart TVs, game consoles, and guests.
Log in to your router
Open a browser and go to your router's admin page (commonly 192.168.1.1 or 192.168.0.1). Log in with your admin credentials.
Find DNS settings
Look for Internet, WAN, or DNS settings. The exact location varies by router brand (Netgear: Advanced → Setup → Internet Setup; Asus: WAN → Internet Connection; TP-Link: Advanced → Network → Internet).
Use Haven DNS via WraithVPN or encrypted protocols
For encrypted DNS without WraithVPN, configure your router to use DNS-over-HTTPS or DNS-over-TLS endpoints. When connected to WraithVPN, Haven DNS is built into the connection automatically.
Public plain DNS addresses have been removed. Haven DNS is accessed via encrypted endpoints (DoH/DoT) or automatically when using WraithVPN.
Most modern browsers support DNS-over-HTTPS natively. This only protects DNS queries made by the browser, not other apps.
Chrome / Edge / Brave
Go to Settings → Privacy and security → Security. Enable Use secure DNS, choose With Custom, and enter:
Firefox
Go to Settings → Privacy & Security, scroll to DNS over HTTPS, select Custom, and paste:
Safari
Safari uses system DNS. Use the iOS or Mac tab above for system-wide protection that covers Safari and all other apps.
What Haven Blocks
Free vs. Paid
Haven DNS is included with WraithVPN.