You can change the DNS on your Mac and lock your settings to prevent changes.
Changing The Mac DNS
Macs allow you to quickly change the DNS via the Settings -> Network -> Network Name -> DNS screen.
This approach is quick and easy, but sometimes we want to enforce the changes and prefer to do it via the terminal. This is especially helpful for individuals and organizations doing this across multiple devices.
These tips require a basic understanding of the Mac Terminal application and are considered more advanced. You can also follow our step-by-step setup for Mac here.
This guide shows you how to use the terminal to update your DNS nameservers, and how to make it so the user is unable to change them at will.
Networksetup + chflags
Macs come with the networksetup and chflags command-line (CLI) utilities. These allow a user to configure the network and to mark files as immutable (i.e., unable to be changed).
Those two are all you will use to change your device's DNS nameservers and prevent users from making changes.
1. Identify Your Interfaces
Identifying the interface you are working with is critical: it tells you which interfaces are active and which one you are using.
Via your Terminal application, run the networksetup utility with the list-all-network-services option:
$ sudo networksetup -listallnetworkservices
This will give you a response that looks like this:
An asterisk (*) denotes that a network service is disabled.
USB ACM
Thunderbolt Ethernet Slot 1
USB 10/100/1000 LAN
USB 10/100/1000 LAN 2
Wi-Fi
Bluetooth PAN
Thunderbolt Bridge
More often than not, you will be using the “Wi-Fi” interface, since that is how you are connecting to the internet. This can change depending on your local configuration.
2. Set Interface with DNS
In our case we are using the “Wi-Fi” interface, so we can now use the networksetup utility with the set-DNS-servers option:
$ sudo networksetup -setdnsservers Wi-Fi 184.108.40.206
That forces the Wi-Fi interface to use the CleanBrowsing DNS (e.g., 220.127.116.11 / Family Filter). If it works, you will not get any warning or error in the terminal.
You can verify by looking at the /etc/resolv.conf file:
$ cat /etc/resolv.conf
The output looks like this:
#
# macOS Notice
#
# This file is not consulted for DNS hostname resolution, address
# resolution, or the DNS query routing mechanism used by most
# processes on this system.
#
# To view the DNS configuration used by this system, use:
#   scutil --dns
#
# SEE ALSO
#   dns-sd(1), scutil(8)
#
# This file is automatically generated.
#
nameserver 18.104.22.168
3. Stop Changes to DNS Locally
The last step is to disallow changes to the DNS locally. You do that with a different utility: in this case, chflags with the schg flag.
Mac devices allow network changes to be made through this file: /Library/Preferences/SystemConfiguration/preferences.plist
So to stop that, we make it immutable with chflags.
Via your terminal, run this command:
$ sudo chflags schg /Library/Preferences/SystemConfiguration/preferences.plist
With these two commands you change the DNS servers and block anyone from changing them in the future. You can automate them in your deployment scripts to force all Macs to be configured the same way. You can also force the DNS on any other interface you want (e.g., Ethernet).
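The three steps combined into one deployment script, as an added example rather than the article's own code: it checks the service name against the networksetup listing, validates the addresses, applies them, prints the resolvers that scutil --dns reports (the resolv.conf notice above points there as the authoritative view), and then locks preferences.plist. The service name Wi-Fi and the address 192.0.2.53 in the usage line are placeholders; substitute the CleanBrowsing address from step 2.

```shell
#!/bin/sh
# Added example, not the article's own script: set the DNS servers for one
# network service with networksetup, confirm what the resolver uses with
# scutil --dns, then make the preferences file immutable with chflags schg.

PLIST=/Library/Preferences/SystemConfiguration/preferences.plist

# Succeed only if "$1" is listed as an enabled service in the
# `networksetup -listallnetworkservices` output supplied on stdin
# (the header line and '*'-prefixed disabled services are skipped).
service_is_active() {
  while IFS= read -r line; do
    case "$line" in
      "An asterisk"*|"*"*) continue ;;
    esac
    [ "$line" = "$1" ] && return 0
  done
  return 1
}

# Succeed only if "$1" is a dotted-quad IPv4 address with every octet 0-255.
valid_ipv4() {
  saved_ifs=$IFS; IFS=.
  set -f; set -- $1; set +f   # split on dots, no pathname globbing
  IFS=$saved_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# lock_dns SERVICE ADDRESS...: validate, apply, verify, then lock.
# Undo the lock later with: sudo chflags noschg "$PLIST"
lock_dns() {
  service=$1; shift
  for addr in "$@"; do
    valid_ipv4 "$addr" || { echo "invalid address: $addr" >&2; return 1; }
  done
  networksetup -listallnetworkservices | service_is_active "$service" ||
    { echo "no enabled service named '$service'" >&2; return 1; }
  sudo networksetup -setdnsservers "$service" "$@" || return 1
  scutil --dns | grep nameserver   # resolvers actually in use
  sudo chflags schg "$PLIST"
}

# Usage: sh lock-dns.sh Wi-Fi 192.0.2.53   (placeholder service and address)
if [ "$#" -ge 2 ]; then lock_dns "$@"; fi
```

Running it with no arguments only defines the functions, so the same file can be sourced by a larger deployment script.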