Manually Change DNS on a Mac (Terminal)

You can change the DNS on your Mac and lock your settings to prevent changes. This guide shows you how to change DNS on a Mac via the Terminal.

Changing The Mac DNS

Macs allow you to quickly change the DNS via the Settings > Network > Network Name > DNS screen.

This approach is quick and easy, but sometimes we want to enforce some of the changes and prefer to do it via the terminal. This is especially helpful for individuals and organizations doing this across multiple devices.

These tips require a basic understanding of the Mac terminal application, and are considered to be more advanced. You can also follow our step-by-step setup for Mac here.

This guide will show you how to use the terminal to update your DNS nameservers, and how to prevent the user from changing them at will.

Networksetup + chflags

Macs come with the networksetup and the chflags command line (CLI) utilities. These utilities allow a user to configure the network and set files as immutable (i.e., unable to be changed).

That’s all you will use to change your device’s DNS nameservers and prevent users from making changes.

1. Identify Your Interfaces

Identifying the interface you are working with is critical. It will tell you what is active, and what you are using.

Via your terminal application, run the networksetup utility with the list all network services option:

$ sudo networksetup -listallnetworkservices

This will give you a response that looks like this:

An asterisk (*) denotes that a network service is disabled.
Thunderbolt Ethernet Slot 1
USB 10/100/1000 LAN
USB 10/100/1000 LAN 2
Bluetooth PAN
Thunderbolt Bridge

More often than not, you will be using the “Wi-Fi” interface, since that’s how you are connecting to the internet. This can change, depending on your local configuration.

2. Set Interface with DNS

In our instance, we are using the “Wi-Fi” interface so we can now use the networksetup utility with the set dns servers option:

sudo networksetup -setdnsservers Wi-Fi <DNS_SERVER_1> <DNS_SERVER_2>

That will force the Wi-Fi interface to use the CleanBrowsing DNS (e.g., / Family Filter). If it works, you won’t get any warning or error in the terminal.

You can verify by opening the /etc/resolv.conf file. Something like this:

$ cat /etc/resolv.conf 

Output would look like this (as the file’s own notice says, scutil --dns shows the DNS configuration the system actually uses):

$ cat /etc/resolv.conf 
# macOS Notice
# This file is not consulted for DNS hostname resolution, address
# resolution, or the DNS query routing mechanism used by most
# processes on this system.
# To view the DNS configuration used by this system, use:
#   scutil --dns
#   dns-sd(1), scutil(8)
# This file is automatically generated.

3. Stop Changes to DNS Locally

The last step is to disallow changes to the DNS locally. You can do that by using a different utility. In this case, we’ll use chflags with the schg option.

Mac devices allow network changes to be made on this file:

/Library/Preferences/SystemConfiguration/preferences.plist

So to stop that, we have to make it immutable with chflags.

Via your terminal, you can run this command:

sudo chflags schg /Library/Preferences/SystemConfiguration/preferences.plist

That’s it.

With these 2 commands you will change the DNS servers and block anyone from making changes in the future. You can automate them in your deployment scripts to force all Macs to be configured the same way. You can also force the DNS on any interface you want (e.g., Ethernet).
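As an added example (not part of the original article), the script below audits both settings after deployment: it compares the output of networksetup -getdnsservers against the expected resolvers and checks the ls -lO flags column of preferences.plist for schg. The resolver addresses are placeholders from the 192.0.2.0/24 documentation range, and the function names dns_matches, has_schg, audit and demo are this example's own.

```shell
#!/bin/sh
# Added example: audit the two settings this guide applies.
# 192.0.2.x addresses are placeholders (documentation range), not real resolvers.

PLIST=/Library/Preferences/SystemConfiguration/preferences.plist

# dns_matches "<ip1> <ip2>": stdin is `networksetup -getdnsservers <service>`
# output (one address per line). Succeeds only on an exact, ordered match.
dns_matches() {
    actual=$(tr '\n' ' ' | sed 's/ *$//')
    [ "$actual" = "$1" ]
}

# has_schg: stdin is one `ls -lO <file>` line; field 5 holds the file flags
# as a comma-separated list ("-" when none are set).
has_schg() {
    awk '{ n = split($5, f, ","); for (i = 1; i <= n; i++) if (f[i] == "schg") ok = 1 }
         END { exit ok ? 0 : 1 }'
}

# audit <service> "<ip1> <ip2>": live check, macOS only.
audit() {
    networksetup -getdnsservers "$1" | dns_matches "$2" ||
        { echo "FAIL: DNS on $1 is not '$2'"; return 1; }
    ls -lO "$PLIST" | has_schg ||
        { echo "FAIL: $PLIST is not immutable (schg missing)"; return 2; }
    echo "OK: DNS set and preferences.plist locked"
}

# Constructed sample outputs, so the parsers can be tried on any system.
SAMPLE_DNS='192.0.2.10
192.0.2.11'
SAMPLE_UNSET="There aren't any DNS Servers set on Wi-Fi."
SAMPLE_LOCKED='-rw-r--r--  1 root  wheel  schg 9214 Jan  1 12:00 preferences.plist'
SAMPLE_UNLOCKED='-rw-r--r--  1 root  wheel  - 9214 Jan  1 12:00 preferences.plist'

demo() {
    printf '%s\n' "$SAMPLE_DNS" | dns_matches "192.0.2.10 192.0.2.11" && echo "dns: match"
    printf '%s\n' "$SAMPLE_UNSET" | dns_matches "192.0.2.10 192.0.2.11" || echo "dns: unset detected"
    printf '%s\n' "$SAMPLE_LOCKED" | has_schg && echo "plist: locked"
    printf '%s\n' "$SAMPLE_UNLOCKED" | has_schg || echo "plist: unlocked detected"
}

# On macOS with two arguments run the live audit; otherwise show the demo.
if [ "$(uname)" = "Darwin" ] && [ $# -eq 2 ]; then audit "$1" "$2"; else demo; fi
```

Because the file is immutable once schg is set, a deployment script that later needs to change the DNS servers has to clear the flag with chflags noschg first and set it again afterwards.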

Verify Connection & Troubleshooting

After configuring your device or router you can verify your configuration by visiting DNS Leak Test and running the standard test.

We provide a more in depth guide on Verifying and Debugging Connections.
