You can change the DNS on your Mac and lock your settings to prevent changes.https://www.youtube.com/embed/qHvQ7-tXDP4?feature=oembedVideo Shows you how to change DNS on a Mac via a Terminal

Changing The Mac DNS

Mac’s allow you to quickly change the DNS via the Settings->Network>Network Name>DNS screen.

This is approach is quick and easy, but sometimes we want to enforce some of the changes and prefer to do it via the terminal. This is especially helpful for individuals, organizations, doing this across multiple devices.

These tips require a basic understanding of the Mac terminal application, and are considered to be more advanced. You can also follow our step-by-step setup for Mac here.

This guide will show you how to use terminal to update your DNS nameservers, and how to make it where the user is unable to change them at will.

Networksetup + chflags

Macs come with the networksetup and the chflags command line (CLI) utilities. These utilities allow a user to configure the network and set files as immutable (i.e., unable to be changed).

That’s all you will use to change your devices DNS nameservers and prevent users from making changes.

1. Identify Your Interfaces

Identifying the interface you are working with is critical. It will tell you what is active, and what you are using.

Via your terminal application, run the networksetup utility with the list all network services option:

$ sudo networksetup -listallnetworkservices

This will give you a response that looks like this:

An asterisk (*) denotes that a network service is disabled.
USB ACM
Thunderbolt Ethernet Slot 1
USB 10/100/1000 LAN
USB 10/100/1000 LAN 2
Wi-Fi
Bluetooth PAN
Thunderbolt Bridge

More often than not, you will be using the “Wi-Fi” interface, that’s how you are connecting to the internet. This can change, depending on your local configuration.

2. Set Interface with DNS

In our instance, we are using the “Wi-Fi” interface so we can now use the networksetup utility with the set dns servers option:

sudo networksetup -setdnsservers Wi-Fi 185.228.168.168

That will force the Wi-Fi interface to use the CleanBrowsing DNS (e.g., 185.228.168.168 / Family Filter). If it works, you won’t get any warning or error in the terminal.

You can verify by opening the /etc/resolve.conf file. Something like this:

$ cat /etc/resolv.conf 

Output would look like this:

$ cat /etc/resolv.conf 
#
# macOS Notice
#
# This file is not consulted for DNS hostname resolution, address
# resolution, or the DNS query routing mechanism used by most
# processes on this system.
#
# To view the DNS configuration used by this system, use:
#   scutil --dns
#
# SEE ALSO
#   dns-sd(1), scutil(8)
#
# This file is automatically generated.
#
nameserver 185.228.168.168

3. Stop Changes to DNS Locally

The last step is to disallow changes to the DNS locally. You can do that by using a different utility. In this case, we’ll use chflags with the schg option.

MAC devices allow network changes to be made on this file:

/Library/Preferences/SystemConfiguration/preferences.plist 

So to stop that, we have to make it immutable with chflags.

Via your terminal, you can run this command:

sudo chflags schg /Library/Preferences/SystemConfiguration/preferences.plist

That’s it.

With these 2 commands you will change the DNS servers and block anyone from making changes in the future. You can automate them on your deployment scripts to force all Macs to be configured the same way. You can also force the DNS on any interface you want (e.g., Ethernet).