Manually Change DNS on a Mac (Terminal)
You can change the DNS on your Mac and lock your settings to prevent changes.https://www.youtube.com/embed/qHvQ7-tXDP4?feature=oembedVideo Shows you how to change DNS on a Mac via a Terminal
Changing The Mac DNS
Mac’s allow you to quickly change the DNS via the Settings->Network>Network Name>DNS screen.

This is approach is quick and easy, but sometimes we want to enforce some of the changes and prefer to do it via the terminal. This is especially helpful for individuals, organizations, doing this across multiple devices.
These tips require a basic understanding of the Mac terminal application, and are considered to be more advanced. You can also follow our step-by-step setup for Mac here.
This guide will show you how to use terminal to update your DNS nameservers, and how to make it where the user is unable to change them at will.
Networksetup + chflags
Macs come with the networksetup and the chflags command line (CLI) utilities. These utilities allow a user to configure the network and set files as immutable (i.e., unable to be changed).
That’s all you will use to change your devices DNS nameservers and prevent users from making changes.
1. Identify Your Interfaces
Identifying the interface you are working with is critical. It will tell you what is active, and what you are using.
Via your terminal application, run the networksetup utility with the list all network services option:
$ sudo networksetup -listallnetworkservices
This will give you a response that looks like this:
An asterisk (*) denotes that a network service is disabled.
USB ACM
Thunderbolt Ethernet Slot 1
USB 10/100/1000 LAN
USB 10/100/1000 LAN 2
Wi-Fi
Bluetooth PAN
Thunderbolt Bridge
More often than not, you will be using the “Wi-Fi” interface, that’s how you are connecting to the internet. This can change, depending on your local configuration.
2. Set Interface with DNS
In our instance, we are using the “Wi-Fi” interface so we can now use the networksetup utility with the set dns servers option:
sudo networksetup -setdnsservers Wi-Fi 185.228.168.168
That will force the Wi-Fi interface to use the CleanBrowsing DNS (e.g., 185.228.168.168 / Family Filter). If it works, you won’t get any warning or error in the terminal.
You can verify by opening the /etc/resolve.conf file. Something like this:
$ cat /etc/resolv.conf
Output would look like this:
$ cat /etc/resolv.conf
#
# macOS Notice
#
# This file is not consulted for DNS hostname resolution, address
# resolution, or the DNS query routing mechanism used by most
# processes on this system.
#
# To view the DNS configuration used by this system, use:
# scutil --dns
#
# SEE ALSO
# dns-sd(1), scutil(8)
#
# This file is automatically generated.
#
nameserver 185.228.168.168
3. Stop Changes to DNS Locally
The last step is to disallow changes to the DNS locally. You can do that by using a different utility. In this case, we’ll use chflags with the schg option.
MAC devices allow network changes to be made on this file:
/Library/Preferences/SystemConfiguration/preferences.plist
So to stop that, we have to make it immutable with chflags.
Via your terminal, you can run this command:
sudo chflags schg /Library/Preferences/SystemConfiguration/preferences.plist
That’s it.
With these 2 commands you will change the DNS servers and block anyone from making changes in the future. You can automate them on your deployment scripts to force all Macs to be configured the same way. You can also force the DNS on any interface you want (e.g., Ethernet).
Contents
Instructional Guides Categories
- Configure Mobile Devices (5)
- Debugging & Troubleshooting (9)
- Educational Articles (13)
- Gaming Platforms (3)
- Getting Started (7)
- How To Guides (37)
- Known Conflicts (2)
- Operating Systems (4)
- Paid Features Overview (17)
- Platform Domains (2)
- Routers & Network Devices (49)
- Tips and Tricks (4)
Verify Connection & Troubleshooting
After configuring your device or router you can verify your configuration by visiting DNS Leak Test and running the standard test.
We provide a more in depth guide on Verifying and Debugging Connections.