macOS DNS Lockdown

Persistent, Tamper-Resistant DNS Filtering for Your Mac

CleanBrowsing's macOS DNS Lockdown installs persistent DNS filtering that runs silently in the background. Once installed, DNS settings are enforced automatically and cannot be changed without authorization — giving you the accountability barrier you need.

Step 1: What It Does

The macOS DNS Lockdown is a single-command installer that permanently locks your Mac's DNS settings to CleanBrowsing. Once installed, all DNS queries on your Mac are routed through CleanBrowsing's filtering servers — blocking access to adult content, malware, phishing, and other categories based on the filter you choose.

Unlike simply changing your DNS settings in System Settings (which anyone can reverse in seconds), the DNS Lockdown is designed to be persistent and tamper-resistant. It cannot be turned off by changing network settings, switching Wi-Fi networks, or toggling airplane mode. It works across all networks — home, office, coffee shop, hotel, cellular hotspot — everywhere.

This tool was built for people who want a real barrier between themselves and harmful content. Whether you are a parent locking down a child's computer or an adult who wants accountability for yourself, the lockdown provides a level of protection that casual DNS changes and browser extensions cannot match.

Step 2: How It Works

Every time your Mac connects to a website, it first performs a DNS lookup — translating the domain name (like example.com) into an IP address. Normally, your Mac uses whatever DNS server your router or network provides. The macOS DNS Lockdown overrides this at the system level, ensuring that every DNS lookup goes through CleanBrowsing regardless of the network you are connected to.

The lockdown operates through two complementary protection layers that work together:

  • Encrypted DNS (Primary): A system-wide DNS-over-HTTPS (DoH) configuration profile is installed on your Mac. This encrypts all DNS queries and sends them directly to CleanBrowsing over HTTPS (port 443). Because the traffic is encrypted, it cannot be intercepted or tampered with by the network you are on.
  • Plaintext DNS Enforcement (Fallback): A background service monitors your Mac's DNS settings every 60 seconds and whenever a network change is detected. If anyone or anything changes your DNS settings, the service automatically resets them to CleanBrowsing within seconds.

These two layers ensure continuous protection. The encrypted DNS profile handles the primary filtering, while the background enforcement acts as a safety net in case the profile is ever interrupted.

Step 3: Two Layers of Protection

Layer 1: DNS-over-HTTPS Profile

The installer generates a .mobileconfig profile — the same format Apple uses for enterprise device management — and installs it at the system level. This profile configures your Mac to use DNS-over-HTTPS (DoH) for all DNS resolution. The benefits of this approach include:

  • All DNS queries are encrypted — your ISP and network operator cannot see or intercept your DNS traffic.
  • The profile is system-wide — it applies to every application, every browser, and every network connection on your Mac.
  • The profile includes captive portal exceptions so hotel and airport Wi-Fi login pages still work normally.
  • Standard (non-admin) user accounts cannot remove the profile.
  • The profile includes plaintext DNS fallback addresses pointing to CleanBrowsing. If macOS ever falls back from DoH (e.g., during a network transition), it uses our plaintext DNS instead of your ISP's — so your blocks remain active even during failover.

Layer 2: DNS Enforcement Daemon

The second layer is a macOS LaunchDaemon — a background service that runs as root. It performs two functions:

  • Periodic check (every 60 seconds): The daemon reads the configured DNS servers for every network interface (Wi-Fi, Ethernet, etc.) and compares them against CleanBrowsing's expected IP addresses. If they do not match, the daemon resets them immediately.
  • Network change trigger: The daemon also watches /etc/resolv.conf for changes. When you connect to a new network (or your DHCP lease renews), this file changes — triggering the daemon to verify and enforce DNS settings in real time, not just on the 60-second interval.

Together, these two layers mean that even if something disrupts the DoH profile temporarily, the plaintext DNS enforcement catches it and keeps your Mac pointed at CleanBrowsing.

Step 4: Installation

Installation takes about 30 seconds. Open Terminal on your Mac (Applications > Utilities > Terminal) and run the following command:

sudo bash -c "$(curl -sL https://cleanbrowsing.org/download/macos/cb-macos-lockdown.sh)"

You will be prompted for your Mac administrator password. This is required because the command runs the downloaded installer script as root (via sudo) so that it can configure system-level services. Then you will choose a filter:

  • Family Filter — Blocks adult content, mixed content, malware, and phishing. Forces SafeSearch on Google, Bing, and YouTube.
  • Adult Filter — Blocks adult content, malware, and phishing. Does not block mixed content sites or force SafeSearch.
  • Paid Account — Uses your CleanBrowsing Custom Code to auto-configure with your personalized filter settings. Supports 21+ configurable categories, per-device analytics, and custom policies.

For paid accounts, you will need your Custom Code from the CleanBrowsing Dashboard. The installer fetches your DNS settings and DoH URL automatically.

The installer handles everything: it generates the DoH profile, installs it, sets up the enforcement daemon, configures DNS on all network interfaces, and starts the background services. No additional configuration is needed.

Step 5: What Happens After Installation

Once installed, the lockdown works silently in the background. You will not see any icons, notifications, or indicators. It simply works. Here is what happens under the hood:

  • All DNS queries from your Mac are encrypted and sent to CleanBrowsing via DoH.
  • Every 60 seconds (and on every network change), the enforcement daemon checks that DNS settings have not been altered. If they have, it resets them within seconds.
  • If you have a paid account, your public IP is automatically registered with CleanBrowsing every 5 minutes so your custom filtering rules always apply, even if your IP address changes.

Switching Wi-Fi networks, connecting to a VPN, or restarting your Mac does not affect the lockdown. The daemon starts automatically at boot and the DoH profile is persistent across restarts.

Activity is logged to /var/log/cleanbrowsing-dns.log. The log records enforcement actions (when DNS was reset), IP registration events (for paid accounts), and any errors. You can review this log to confirm the lockdown is working.

Step 6: Device Identification

During installation, the lockdown automatically detects your Mac's computer name (e.g., "Tony's MacBook Pro") and appends it to the DoH URL. This means every DNS query your Mac makes is tagged with the device name, allowing you to identify it in your CleanBrowsing dashboard and logs.

For example, if your Mac's name is "Office iMac" and you chose the Family Filter, the DoH URL would be:

https://doh.cleanbrowsing.org/doh/family-filter/Office%20iMac

This is especially useful for paid accounts where you may have multiple devices on your network. You can see exactly which device made each DNS query, making it easier to monitor activity and troubleshoot filter behavior per device.

The computer name is pulled automatically — you do not need to enter it manually. It uses the name set in System Settings > General > About > Name.

Step 7: Choosing the Right Filter

The filter you choose determines what types of content are blocked. Here is a comparison:

Category                   Family    Adult     Paid / Custom
Adult / Pornography        Blocked   Blocked   Configurable
Mixed Content              Blocked   -         Configurable
Malware & Phishing         Blocked   Blocked   Blocked
Forced SafeSearch          Yes       -         Configurable
YouTube Restricted Mode    Yes       -         Configurable
Custom Categories (21+)    -         -         Yes
Per-Device Analytics       -         -         Yes
Activity Logging           -         -         Yes

For adults managing a personal addiction, the Family Filter provides the strongest out-of-the-box protection because it blocks mixed content sites (platforms that host both safe and unsafe material) and forces SafeSearch. The Paid / Custom option provides the same protection plus the ability to block additional categories (social media, gaming, streaming, etc.) and view detailed activity logs.

See our detailed Free vs Paid comparison for more on what each plan includes.

Step 8: Verification & Logs

After installation, you can verify the lockdown is working with a few simple checks.

Check the DoH Profile

Open Terminal and run:

profiles list 2>/dev/null | grep -A2 cleanbrowsing

You should see the CleanBrowsing DoH profile listed.

Check Plaintext DNS Settings

networksetup -getdnsservers Wi-Fi

This should return CleanBrowsing's DNS IPs (e.g., 185.228.168.168 and 185.228.169.168 for the Family Filter).
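
The Wi-Fi check covers a single service, while the enforcement daemon described in Step 3 compares every interface. The script below is an added example, not CleanBrowsing's own code: it runs the same comparison read-only across all enabled network services, using the Family Filter IPs quoted on this page. The function names are hypothetical, and the live audit runs only where networksetup exists.

```shell
#!/bin/sh
# Added example, not CleanBrowsing's code. Function names are hypothetical.
# Expected resolvers: the Family Filter IPs quoted on this page.
EXPECTED="185.228.168.168 185.228.169.168"

# Filter `networksetup -listallnetworkservices` output (stdin): drop the
# banner line and services marked disabled with a leading asterisk.
active_services() {
    awk 'NR == 1 && /asterisk/ { next } /^\*/ { next } NF'
}

# Classify `networksetup -getdnsservers <service>` output ($2) against the
# expected resolver list ($1). Prints: ok, unset or drift.
#   unset = no manual servers, so plaintext DNS comes from DHCP
#   drift = any missing or extra resolver (order is ignored)
dns_state() {
    case "$2" in
        *"There aren't any DNS Servers"*) echo unset; return 0 ;;
    esac
    expected=$(printf '%s\n' "$1" | tr -s '[:space:]' '\n' | sed '/^$/d' | sort -u)
    actual=$(printf '%s\n' "$2" | tr -s '[:space:]' '\n' | sed '/^$/d' | sort -u)
    if [ "$actual" = "$expected" ]; then echo ok; else echo drift; fi
}

# Read-only walk over every enabled service on a Mac.
audit_live() {
    networksetup -listallnetworkservices | active_services |
    while IFS= read -r svc; do
        state=$(dns_state "$EXPECTED" "$(networksetup -getdnsservers "$svc")")
        printf '%-28s %s\n' "$svc" "$state"
    done
}

# networksetup exists only on macOS; elsewhere just define the functions.
if command -v networksetup >/dev/null 2>&1; then
    audit_live
fi
```

A service that reports drift because an extra resolver was appended is the case a single-line visual check tends to miss.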

Check the Enforcement Daemon

sudo launchctl list | grep cleanbrowsing

You should see com.cleanbrowsing.dnsenforce listed (and com.cleanbrowsing.dynip for paid accounts).

View the Log

cat /var/log/cleanbrowsing-dns.log

The log shows enforcement events, IP registration (paid accounts), and any errors. Each entry is timestamped.

Test Filtering

Visit cleanbrowsing.org/dnsleaktest to confirm your DNS queries are going through CleanBrowsing. You can also try accessing a site you expect to be blocked — you should see CleanBrowsing's block page instead.

Step 9: Best Practices for Maximum Protection

The DNS Lockdown provides strong protection on its own, but the following practices will make it even harder to bypass:

  • Use a Standard (non-admin) account for daily use. This is the single most important step. If the daily-use account is a Standard account, the user cannot run sudo commands, cannot install or remove system profiles, and cannot modify LaunchDaemons. The lockdown becomes effectively permanent. Create a separate admin account for system maintenance and give the daily-use account Standard privileges (System Settings > Users & Groups > uncheck "Allow this user to administer this computer").
  • Have someone else set the admin password. If you are installing this for yourself to manage an addiction, have a trusted friend, spouse, or accountability partner set the admin account password. This removes the temptation to temporarily unlock the system. You keep the Standard account for daily use — you can still install apps, use your Mac normally — but you cannot modify system-level protections.
  • Disable Terminal access for the Standard account. You can use macOS Parental Controls (Screen Time > Content & Privacy) to restrict access to Terminal and other command-line tools on the Standard account.
  • Block VPN apps. VPNs can tunnel traffic around DNS filtering. If you have a paid CleanBrowsing account, you can block VPN protocols at the DNS level. You can also use Screen Time to restrict VPN app installation.
  • Disable DNS-over-HTTPS in browsers. Some browsers (Firefox, Chrome, Edge) have their own built-in DoH settings that can override system DNS. See our guide on how to disable browser DoH to prevent this bypass.

Step 10: Removal

The macOS DNS Lockdown is designed to be difficult to remove on purpose. This is a deliberate feature, not a limitation — it provides the accountability barrier that makes the tool effective.

If you need to remove the lockdown (for example, if you are decommissioning the Mac or transferring it to a new owner), you must contact CleanBrowsing support to request a removal code:

  • Email support@cleanbrowsing.org and request a removal code.
  • Once you have the code, run the installer script again and select Option 4 (Uninstall).
  • Enter the removal code when prompted.

This process is intentionally manual. The goal is to create a meaningful barrier so that removing the filter is not an impulsive decision but a deliberate, considered action. For parents and accountability partners, this also means the person using the Mac cannot uninstall the protection on their own.
