Chrome & Edge Don't Work with macOS DNS Profiles

Chromium-based browsers (Chrome, Edge, Brave) may ignore DNS settings deployed via .mobileconfig profiles on macOS. Here's why and how to fix it.

Step 1: The Problem

You've deployed CleanBrowsing DNS via a .mobileconfig profile on macOS (either manually or through an MDM like JAMF or Mosyle). Safari and other native apps respect the DNS settings and filtering works correctly.

However, Google Chrome and Microsoft Edge (and other Chromium-based browsers like Brave) seem to bypass the DNS profile entirely. Sites that should be blocked load normally in these browsers.

Step 2: Why It Happens

Chromium-based browsers have a built-in feature called Secure DNS (also known as DNS-over-HTTPS or DoH). When enabled, the browser sends DNS queries directly to a provider like Google or Cloudflare, bypassing the system DNS settings — including your .mobileconfig profile.

This is a privacy feature designed to encrypt DNS queries, but it has the side effect of overriding any DNS filtering configured at the system level.

Key points:

  • Safari uses the system DNS resolver and respects .mobileconfig profiles
  • Chrome/Edge use their own DNS resolver by default (Secure DNS)
  • The browser's Secure DNS takes priority over macOS system DNS settings

Step 3: Fix — Disable Secure DNS in Chrome

Manual (per-user)

  1. Open Chrome and go to chrome://settings/security
  2. Scroll to "Use secure DNS"
  3. Toggle it off

Alternatively, leave Secure DNS on, select "With: Custom" and enter CleanBrowsing's DoH URL:

https://doh.cleanbrowsing.org/doh/family-filter/

Via Command Line (macOS)

defaults write com.google.Chrome DnsOverHttpsMode "off"

For a comprehensive guide on hardening Chrome policies, see How to Secure Google Chrome.

Step 4: Fix — Disable Secure DNS in Edge

Manual (per-user)

  1. Open Edge and go to edge://settings/privacy
  2. Scroll to "Use secure DNS"
  3. Toggle it off, or set it to use CleanBrowsing's DoH URL

Via Command Line (macOS)

defaults write com.microsoft.Edge DnsOverHttpsMode "off"

For more Edge hardening options, see How to Harden Microsoft Edge.

Step 5: Fix — Enterprise Policy (MDM)

If you're deploying CleanBrowsing via MDM (JAMF, Mosyle, Intune), you should also deploy a Chrome/Edge policy profile that disables Secure DNS or points it to CleanBrowsing.

Chrome Managed Policy (plist)

Create a .mobileconfig or plist with:

<key>DnsOverHttpsMode</key>
<string>off</string>

Or to force CleanBrowsing DoH (the mode value is secure, which disables fallback to the system resolver):

<key>DnsOverHttpsMode</key>
<string>secure</string>
<key>DnsOverHttpsTemplates</key>
<string>https://doh.cleanbrowsing.org/doh/family-filter/</string>
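A deployable profile needs payload metadata around those policy keys. The Python script below is an added example, not CleanBrowsing's or the browser vendors' own tooling: it builds one .mobileconfig carrying the same DoH policy for Chrome and Edge, and rejects mode values other than off, automatic and secure, which are the ones the browsers accept. It assumes a profile layout where each payload's type is the browser's preference domain; the com.example.dohpolicy identifier prefix and the output filename are placeholders.

```python
import plistlib
import uuid

# Values Chrome and Edge accept for DnsOverHttpsMode.
VALID_MODES = {"off", "automatic", "secure"}
# Preference domains, as used in the defaults commands on this page.
BROWSER_DOMAINS = ("com.google.Chrome", "com.microsoft.Edge")
# Assumption: placeholder reverse-DNS prefix for payload identifiers.
ORG_PREFIX = "com.example.dohpolicy"


def browser_payload(domain, mode, template=None):
    """Build the managed-preferences payload for one browser domain."""
    if mode not in VALID_MODES:
        raise ValueError(f"DnsOverHttpsMode must be one of {sorted(VALID_MODES)}")
    if mode == "secure" and not template:
        raise ValueError("secure mode requires a DoH template")
    if template and not template.startswith("https://"):
        raise ValueError("DoH templates must be https:// URLs")
    payload = {
        "PayloadType": domain,  # assumed layout: payload type = preference domain
        "PayloadIdentifier": f"{ORG_PREFIX}.{domain}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "DnsOverHttpsMode": mode,
    }
    if template and mode != "off":
        payload["DnsOverHttpsTemplates"] = template
    return payload


def build_profile(mode, template=None):
    """Serialize a profile carrying the same DoH policy for Chrome and Edge."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadDisplayName": "Browser Secure DNS policy",
        "PayloadIdentifier": ORG_PREFIX,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadContent": [browser_payload(d, mode, template) for d in BROWSER_DOMAINS],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    doh = "https://doh.cleanbrowsing.org/doh/family-filter/"  # URL from this page
    with open("browser-doh.mobileconfig", "wb") as fh:
        fh.write(build_profile("secure", doh))
```

Some MDMs wrap custom settings in their own payload format, so check the generated file against your MDM's upload requirements before deploying it.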

Google Workspace Admin Console

If you manage Chrome browsers via Google Workspace, you can set the DNS-over-HTTPS policy from the admin console. See Configure DoH via Google Workspace.

JAMF / Mosyle

For MDM deployment guides, see:

Step 6: Verify It's Working

After disabling Secure DNS or pointing it at CleanBrowsing, verify that Chrome/Edge is now using CleanBrowsing:

  1. Open Chrome or Edge
  2. Visit lookup.cleanbrowsing.org
  3. Confirm it shows your CleanBrowsing filter is active

You can also test by trying to access a domain that should be blocked by your filter. If the block page appears in Chrome/Edge, the fix is working.

For more verification methods, see How to Check If Your Browser Is Using Secure DNS.
