How to Change DNS Settings on Mac for Better Privacy

Hassanain

I never really thought much about DNS settings until I realized my internet provider could see every single website I visited. That was an uncomfortable moment — like finding out someone's been reading over your shoulder for years without you noticing.

DNS, or Domain Name System, is basically the phone book of the internet. When you type "github.com" into your browser, your Mac asks a DNS server "hey, what's the IP address for github.com?" The server responds with something like "140.82.112.3" and your Mac connects to that address. Simple enough, right?

Here's where it gets interesting for privacy though. By default, your Mac uses your internet provider's DNS servers, and they can see every domain you look up. They can't see what you do on those sites if they use HTTPS (which most do these days), but they can see that you visited reddit.com, followed by github.com, then maybe some-embarrassing-domain.com. That's actually a lot of information about your browsing habits.

The good news? Changing your Mac's DNS settings for better privacy is pretty straightforward, and it can significantly reduce how much information you're leaking.

What DNS Servers Can Actually See

Let me be clear about what we're protecting against here. Your DNS provider can see:

  • Every domain you visit (reddit.com, github.com, whatever)
  • When you visit them
  • How often you visit them
  • Your IP address (which roughly identifies your location)

They can't see the specific pages you visit or what you do on those sites. So they know you went to reddit.com, but not which subreddit or which posts you read.

Is this a huge privacy risk? Honestly, it depends on your threat model. For most people, it's probably not the end of the world. But if you're already thinking about privacy (which you are, since you're reading this), DNS is one of those easy wins that costs you nothing and adds a meaningful layer of protection.

Finding Your Current DNS Settings

Before we change anything, let's see what you're currently using. Open Terminal and run:

scutil --dns | grep nameserver

You'll see something like this:

nameserver[0] : 192.168.1.1
nameserver[1] : 8.8.8.8

The first address (192.168.1.1) is probably your router, which forwards requests to your ISP's DNS servers. The second might be Google's public DNS if someone already changed your settings.

You can also check in System Settings, but the command line gives you a clearer picture of what's actually happening.

Privacy-Focused DNS Providers

There are several DNS providers that explicitly don't log your queries or sell your data. The two I'd recommend are Cloudflare and Quad9.

Cloudflare (1.1.1.1)

Cloudflare's DNS service is fast and they have a pretty clear privacy policy. They claim to delete query logs within 24 hours and they don't correlate queries with IP addresses for tracking. Their primary DNS is 1.1.1.1 and secondary is 1.0.0.1.

Quad9 (9.9.9.9)

Quad9 is a bit different — they don't log your IP address at all, and they actively block known malicious domains. So you get privacy plus some basic security filtering. Their primary is 9.9.9.9 and secondary is 149.112.112.112.

I've been using Cloudflare on most of my devices for the past couple years. The performance is solid, and honestly, I trust their privacy stance more than I trust my ISP's. Your mileage may vary depending on which ISP you have.

Changing DNS in System Settings

Here's how to change your Mac's DNS settings through the GUI. Go to System Settings > Network > Wi-Fi > Details (or Details for whatever connection you're using). Click on the DNS tab.

You'll see a list that probably shows your router's IP address. Click the + button and add your preferred DNS servers:

For Cloudflare:

  • 1.1.1.1
  • 1.0.0.1

For Quad9:

  • 9.9.9.9
  • 149.112.112.112

Make sure to remove the old entries by selecting them and clicking the - button. The order matters here — your Mac will try the first server, then fall back to the second if the first doesn't respond.

Configuring DNS via Terminal

If you prefer the command line (and honestly, sometimes it's just faster), you can configure DNS using networksetup. First, list your network services:

networksetup -listallnetworkservices

You'll see something like "Wi-Fi" or "Ethernet". Then set your DNS servers:

networksetup -setdnsservers "Wi-Fi" 1.1.1.1 1.0.0.1

Replace "Wi-Fi" with whatever network service you're using. To verify it worked:

networksetup -getdnsservers "Wi-Fi"

DNS over HTTPS (DoH)

Here's where things get more interesting. Traditional DNS queries are sent in plain text, which means anyone between you and the DNS server can see them: your ISP, the owner of your coffee shop's Wi-Fi, whoever.

DNS over HTTPS encrypts your DNS queries, which is obviously better for privacy. The catch? macOS doesn't have built-in DoH support in System Settings. You need a third-party tool or browser configuration.

Some browsers like Firefox and Chrome can be configured to use DoH directly. In Firefox, go to Settings > General > Network Settings > Settings, then check "Enable DNS over HTTPS" and pick a provider.

For system-wide DoH, you'd need something like cloudflared (Cloudflare's daemon) or dnscrypt-proxy. These require a bit more setup, but they encrypt all DNS traffic from your Mac.

To be honest, configuring system-wide DoH is probably overkill for most people. If you're using privacy-focused DNS servers and browsing mostly HTTPS sites, you're already in pretty good shape.

Testing Your New DNS Configuration

After changing your DNS servers, you'll want to verify everything's working. Try this:

nslookup google.com

You should see your new DNS server listed in the response. You can also use online tools like dnsleaktest.com to confirm your DNS queries are going where you think they are.

I've seen cases where macOS caches the old DNS settings for a while. If you're still seeing your old DNS servers in tests, try flushing the DNS cache:

sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder

Per-App DNS Settings

Here's something most people don't know: some apps handle DNS differently. Apps with extensive network permissions might use their own DNS resolution or ignore your system settings entirely.

This is actually one of those privacy gaps I was talking about earlier. You can configure your system DNS perfectly, but if an app decides to use its own DNS-over-HTTPS to Google or Cloudflare, your system settings won't apply.

There's not much you can do about this without more advanced network monitoring. Tools like Little Snitch can show you what DNS queries apps are making, but that's getting into pretty advanced territory.

Router vs. Device DNS Settings

Quick note about where to configure DNS. You can set it on your router (affecting all devices on your network) or on individual devices like your Mac.

I prefer setting it on the router because it covers everything — your Mac, your phone, smart home devices, whatever. But if you don't control your router (like at work or on public Wi-Fi), device-level settings are your only option.

Router configuration varies by manufacturer, but it's usually under "Internet" or "WAN" settings. Look for "DNS Server" or "Domain Name Server" options.

Mobile Considerations

If you're thinking about privacy holistically, don't forget about your iPhone or iPad. iOS has similar DNS settings under Settings > Wi-Fi > [network name] > Configure DNS.

You can also use DNS profiles that configure multiple networks at once. Cloudflare and Quad9 both provide configuration profiles you can download and install.

Limitations and Honest Caveats

Let me be straight about what changing DNS doesn't do. It doesn't hide your browsing from your ISP if sites use plain HTTP (though most don't anymore). It doesn't protect you from tracking cookies, fingerprinting, or any of the other ways websites identify you.

It's also worth noting that you're essentially moving trust from your ISP to another company. Cloudflare and Quad9 have good privacy policies, but you're still trusting them with information about your browsing habits.

If you're on a corporate network, changing DNS might break internal services that depend on your company's DNS servers. In some cases, it might even violate IT policies.

And honestly? If you're worried enough about privacy to change DNS settings, you should probably also be thinking about which apps have access to your data and what they're doing with it. DNS is just one piece of a much larger privacy puzzle.

Performance Considerations

Different DNS providers have different performance characteristics. Cloudflare is generally very fast because they have servers all over the world. Quad9 might be slightly slower in some regions but offers the malware blocking feature.

You can test DNS performance with tools like namebench or just by browsing normally and seeing if pages load quickly. If you notice slowdowns after changing DNS, try a different provider or go back to your ISP's servers.

In my experience, both Cloudflare and Quad9 are faster than most ISP DNS servers, but your results might vary depending on your location and ISP.

Monitoring Your DNS Configuration

Once you've configured privacy-focused DNS, you might want to monitor that it stays configured correctly. I've seen macOS revert DNS settings after software updates or when connecting to certain networks.

This is actually one of the things we built CoreLock to handle — monitoring system configuration changes that might affect your privacy. It's not just about app permissions; it's about making sure your privacy settings stay the way you configured them.

The command line approach I showed earlier (networksetup -getdnsservers) is perfect for checking your configuration periodically. You could even set up a simple script to alert you if your DNS servers change unexpectedly.
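
One way to write the alerting script mentioned above, as an added example (not the author's or CoreLock's code). It assumes the Cloudflare pair as the expected servers and a hypothetical file name, dns-drift.sh; the function names are illustrative.

```shell
#!/bin/sh
# Added example: alert when manually set DNS servers drift from what you chose.
# EXPECTED_DNS is an assumption (the Cloudflare pair); order matters, because
# the first server is tried first.
EXPECTED_DNS="${EXPECTED_DNS:-1.1.1.1 1.0.0.1}"

# Collapse `networksetup -getdnsservers` output (one address per line) into
# one space-separated string. With no manual servers the tool prints a
# sentence instead of addresses; report that as "dhcp-assigned".
normalize_dns() {
    case "$1" in
        *"any DNS Servers set"*) echo "dhcp-assigned"; return 0 ;;
    esac
    set -f            # no globbing while we word-split
    set -- $1         # unquoted on purpose: splits on spaces and newlines
    set +f
    echo "$*"
}

# Compare one service's raw output with EXPECTED_DNS.
# Prints a DRIFT line and returns 1 on mismatch.
check_service() {
    service=$1
    actual=$(normalize_dns "$2")
    [ "$actual" = "$EXPECTED_DNS" ] && return 0
    echo "DRIFT: $service uses [$actual], expected [$EXPECTED_DNS]"
    return 1
}

# Check every enabled service. The first line of -listallnetworkservices is
# an explanatory header and disabled services start with "*"; skip both.
check_all_services() {
    status=0
    services=$(networksetup -listallnetworkservices | sed 1d | grep -v '^\*')
    while IFS= read -r svc; do
        raw=$(networksetup -getdnsservers "$svc" </dev/null)
        check_service "$svc" "$raw" || status=1
    done <<EOF
$services
EOF
    return $status
}

# Only touch the system when asked to, e.g. `sh dns-drift.sh --check`.
if [ "${1:-}" = "--check" ]; then
    check_all_services || exit 1
fi
```

Services you never configured by hand show up as dhcp-assigned, which is exactly the state a reverted setting falls back to. The non-zero exit status lets whatever schedules the script raise the alert.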

Changing your Mac's DNS settings is one of those simple changes that meaningfully improves your privacy posture without much effort. It's not going to make you invisible online, but it does reduce the amount of information you're sharing with your ISP and potentially improves your security if you choose a provider like Quad9 that blocks malicious domains.

The setup takes maybe five minutes, and once it's done, you don't really need to think about it again. That's my kind of privacy improvement — effective and low-maintenance.
