This setup allows you to block domains locally on macOS using dnsmasq
and enforce it system-wide with a DNS configuration profile.
Features:

- Fast local DNS resolution with `dnsmasq`
- Easily block thousands of domains
- System-wide DNS routing to `127.0.0.1` using a `.mobileconfig` profile
- Survives reboots via `launchctl`
- Works with Safari (even with preconnect/caching bypassed)
Requirements:

- macOS (tested on Ventura & Sequoia)
- Homebrew
```bash
brew install dnsmasq
sudo mkdir -p /opt/homebrew/etc/
touch /opt/homebrew/etc/dnsmasq.conf
touch /opt/homebrew/etc/hosts-blocklist
```
Put the following in `/opt/homebrew/etc/dnsmasq.conf`:

```conf
listen-address=127.0.0.1
port=53
# Your blocklist of domains
addn-hosts=/opt/homebrew/etc/hosts-blocklist
# Fallback DNS
server=1.1.1.1
```
Example: `/opt/homebrew/etc/hosts-blocklist`

```
0.0.0.0 1bet.com
0.0.0.0 www.1bet.com
```
You can add as many domains as you want.
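The blocklist above lists both the apex and the `www.` form of each domain by hand. As an added example (not one of this setup's own files), this POSIX shell function turns a plain list of domains into that `addn-hosts` format: it normalises case and trailing dots, rejects malformed names, and emits both forms with duplicates removed.

```bash
#!/bin/sh
# Build a dnsmasq addn-hosts blocklist from a plain domain list (stdin).
# Constructed helper for this guide, not part of dnsmasq itself.
# Input: one domain per line; '#' comments and blank lines are allowed.
# Output: "0.0.0.0 <domain>" plus "0.0.0.0 www.<domain>", deduplicated.

# Lowercase, trim whitespace, drop a trailing dot and a leading "www."
# so both forms can be emitted from a single apex name.
normalize_domain() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
          -e 's/\.$//' -e 's/^www\.//'
}

# Accept only plausible hostnames: labels of [a-z0-9-], at least one dot.
is_valid_domain() {
  printf '%s' "$1" \
    | grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9]([a-z0-9-]*[a-z0-9])?$'
}

# Read domains from stdin, write hosts-blocklist lines to stdout.
# Invalid entries are reported on stderr and skipped rather than written,
# since a bad line in addn-hosts is silently ignored by dnsmasq.
build_blocklist() {
  while IFS= read -r line || [ -n "$line" ]; do
    line="${line%%#*}"                      # strip comments
    d=$(normalize_domain "$line")
    [ -z "$d" ] && continue                 # blank or comment-only line
    if ! is_valid_domain "$d"; then
      printf 'skipping invalid entry: %s\n' "$line" >&2
      continue
    fi
    printf '0.0.0.0 %s\n0.0.0.0 www.%s\n' "$d" "$d"
  done | awk '!seen[$0]++'                  # keep first occurrence only
}
```

Run it as `build_blocklist < domains.txt > /opt/homebrew/etc/hosts-blocklist`, then restart dnsmasq (for example `sudo launchctl kickstart -k system/homebrew.mxcl.dnsmasq`) so it re-reads the file.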
Test the configuration:

```bash
sudo /opt/homebrew/sbin/dnsmasq --test
```

Should return `syntax check OK`.
Save this as `/Library/LaunchDaemons/homebrew.mxcl.dnsmasq.plist`:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>homebrew.mxcl.dnsmasq</string>
<key>ProgramArguments</key>
<array>
<string>/opt/homebrew/sbin/dnsmasq</string>
<string>--keep-in-foreground</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>KeepAlive</key>
<true/>
<key>StandardErrorPath</key>
<string>/var/log/dnsmasq.log</string>
<key>StandardOutPath</key>
<string>/var/log/dnsmasq.log</string>
</dict>
</plist>
```
Fix permissions:

```bash
sudo chown root:wheel /Library/LaunchDaemons/homebrew.mxcl.dnsmasq.plist
sudo chmod 644 /Library/LaunchDaemons/homebrew.mxcl.dnsmasq.plist
```

Then enable:

```bash
sudo launchctl bootstrap system /Library/LaunchDaemons/homebrew.mxcl.dnsmasq.plist
```
Create a profile like `local-dns.mobileconfig` with this content:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>PayloadContent</key>
<array>
<dict>
<key>PayloadType</key>
<string>com.apple.dnsSettings.managed</string>
<key>PayloadIdentifier</key>
<string>com.yourorg.localdns</string>
<key>PayloadUUID</key>
<string>3A7D7D2A-DF60-4D0A-9153-AB59A2216F99</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadDisplayName</key>
<string>Local DNS Profile</string>
<key>DNSSettings</key>
<dict>
<key>DNS</key>
<dict>
<key>ServerAddresses</key>
<array>
<string>127.0.0.1</string>
</array>
</dict>
</dict>
</dict>
</array>
<key>PayloadDisplayName</key>
<string>Local DNS Enforcer</string>
<key>PayloadIdentifier</key>
<string>com.yourorg.localdnsprofile</string>
<key>PayloadRemovalDisallowed</key>
<false/>
<key>PayloadType</key>
<string>Configuration</string>
<key>PayloadUUID</key>
<string>0CB59DB1-2916-4F29-89A6-CF3F6BEFC5C2</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>
</plist>
```
1. Copy it to your desktop.
2. Open System Settings → Privacy & Security → Profiles
3. Drag and drop the `.mobileconfig` file into the window.
4. Click Install
Test it:

```bash
dig 1bet.com @127.0.0.1
```

Should return:

```
1bet.com. 0 IN A 0.0.0.0
```
Now check Safari or Firefox. If you still reach the site:

- Disable iCloud Private Relay
- In Firefox: disable "DNS over SOCKS5"
- Clear all browser DNS/cache
- Ensure `scutil --dns` shows only `127.0.0.1`
You now have a fully local DNS blocker running at OS level.
To uninstall:

```bash
sudo launchctl bootout system /Library/LaunchDaemons/homebrew.mxcl.dnsmasq.plist
sudo rm /Library/LaunchDaemons/homebrew.mxcl.dnsmasq.plist
sudo brew uninstall dnsmasq
```

Delete the configuration profile from System Settings → Profiles