MacOS hijacks the DNS settings?!

Started by bread, November 20, 2024, 02:59:19 PM

Hi,
I have some hardware within my network, which is working fine with adguard... BUT the fu... Mac doesn't want to do this.
I set the DNS for the network connection and it just ignores it in some kind of strange way. I see some connections of the Mac within adguard, but it doesn't block for example facebook (all other machines get blocked!). I don't even see a connection to facebook from the Mac, BUT I see some to dns10.quad9! So MacOS seems to hijack the DNS settings and just use some DNS setting of its own. AND I find no setting for that within MacOS.

I know, the best solution would be just to throw the Mac out of the window, but this is not an option in that case. I need it for some special tasks.

Are there some solutions for that kind of problem? I suppose just blocking quad would be no solution, for I suppose MacOS has set several of its own DNS entries.

cheers
bread

"Private browsing" at work.

What I do to (mostly) prevent any mechanism like this - Apple is not alone - is this:

- deploy AdGuard Home - check
- give client devices AGH as their resolver via DHCP - check
- now block all outbound DNS and DoT requests that are not directed at AGH on my OPNsense [1]
- and last add HaGeZi's Encrypted DNS/VPN/TOR/Proxy Bypass list to AGH - that mostly blocks DoH

[1]

Floating rule:

Action: block
Protocol: TCP/UDP
Source: any
Destination: ! This Firewall
Destination port: 53 and 853 (create an alias for that so it fits in one rule)

Done.

You will find lots of blocked requests for e.g.

- mask.icloud.com
- mask-h2.icloud.com
- ...

in your AGH dashboard afterwards.

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I had this workaround within my ipfire access point for some other reasons. Sure, this would be the solution, thanks!

I suppose I need the floating rule for each interface on which I use such f... devices. So one for LAN and one for WLAN in my case.


Floating means exactly for all interfaces - that's the point. You *can* limit the interfaces in the rule, but then why not just place the rules directly on the interfaces instead of using a floating one?

Why would you permit any device to query outside DNS servers? If I need to debug things I can SSH directly to my OPNsense and use "drill" there.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

November 20, 2024, 03:37:02 PM #4 Last Edit: November 20, 2024, 03:41:56 PM by bread
ah, so I just select no interface for this rule?

The strange behaviour from MacOS now is that the request from my MacOS to facebook.com is shown as blocked within adguard, but I can still reach it within Mac :D

I tested the rule and it works, but, as it seems, not for MacOS

Quote from: bread on November 20, 2024, 03:37:02 PM
ah, so I just select no interface for this rule?

Yes - that implies global application of the rule.

Quote from: bread on November 20, 2024, 03:37:02 PM
The strange behaviour from MacOS now is that the request from my MacOS to facebook.com is shown as blocked within adguard, but I can still reach it within Mac :D

I tested the rule and it works, but, as it seems, not for MacOS

Cache?

Also the "outside DNS block" only works if you also activate the DoH block list in AGH - see my first post.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

November 20, 2024, 03:46:07 PM #6 Last Edit: November 20, 2024, 04:02:54 PM by bread
ah, now it seems to work!
I suppose it was some cache.

Thanks!

But I'm still wondering about the Mac behaviour. Not really wondering, because surely it doesn't like to use DNS blockers, but it's rather bold just to make some DNS settings that you cannot reach as a user!

Interesting that the MacOS wants to contact avast.com all the time (I have no avast installed!)... avast and quad, all the time.

Go to System Settings, click on your name at the top in the left menu bar, click on iCloud, look for "Privacy Relay", disable.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Things to remember are to block all ports 53 and 853 from the LAN that do not target the LAN iface on which the local DNS runs, so that nothing and nobody from the LAN could use external DNS servers over DNS or secure DNS. But then there is the HTTP DNS backdoor, for which it is only possible to block the specific sites that the violating devices try to leverage.
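As an added example (not code from this thread or from OPNsense/AdGuard Home), the following models the two layers described in Patrick's first post and in the reply above: the floating rule that only sees ports 53/853, and the adblock-syntax bypass list that has to catch DoH endpoints on 443. Function names, firewall addresses and list entries are assumptions constructed for the example.

```python
"""Added example, not code from the thread. Models the two-layer defence described
above: (1) the OPNsense floating rule that blocks TCP/UDP to ports 53/853 unless the
destination is the firewall itself, and (2) an AdGuard Home blocklist in adblock
syntax (||host^) that catches DoH endpoints the port rule never sees, because DoH
rides on 443. All addresses and list entries below are constructed sample data."""
from ipaddress import ip_address

# "This Firewall" in the floating rule: the firewall's own LAN/WLAN addresses (constructed).
FIREWALL_ADDRS = {ip_address("192.168.1.1"), ip_address("192.168.2.1")}
DNS_PORTS = {53, 853}  # the port alias: plain DNS and DNS-over-TLS

def floating_rule_blocks(proto: str, dst_ip: str, dst_port: int) -> bool:
    """True if the floating rule drops this flow (assumed function name)."""
    if proto.upper() not in ("TCP", "UDP") or dst_port not in DNS_PORTS:
        return False  # e.g. DoH on 443 passes this rule untouched
    return ip_address(dst_ip) not in FIREWALL_ADDRS

# Constructed blocklist in AdGuard Home (adblock) syntax, in the style of the
# "Encrypted DNS/VPN/TOR/Proxy Bypass" list mentioned in the post.
BYPASS_LIST = """
! comment line
||mask.icloud.com^
||mask-h2.icloud.com^
||doh.resolver.example^
@@||keep.mask.icloud.com^
""".strip().splitlines()

def load_rules(lines):
    """Split ||host^ block rules and @@||host^ exception rules into two sets."""
    block, allow = set(), set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        target = allow if line.startswith("@@") else block
        target.add(line.lstrip("@").removeprefix("||").rstrip("^").lower())
    return block, allow

def host_matches(qname: str, rules) -> bool:
    """||host^ matches the host itself and every subdomain of it."""
    q = qname.lower().rstrip(".")
    return any(q == r or q.endswith("." + r) for r in rules)

def doh_list_blocks(qname: str) -> bool:
    """True if AGH would filter this query name under BYPASS_LIST."""
    block, allow = load_rules(BYPASS_LIST)
    return host_matches(qname, block) and not host_matches(qname, allow)
```

The DoH flow on 443 passing `floating_rule_blocks` while `mask.icloud.com` is caught by `doh_list_blocks` is exactly why the thread says the port rule only works together with the AGH list.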