The Ultimate Guide to Enforcing a dnsmasq Allowlist on macOS

Most content filters are easy to bypass. They're browser extensions, apps you can force-quit, or DNS settings you can change in 30 seconds. If you're looking for a truly robust solution, you need to lock down your system at the DNS level in a way that can't be impulsively changed.

This guide will show you how to set up dnsmasq, a powerful open-source DNS server, on your macOS device to act as an "allowlist" filter. When combined with proper user account security, this setup is incredibly difficult to bypass.

What is Dnsmasq?

Dnsmasq is a lightweight, open-source DNS forwarder. For our purposes, we'll configure it to be the *only* thing on your Mac that can look up website addresses. Here's how it works:

  • Your computer will be set to use 127.0.0.1 (itself) for all DNS.
  • Dnsmasq runs locally and intercepts every request.
  • It first checks a local list of "safe" domains (our allowlist).
  • If the domain (e.g., google.com) is on the Durvex Allowlist, dnsmasq forwards the request to a real, family-safe DNS server (like CleanBrowsing).
  • If the domain (e.g., badsitex.com) is not on the list, dnsmasq blocks it.

It's fast, efficient, and since it's open-source, it's completely transparent. You can find its official project page here.

The Core Concept: Real Enforcement

This entire setup is useless if you can just turn it off. The "enforcement" part doesn't come from dnsmasq itself, but from how you manage your Mac.

  • Standard Account: Your everyday user account. This account must NOT have administrator privileges. This is critical. It prevents you from changing network settings or stopping services that require sudo.
  • Admin Account: A completely separate account on your Mac. This is the *only* account that can use sudo and manage the system.
  • The "Lockbox": Do not memorize the admin account's password. Store it in a time-delayed lockbox. This can be a physical safe with a timer, or a digital service. This friction is the *real* filter; it makes it impossible to impulsively bypass the system.

Step-by-Step Installation & Setup

Log in to your Admin Account to perform these steps.

Step 1: Install Homebrew

Homebrew is a package manager for macOS. If you don't have it, open Terminal and run this command:

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

Step 2: Install Dnsmasq

With Homebrew installed, run:

brew install dnsmasq

Step 3: Get the Allowlist

We need to download the Durvex Allowlist in the correct format. We'll create a shared folder to store it.

First, create the folder:

sudo mkdir -p /etc/dnsmasq.lists

Now, download the list into that folder:

sudo curl -L "https://durvex.com/allowlist.php?format=dnsmasq" -o /etc/dnsmasq.lists/durvex-allowlist.conf

Step 4: Configure Dnsmasq

We need to edit the dnsmasq.conf file. The location depends on your Mac:

  • Apple Silicon (M1/M2/M3): /opt/homebrew/etc/dnsmasq.conf
  • Intel Macs: /usr/local/etc/dnsmasq.conf

Open the file with a terminal editor (this example uses nano and the Apple Silicon path; substitute the Intel path if that is your Mac):

sudo nano /opt/homebrew/etc/dnsmasq.conf

Delete everything in that file and paste in the following configuration:

# Do not read /etc/resolv.conf
no-resolv

# Use CleanBrowsing as the upstream (safe) DNS server
server=185.228.168.168
server=185.228.169.168

# Load our allowlist.
conf-file=/etc/dnsmasq.lists/durvex-allowlist.conf

# Reject every domain the allowlist does not cover by answering 0.0.0.0.
# dnsmasq applies the most specific matching domain rule, so the allowlist
# entries still win over this catch-all regardless of where it appears.
address=/#/0.0.0.0

Save the file (in nano, press Ctrl+O, then Enter, then Ctrl+X to quit).
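Before switching the system resolver over, it helps to dry-run the configuration offline. The following is an added example, not part of this guide, dnsmasq, or Durvex: it reproduces dnsmasq's most-specific-domain matching for the server= and address= directives used above and flags the omissions that would quietly leave you with no filter. The allowlist lines in it are a constructed stand-in, assuming the downloaded file consists of server=/domain/... entries.

```python
# Added example (not from the guide): dry-run dnsmasq's domain matching offline.
def parse(text):
    """Collect default upstreams, /domain/ rules and no-resolv from config text."""
    defaults, rules, flags = [], [], set()
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#"):      # whole-line comments only
            continue
        if line == "no-resolv":
            flags.add(line)
        elif line.startswith("server=") and not line.startswith("server=/"):
            defaults.append(line[7:])             # upstream for unmatched names
        elif line.startswith(("server=/", "address=/")):
            key, val = line.split("=", 1)
            parts = val.split("/")                # "/dom1/dom2/target"
            rules += [(d.lower(), key, parts[-1], line) for d in parts[1:-1]]
    return defaults, rules, flags

def resolve(name, defaults, rules):
    """Return (action, target, rule) for a query; the most specific rule wins."""
    name = name.lower().rstrip(".")
    hits = [r for r in rules if r[0] == "#" or name == r[0]
            or name.endswith("." + r[0])]         # label-boundary suffix match
    hits = hits or [("#", "server", "#", "default server")]  # nothing matched
    # More labels = more specific, "#" lowest; address-over-server tie-break is this script's choice.
    dom, kind, target, line = max(hits, key=lambda r: (
        0 if r[0] == "#" else r[0].count(".") + 1, r[1] == "address"))
    if kind == "address":
        return ("block" if target in ("0.0.0.0", "::") else "answer", target, line)
    target = ",".join(defaults) if target == "#" else target  # "#" = use defaults
    return ("forward", target, line) if target else ("nxdomain", "", line)

def audit(defaults, rules, flags):
    """Flag omissions that silently turn the allowlist into no filter at all."""
    problems = []
    if "no-resolv" not in flags:
        problems.append("no-resolv missing: resolv.conf servers become upstreams")
    if not any(r[0] == "#" and r[1] == "address" for r in rules):
        problems.append("no address=/#/ catch-all: unlisted domains still resolve")
    if not defaults and any(r[2] == "#" for r in rules):
        problems.append("server=/domain/# used but no default server= configured")
    return problems

MAIN_CONF = "no-resolv\nserver=185.228.168.168\nserver=185.228.169.168\naddress=/#/0.0.0.0"
ALLOWLIST = "server=/google.com/#\nserver=/wikipedia.org/185.228.168.168"  # constructed
if __name__ == "__main__":
    d, r, f = parse(MAIN_CONF + "\n" + ALLOWLIST)
    for q in ("mail.google.com", "notgoogle.com", "badsitex.com"):
        print(q, "->", resolve(q, d, r))
    print("problems:", audit(d, r, f))
```

To check the real files, pass the contents of dnsmasq.conf and the downloaded allowlist to parse() instead of the constructed strings.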

Step 5: Enforce Dnsmasq System-Wide

First, start dnsmasq as a background service that automatically runs on startup:

sudo brew services start dnsmasq

Finally, go to System Settings > Network. Click on your active connection (e.g., Wi-Fi) and then Details...

Go to the DNS tab. Delete any existing servers and add only 127.0.0.1. Click OK.

You're Done

That's it. Log out of your Admin account and log back into your Standard account. All DNS lookups on your Mac are now forced through dnsmasq. You will be unable to change the network settings or stop the dnsmasq service.

To make any changes, you now have to intentionally log into the Admin account, which requires the password from your lockbox. This friction is the barrier that makes the filter effective.