macOS – Alternate DNS resolution for Safari on macOS

Tags: dns, macos, network, safari

I use a Pihole on my network to provide local DNS service to block ads and various websites. I've noticed recently (maybe since Mojave) that Safari seems to bypass this. The Pihole device also functions as my DHCP server, and is configured to broadcast to clients that they should use its IP as the DNS server.

  • Running nslookup from the console indicates that the OS knows that the Pihole's IP is its DNS server.
  • Looking up known advertising domains via nslookup properly returns the Pihole's IP address (indicating that an ad coming from there would be blocked).
  • In the Network preferences pane, under DNS for the network interface, the Pihole's IP address is shown under DNS Servers.
  • Other web browsers (Chrome & Firefox) on the same MacBook Pro do not display the ads that Safari displays.
  • I have outbound port 53 blocked at my router for any device but the Pihole – switching nslookup's server to 8.8.8.8 (Google DNS) results in a connection timeout (which I'd expect with the outbound port blocked).
  • No other device on my network exhibits this behavior – including iOS devices.

networksetup -getdnsservers Wi-Fi reports "There aren't any DNS Servers set on Wi-Fi." If I manually set it via networksetup -setdnsservers Wi-Fi 192.168.1.22 the situation gets better but Safari's behavior still doesn't match Chrome's. And that's not really a viable solution long-term as I'll have to unset it every time I leave my home network.

Does Safari have some other means of doing DNS lookups that's hidden? How could it be bypassing DNS settings?

Best Answer

It sounds like you've done a pretty good job of covering all of your bases... as far as IPv4 is concerned. Maybe it's IPv6 that's causing you headaches? I believe that disabling IPv6 on the connection will fix the problem. IIRC IPv6 can autoconfigure itself without DHCP. If the rest of your network works with IPv6 then the queries could still be working over IPv6.
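Added example, not part of the original question or answer: a way to check the IPv6 theory by listing every resolver macOS is actually using, since `networksetup -getdnsservers` only reports manually configured servers. It assumes the standard `scutil --dns` output layout; the sample output and the address `fd00:1234::1` are constructed, and `unexpected_resolvers` is a hypothetical helper name.

```shell
#!/bin/sh
# Expected resolver: the Pi-hole address given in the question.
PIHOLE="192.168.1.22"

# Constructed, abridged sample of `scutil --dns` output (not from a real host).
sample_scutil_output() {
cat <<'EOF'
DNS configuration

resolver #1
  nameserver[0] : 192.168.1.22
  nameserver[1] : fd00:1234::1
  if_index : 6 (en0)
  flags    : Request A records, Request AAAA records

resolver #2
  domain   : local
  options  : mdns

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 192.168.1.22
  nameserver[1] : fd00:1234::1
  if_index : 6 (en0)
  flags    : Scoped, Request A records, Request AAAA records
EOF
}

# Read `scutil --dns` output on stdin and print each distinct nameserver that
# is not the expected one, tagged with its address family.
unexpected_resolvers() {
  expected="$1"
  awk -v want="$expected" '
    $1 ~ /^nameserver\[[0-9]+\]$/ && $2 == ":" {
      addr = $3
      if (addr == want || seen[addr]++) next   # skip Pi-hole and repeats
      fam = (index(addr, ":") > 0) ? "IPv6" : "IPv4"
      print fam, addr
    }'
}

# On a Mac, inspect the live configuration; elsewhere use the sample.
if command -v scutil >/dev/null 2>&1; then
  scutil --dns | unexpected_resolvers "$PIHOLE"
else
  sample_scutil_output | unexpected_resolvers "$PIHOLE"
fi
```

Empty output means the Pi-hole is the only configured resolver; any line printed is an additional server that queries can reach without passing through it.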