Override router provided DNS settings?

I would like to specify two default DNS servers that always take priority over the ones assigned to me by the router on whatever network I connect to.

User uploaded file

This appears under my AirPort settings. As I understand it, the gray entries are provided to me by my router. (This changes to 10.1.1.5 when I am at school.) The black entries are self defined, but due to my inability to drag them ABOVE the gray entries, I am under the impression that I am unable to override the default DNS server for whichever network I am currently connected to.

Is my "problem" just a failure to understand how networking in OS X works? In any case, I do NOT want to use the DNS servers assigned to me. I ALWAYS want to use OpenDNS. Is there any way I can do this?

Thanks

Mac Pro (Early 2008), Macbook Air, Mac OS X (10.5.5), All pertinent updates and patches applied

Posted on Oct 22, 2008 1:25 PM

8 replies

Oct 22, 2008 2:44 PM in response to michael.h21

Look in /etc/resolv.conf

The order that the DNS addresses are specified in /etc/resolv.conf is the order that they are searched. Only the first 3 are searched.

It has been my experience that when I add DNS servers via System Preferences -> Network, my entries get listed first in /etc/resolv.conf.

NOTE: If you update /etc/resolv.conf, this will only last until the next time the networking software updates them, which might be the next time you get a DHCP addresses and the router provides its DNS servers.

Oct 22, 2008 2:57 PM in response to michael.h21

1 - the DNS servers assigned to you by the router are the OpenDNS servers and are identical to the ones you put in yourself

As a general answer, log into your router administration page and tell the router to use the OpenDNS servers (208.67.222.222 & 208.67.220.220), and everyone using that router will use those DNS servers.

I'm at the office on a PC right now so cannot look, but I believe that the order is bottom up on the list you showed - check and see.

LN


Oct 22, 2008 2:57 PM in response to michael.h21

There's really a security issue here. Arguably, nobody should be able to override the settings passed via DHCP because those settings presumably are best for your network. Your network administrator might use DNS to block or redirect some addresses, or provide inside "local" addresses (i.e. 192.168.x.x) that your outside DNS server doesn't supply, so the wrong DNS server will break things. A malicious DNS server entry can direct your traffic somewhere entirely unexpected and be a major security hole.

Of course the most obvious solution is to manually set up the network port and put in whatever servers you want. We lock down the machines on our network to prevent that for the reasons above.

Oct 22, 2008 3:27 PM in response to direwolf8

direwolf8 wrote:
There's really a security issue here. Arguably, nobody should be able to override the settings passed via DHCP because those settings presumably are best for your network. Your network administrator might use DNS to block or redirect some addresses, or provide inside "local" addresses (i.e. 192.168.x.x) that your outside DNS server doesn't supply, so the wrong DNS server will break things. A malicious DNS server entry can direct your traffic somewhere entirely unexpected and be a major security hole.


True, but it should be the responsibility of your network's administrator to block such things.

Users can specify any DNS server they want; it's up to your network admin to block port 53 to other sites.

That having been said, you can simply add your own DNS servers to your Network preference pane's DNS sheet; manually specified DNS servers override any provided by your router via DHCP, despite the fact that they appear above the addresses you specify in the preference pane (though in grey).

Oct 22, 2008 3:47 PM in response to direwolf8

Security issue? Doubtful. Assuming I know what a DNS server is, and assuming I want to subvert a slow DNS server at my school, I should be able to do whatever I want.

If you have people using these machines in an unsecured environment, maybe you should set them up with a standard (non-admin) user account. Authentication will be required to change any Network settings.

Your network administrator might use DNS to block or redirect some addresses, or provide inside "local" addresses (i.e. 192.168.x.x) that your outside DNS server doesn't supply


192.168.x.x is ALWAYS a local address. This cannot be changed or subverted through DNS. In fact, 10.0.0.0 – 10.255.255.255, 172.16.0.0 – 172.31.255.255, and 192.168.0.0 – 192.168.255.255 are always private addresses.

Oct 22, 2008 3:46 PM in response to BobHarris

Thanks. I think the main problem here is confusing UI design. On Windows, (forgive me) it's very simple to specify a user-defined DNS server.

When I have 10.1.1.5 (school DNS) in gray at the top, and my OpenDNS entries in black at the bottom, the assumption is that since the entries within the field are draggable, the system will try the addresses at the top first. This appears to the end user that the system is using the DHCP defined DNS addresses as default instead of the user-defined DNS, since nothing can be dragged above the DHCP defined DNS. There is no clear way to tell OS X that I want to use only my custom DNS entries.

Hopefully this will be fixed in Snow Leopard 🙂

Oct 22, 2008 5:03 PM in response to michael.h21

There is no clear way to tell OS X that I want to use only my custom DNS entries.

Generally speaking the 1st DNS entry is the most important, as it is generally 30 seconds before DNS times out and tries the 2nd entry.

So as long as your entries are at the top of the /etc/resolv.conf list, you are golden. It really doesn't matter what the other entries are as long as your first entry works.

In addition, the DNS resolver really only tries the first 3 entries, so if you want to starve out the DHCP provided entries, just make sure you provide at least 3 of your own, even if you duplicate entries.
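The two points made in this thread about /etc/resolv.conf (that entries are tried in file order and that only the first three nameserver lines count) are easy to check rather than guess at. The script below is an added example, not something posted in the thread or shipped by Apple: it parses a resolv.conf-style file, reports the three resolvers that would actually be consulted, and tells you whether your intended servers (here the OpenDNS addresses from the thread) are among them and which one answers first. The sample file it reads is constructed inline to mirror the original poster's situation (school resolver 10.1.1.5 ahead of the OpenDNS entries); the file path and the trailing 192.0.2.53 entry are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): show which nameservers a resolv.conf
# file would actually use, assuming the thread's description of the resolver
# (entries tried in order, only the first three consulted).

# Print the first N (default 3) "nameserver" addresses from file $1, in order.
effective_resolvers() {
    file="$1"
    limit="${2:-3}"
    # keep only nameserver lines, take the address field, stop after $limit
    awk -v limit="$limit" '$1 == "nameserver" && n < limit { print $2; n++ }' "$file"
}

# Return 0 if every address in the space-separated list $2 is among the
# effective resolvers of file $1, 1 otherwise.
expected_in_effect() {
    file="$1"
    expected="$2"
    actual="$(effective_resolvers "$file")"
    for addr in $expected; do
        echo "$actual" | grep -qx "$addr" || return 1
    done
    return 0
}

# Print the single resolver that receives the first query.
first_resolver() {
    effective_resolvers "$1" 1
}

# Constructed sample matching the thread: the DHCP-provided school resolver
# (10.1.1.5) is listed ahead of the user's OpenDNS entries. Not a real file.
SAMPLE="${TMPDIR:-/tmp}/resolv.conf.example.$$"
cat > "$SAMPLE" <<'EOF'
# constructed example, not a real system file
domain example.edu
nameserver 10.1.1.5
nameserver 208.67.222.222
nameserver 208.67.220.220
nameserver 192.0.2.53
EOF

echo "Resolvers actually consulted (first three, in order):"
effective_resolvers "$SAMPLE"
if expected_in_effect "$SAMPLE" "208.67.222.222 208.67.220.220"; then
    echo "OpenDNS entries are within the first three; they are used only after 10.1.1.5 fails."
fi
echo "First resolver tried: $(first_resolver "$SAMPLE")"
rm -f "$SAMPLE"
```

Run it against the real file with `effective_resolvers /etc/resolv.conf` to see what the current network has left you with; if the first line is not one of your own servers, the DHCP-provided resolver is the one answering your queries. Keep in mind the caveat from earlier in the thread: /etc/resolv.conf is rewritten whenever the network configuration changes, so re-check after a DHCP renewal or a move to another network.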
