I use Mac OS Sequoia 15.0.1 and I’m trying to capture DNS traffic using wireshark or tcpdump, but I can’t see any whatsoever and I don’t understand what Mac does differently here and why I can observe this traffic.
Initially I thought that the browsers used DoH or some kind of proxy even after making sure they’re disabled (Firefox/Chrome), but then I realised that pinging a domain also doesn’t result in any traffic being captured.
I’ve also tested this on an older Mac OS (13.6.9) and it seems to be behaving identically.
sudo tcpdump -i any -n port 53 -nnp
ping aol.com
If I try using `dig` or `nslookup`, it works as expected. So it’s clear to me that the browsers and `ping` use a different DNS path.
Any ideas why this happens and how the DNS requests are being sent?
What I also did was to make sure that “Private Wi-Fi Address” in the Wi-Fi section was turned off. At some point while doing this I also came across a request to “aol.com” in the packet capture, but I can’t tell for sure what happened and it’s quite hard to reproduce.
When I turn the Wi-Fi adapter off and on completely, all of a sudden I see all these DNS requests which correspond to my open browser tabs. So in that intermediary phase it seems to work as expected (i.e. I see the DNS traffic).
It might be the case that Apple actually simply ignores the user and does what it wants and still sends DNS requests over HTTPS to their server, but only when it makes sure that the DNS server is reachable (or something like that), but I can’t be 100% sure of that.
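To make the two resolution paths contrasted above concrete, here is an added example (not from the original post): a hand-built A query on UDP/53, the kind `dig` and `nslookup` send from their own socket and that `tcpdump port 53` will see, next to a `getaddrinfo()` call, the API `ping` and browsers use, which on macOS is answered by the system resolver rather than by a port-53 socket the calling process opens. The response parser is exercised on a constructed reply; the resolver address passed to `direct_query` is an assumption you supply.

```python
import socket
import struct

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a plain DNS A/IN query, the packet dig and nslookup send themselves on UDP/53."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)      # flags: RD=1; QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)               # QTYPE=A, QCLASS=IN

def _skip_name(buf: bytes, i: int) -> int:
    """Return the offset just past a wire-format name, handling compression pointers."""
    while True:
        length = buf[i]
        if length & 0xC0 == 0xC0:       # 2-byte pointer ends the name
            return i + 2
        if length == 0:                 # root label ends the name
            return i + 1
        i += 1 + length

def parse_a_records(resp: bytes, txid: int = 0x1234) -> list[str]:
    """Extract A-record addresses from a response; reject a reply whose id does not match ours."""
    rtxid, _flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if rtxid != txid:
        raise ValueError("transaction id mismatch")
    i = 12
    for _ in range(qd):                 # skip the echoed question section
        i = _skip_name(resp, i) + 4
    addrs = []
    for _ in range(an):
        i = _skip_name(resp, i)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[i:i + 10])
        i += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[i:i + 4]))
        i += rdlen
    return addrs

def direct_query(name: str, server: str, timeout: float = 2.0) -> list[str]:
    """dig-style path: our own UDP socket to port 53, so the query shows up in `tcpdump port 53`."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_a_records(data)

def system_resolver(name: str) -> list[str]:
    """ping/browser-style path: getaddrinfo(), which macOS hands to the system resolver."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
```

With `tcpdump -i any -n port 53` running, call `direct_query("aol.com", "<your resolver>")` and `system_resolver("aol.com")` in turn: the first always produces a port-53 packet from this process, while whether the second does depends on what the system resolver decides to do with the lookup.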