DNSFilter transitioned from loopback-based DNS filtering to Apple-supported System Extensions to align with macOS network security changes. As Apple began phasing out unsupported interception methods in macOS 11 and later, this shift ensured continued compatibility, improved performance, and long-term support across modern macOS environments.
The legacy approach: Loopback
The original Roaming Client (1.x) used a loopback interface to intercept and filter DNS traffic. This involved redirecting DNS requests to 127.0.0.1, where the agent could inspect and enforce policies.
While effective for many years, this approach relied on undocumented and unsupported behaviors in macOS networking.
Apple began deprecating and restricting loopback interception methods starting with macOS 11 Big Sur, released in November 2020, introducing security controls that made this technique fragile and unreliable.
Here’s what happened:
macOS 11 Big Sur introduced significant changes to system security and networking, including:
- Enhanced System Integrity Protection (SIP)
- Increased enforcement of signed and notarized system extensions
- Early limitations on legacy methods like redirecting traffic to 127.0.0.1 (loopback)
These restrictions became stricter with each subsequent release, particularly:
- macOS 12 Monterey (2021): tightened enforcement of DNS resolution paths
- macOS 13 Ventura (2022): further reduced support for non-System Extension-based network interception, often breaking loopback-based filtering under some conditions
So while loopback may have appeared to work intermittently past Big Sur, Apple has made it clear that the Network Extension and System Extension frameworks are the only supported methods going forward.
The Apple-compliant approach: System Extension
The updated Roaming Client (2.x) uses a System Extension built on the Network Extension framework—Apple's officially supported method for intercepting and filtering network traffic.
Instead of rerouting traffic to localhost, the agent now uses Apple’s API hooks to observe and manage DNS requests and responses at the system level. This ensures greater stability, better performance, and continued compatibility with current and future versions of macOS.
Why we moved to Apple's Standard:
- Security & Compatibility. Apple’s platform changes are making older, unofficial techniques unreliable or blocked entirely. Using the supported System Extension approach ensures long-term operability
- Performance Improvements. Avoiding traffic redirection reduces overhead and minimizes risk of interference or DNS resolution issues
- User Transparency & Control. System Extensions allow for clear user prompts, auditing, and centralized control via MDM, aligning with enterprise IT expectations
- Future-Proofing. Apple continues to evolve its network security model; conforming to its standards ensures continued support without hacks or workarounds
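To verify the transition on a managed Mac (no loopback resolver left behind from the 1.x approach, and the 2.x System Extension activated), here is an added shell check; it is not part of DNSFilter's client. The extension bundle identifier is a placeholder assumption, and the live data comes from `scutil --dns` and `systemextensionsctl list`, whose output formats the parsing functions assume.

```shell
#!/bin/sh
# Added example, not DNSFilter's code. Checks a Mac for leftover loopback DNS
# redirection (legacy 1.x style) and for an activated Network System Extension (2.x style).
# PLACEHOLDER: the real bundle id comes from the installed app's Info.plist or your MDM profile.
EXTENSION_BUNDLE_ID="${EXTENSION_BUNDLE_ID:-com.example.roamingclient.networkextension}"

# Reads `scutil --dns`-style text on stdin and prints every nameserver that points at
# loopback (127.0.0.0/8 or ::1). Exit status 0 if at least one was found, 1 otherwise.
# Lines look like: "  nameserver[0] : 127.0.0.1"
loopback_resolvers() {
    awk '
        /^[[:space:]]*nameserver\[[0-9]+\][[:space:]]*:/ {
            addr = $NF
            if (addr ~ /^127\./ || addr == "::1") { print addr; found = 1 }
        }
        END { if (found) exit 0; exit 1 }
    '
}

# Reads `systemextensionsctl list`-style text on stdin and reports whether the given
# bundle id appears in the "[activated enabled]" state. Exit status 0 if active, 1 otherwise.
extension_active() {
    bundle_id="$1"
    grep -F -- "$bundle_id" | grep -q '\[activated enabled\]'
}

# Live mode runs only on macOS and only when asked, so the functions can also be
# applied to captured output collected from a fleet.
if [ "$(uname -s)" = "Darwin" ] && [ "${1:-}" = "--live" ]; then
    status=0
    if scutil --dns | loopback_resolvers; then
        echo "WARN: loopback DNS resolver still configured (legacy 1.x style)"; status=1
    fi
    if systemextensionsctl list | extension_active "$EXTENSION_BUNDLE_ID"; then
        echo "OK: $EXTENSION_BUNDLE_ID is activated and enabled"
    else
        echo "WARN: $EXTENSION_BUNDLE_ID is not activated and enabled"; status=1
    fi
    exit $status
fi
```

Run it as `sh check.sh --live` on a Mac, or pipe saved command output into the two functions from a collection job.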
Technical features and differences
| Feature | 1.x Loopback | 2.x System Extension |
|---|---|---|
| Interception method | Localhost redirection | Apple Network Extension APIs |
| Apple support | Unsupported | Fully supported |
| Reliability | Decreasing on new macOS | High, OS-integrated |
| Performance overhead | Higher | Lower |
| MDM/Enterprise controls | Limited | Robust |
| Future compatibility | Risky | Aligned with Apple roadmap |
🧐 Have questions about 2.x functionality?
Leave a comment below—our team is happy to help clarify and guide you through the transition.