
Level Verified

macOS Monitor - DNS Servers Script

Created by: Level

Type: Script

Category: General

Platforms: Windows, Apple iOS, Linux

Problem Overview

Misconfigured DNS servers can compromise network performance, introduce security vulnerabilities, and lead to connectivity issues. Maintaining consistent DNS configurations across multiple macOS devices is critical, especially when you need to ensure compliance or minimize potential vulnerabilities from unauthorized DNS settings.

Description

This script retrieves the currently configured DNS servers on a macOS machine using the scutil command, then compares them against an approved list defined in a Level custom field (cf_dns). If the script detects any DNS servers that aren’t on the allowed list or finds no DNS configuration at all, it raises an alert. When there’s a match with the approved settings, it reports success, confirming that the device is aligned with your network policies.

You can set up a script-based monitor in Level to run this check on-demand, ensuring immediate alerts when DNS discrepancies appear. Alternatively, incorporate it into a scheduled Level Automation to regularly audit DNS settings across your macOS fleet, automatically detecting and addressing any unauthorized changes.

Script

#!/bin/bash

# This resource is provided as a convenience for Level users. We cannot
# guarantee it will work in all environments. Please test before deploying
# to your production environment. We welcome contributions to our community
# library

# Level Library
# https://level.io/library/script-macos-monitor-dns-servers

# Approved DNS servers from the cf_dns custom field. Entries may be separated
# by commas, spaces, or both (e.g. "10.0.0.53, 10.0.0.54").
expected_dns_servers_string="{{cf_dns}}"

# Normalise commas to spaces, then split into an array on whitespace.
# Parameter expansion and read are used (rather than mapfile) so the script
# also runs on the bash 3.2 that ships with macOS.
expected_dns_servers_string="${expected_dns_servers_string//,/ }"
read -r -a expected_dns_servers <<< "$expected_dns_servers_string"

# Function to get current DNS servers. scutil --dns lists every resolver,
# including the scoped ones, so the same address can appear several times;
# sort -u collapses the duplicates.
get_dns_servers() {
    scutil --dns | grep 'nameserver\[[0-9]*\]' | awk '{print $NF}' | sort -u
}

# Function to check DNS servers
check_dns_servers() {
    local current_dns_servers=($(get_dns_servers))
    echo "Allowed DNS servers: ${expected_dns_servers[*]}"
    echo "Current DNS servers: ${current_dns_servers[*]}"

    if [ ${#expected_dns_servers[@]} -eq 0 ]; then
        echo "ALERT: The cf_dns custom field is empty; there is no allowed list to compare against."
        exit 1
    fi

    if [ ${#current_dns_servers[@]} -eq 0 ]; then
        echo "ALERT: No DNS servers configured."
        exit 1
    fi

    # Count the current servers that appear in the allowed list. Padding both
    # sides with spaces makes the comparison whole-token, so 10.0.0.5 does not
    # match 10.0.0.53.
    local match_found=0
    for dns in "${current_dns_servers[@]}"; do
        if [[ " ${expected_dns_servers[*]} " == *" $dns "* ]]; then
            ((match_found++))
        fi
    done

    if [ "$match_found" -ne "${#current_dns_servers[@]}" ]; then
        echo "ALERT: Not all DNS servers are in the allowed list."
        exit 1
    else
        echo "SUCCESS: DNS servers match the allowed list."
    fi
}

# Check if the DNS servers match the allowed list
check_dns_servers
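As an added example, not the Level library script above, the same scutil parsing and allow-list comparison are exercised against a constructed `scutil --dns` capture, so the detection logic can be tested on any machine without scutil; SAMPLE_SCUTIL_DNS, parse_nameservers and find_unauthorized_dns are names chosen here, and the addresses are made up.

```shell
#!/bin/sh
# Added example (not the Level library script): same parsing and allow-list
# check as the monitor, run against a constructed scutil --dns capture.

# Constructed sample of `scutil --dns` output. Real output lists several
# resolvers (unscoped and scoped), so one server can appear more than once.
SAMPLE_SCUTIL_DNS='DNS configuration
resolver #1
  nameserver[0] : 10.0.0.53
  nameserver[1] : 10.0.0.54
resolver #2
  domain   : local
  options  : mdns

DNS configuration (for scoped queries)
resolver #1
  nameserver[0] : 10.0.0.53
  nameserver[1] : 192.168.1.1
  if_index : 12 (en0)
'

# Read scutil-style text on stdin; print each nameserver address once.
parse_nameservers() {
    grep 'nameserver\[[0-9]*\]' | awk '{print $NF}' | sort -u
}

# $1: allow list as stored in cf_dns (commas and/or spaces as separators).
# $2: newline-separated current nameservers (output of parse_nameservers).
# Prints every server missing from the allow list. Returns 0 when all are
# allowed, 1 when at least one is not, 2 when no nameserver is configured.
find_unauthorized_dns() {
    local allowed found any dns
    allowed=" $(printf '%s' "$1" | tr ',' ' ') "   # pad for whole-token match
    found=0; any=0
    while IFS= read -r dns; do
        [ -n "$dns" ] || continue
        any=1
        case "$allowed" in
            *" $dns "*) ;;                      # approved server
            *) printf '%s\n' "$dns"; found=1 ;; # not on the allow list
        esac
    done <<EOF
$2
EOF
    [ "$any" -eq 1 ] || return 2
    return "$found"
}

# Usage: find_unauthorized_dns '10.0.0.53, 10.0.0.54' "$(printf '%s' "$SAMPLE_SCUTIL_DNS" | parse_nameservers)"
```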

Use Cases

  • Confirming approved DNS servers in enterprise settings
  • Monitoring remote or mobile employees’ devices for policy compliance
  • Ensuring consistent DNS settings in multi-office or distributed environments
  • Quickly identifying any unauthorized or mistakenly configured DNS entries

Recommendations

  • Test in a non-production environment before widespread deployment
  • Use a script-based monitor in Level to detect immediate DNS mismatches
  • Schedule regular checks via a Level Automation for ongoing audits
  • Keep the cf_dns custom field updated with your authoritative DNS servers
  • Investigate any DNS mismatch alerts promptly to maintain stable connectivity

FAQ

  • How do I specify my approved DNS servers?
    Update the cf_dns custom field in Level with a space-separated list of allowed DNS addresses.
  • Does the script fix DNS settings automatically?
    No, it only detects and alerts on mismatches. You can pair it with a remediation script to adjust DNS servers if needed.
  • Which macOS versions are supported?
    Most modern macOS releases that include scutil should work. Test in your specific environment to confirm compatibility.
  • What permissions are required?
    It runs with System or Root privileges in Level, allowing full visibility into network configurations.
  • Can I customize the alert message?
    Yes, edit the echo statements in the script to suit your preferred notification or logging format.

Included with this Script:

Below is a list of what you can expect to find when importing this Script.

Script details:

The following data and settings will be imported with your script.

Script Name: macOS Monitor - DNS Servers

Description: This script, macOS DNS Server Check, retrieves the DNS servers configured on a macOS device and compares them against a predefined list of expected DNS servers. It alerts if no DNS servers are configured or if any current DNS servers fall outside the allowed list, helping maintain proper network security and configuration compliance.

Language: Bash

Timeout (in seconds): 100

Run As: Local system
