Friday, August 30, 2024

macOS Firewall Slows DNS Queries

Jeff Johnson (Reddit):

I took packet traces of the DNS queries with the firewall enabled and disabled. What I found is that the DNS query response packet consistently arrives in under 20 milliseconds after the query packet is sent, regardless of whether the firewall is enabled. Thus, it appears that the extra query time added by the firewall is caused by on-device processing of the packets rather than by any network issue.

[…]

On my MacBook Pro running Sonoma, but not on my Mac mini running Sonoma, I frequently experience a bizarre issue where the dig command takes over 5 seconds to complete when the firewall is enabled.

DNS queries are several times slower, though this may be fixed in Sequoia.
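The measurement Jeff Johnson describes (end-to-end dig timing, compared with and without the application firewall) can be repeated with a small script. This is an added example, not from the post or from Jeff Johnson; it assumes `dig` is installed and, on macOS, reads the firewall state from `/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate`.

```shell
#!/bin/sh
# Added example (not from the original post): sample dig "Query time" values
# and summarize them so firewall-on vs. firewall-off runs can be compared.
# Assumes dig (BIND tools) and, on macOS, socketfilterfw for the firewall state.

# Print the macOS application-firewall state, or "unknown" on other systems.
firewall_state() {
    fw=/usr/libexec/ApplicationFirewall/socketfilterfw
    if [ -x "$fw" ]; then
        "$fw" --getglobalstate 2>/dev/null | grep -q enabled && echo enabled || echo disabled
    else
        echo unknown
    fi
}

# Extract the N from ";; Query time: N msec" lines of dig output on stdin.
query_times() {
    awk '/^;; Query time:/ { print $4 }'
}

# Read one number per line on stdin; print "count min median max".
summarize() {
    sort -n | awk '
        { v[NR] = $1 }
        END {
            if (NR == 0) { print "0 0 0 0"; exit }
            mid = int((NR + 1) / 2)
            med = (NR % 2) ? v[mid] : (v[mid] + v[mid + 1]) / 2
            print NR, v[1], med, v[NR]
        }'
}

# Query a name N times (optionally against a specific resolver) and summarize.
# Usage: sample_dig example.com 20 @192.168.1.2
sample_dig() {
    name=$1; n=${2:-10}; server=$3
    i=0
    while [ "$i" -lt "$n" ]; do
        dig +tries=1 +time=10 $server "$name" A
        i=$((i + 1))
    done | query_times | summarize
}

# Report the firewall state alongside the timing summary; run this with the
# firewall enabled, then disabled, and compare the medians.
main() {
    echo "firewall: $(firewall_state)"
    echo "count min median max (msec): $(sample_dig "${1:-example.com}" "${2:-10}" "$3")"
}
```

Call `main example.com 20` (add `@<resolver-ip>` as a third argument to target a specific resolver, such as a LAN DNS server) once with the firewall on and once with it off; a median that drops only when the firewall is off points at on-device packet processing rather than the network.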



Is it possible to create an exception in the firewall rules?

On my home LAN, I run my own DNS server on a Raspberry Pi. If I could whitelist the Pi's IP address, that would solve my specific instance of the problem.


I wonder if this affects third party firewall apps like Little Snitch?

Glad to hear that Apple actually does fix bugs in macOS from time to time.


> I wonder if this affects third party firewall apps like Little Snitch?

No, it doesn't affect Little Snitch.


If you are testing DNS with Little Snitch installed, you may want to turn off its DNS proxy feature.


Who needs the macOS "firewall", anyway? Serious question—it's old, outdated, non-configurable and incomplete. So why? You can still use pf to implement proper packet filtering, and third-party tools for process-based rules. It's simply never been very good, certainly not as good as the built-in filters on Windows.
