
macOS 26 DNS Issues: 3 Bugs & Workarounds for Developers

macOS 26.1 broke custom DNS configuration for thousands of developers using encrypted DNS profiles, VPN services, and local development environments with .internal domains. The issue, trending on Hacker News TODAY with 182 points and 87 comments, affects three critical areas: encrypted DNS profile installation is blocked, custom TLD resolution via /etc/resolver/ is broken, and VPN DNS integration fails when encryption is enabled. Apple hasn’t issued a statement or timeline. Developers are scrambling for workarounds.

Three Separate DNS Regressions

macOS 26.1 didn’t just break DNS—it broke three distinct systems. First, installing encrypted DNS profiles via .mobileconfig files fails with the error “The ‘VPN Service’ payload could not be installed,” even though these profiles contain no VPN payload, only DNS settings. Second, the /etc/resolver/ per-domain DNS resolver mechanism is silently broken for custom TLDs like .internal, .local, and .test. Third, VPN services that rely on custom DNS configurations experience resolution failures when encryption is enabled.

The technical cause varies by issue. For encrypted DNS, macOS changed how it validates configuration profiles, now incorrectly treating DNS Settings payloads as VPN payloads. For /etc/resolver/, mDNSResponder intercepts queries for non-IANA TLDs and treats them as multicast DNS, never consulting the unicast nameserver specified in your resolver file. For VPN DNS, the system forces plain DNS on port 53 when encryption is enabled, breaking the entire security model.

Understanding that these are separate bugs helps you identify which workarounds apply to your situation. A developer trying to install encrypted DNS from Mullvad needs different solutions than someone trying to resolve Docker containers at .internal domains.
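Because the /etc/resolver/ failure is silent, the first thing to establish on an upgraded machine is whether the per-domain resolver file is being consulted at all. The script below is an added example, not something from the article or from Apple: it writes the two-line resolver file format, asks the system resolver (dscacheutil on macOS, getent elsewhere) and the configured nameserver (via dig) for the same name, and classifies the pair of answers. The nameserver address 127.0.0.1, port 5353 and the name app.internal are constructed values; you would substitute whatever dnsmasq or other local nameserver your resolver file points at.

```shell
#!/bin/sh
# Added example (not from the original article): check whether the system
# honours an /etc/resolver/<tld> file for a custom TLD by comparing the answer
# applications get (system resolver) with the answer the nameserver named in
# that file gives directly. Assumes the two-line "nameserver"/"port" resolver
# file form and that `dig` is installed. All names and addresses are constructed.

# Content of an /etc/resolver file for a TLD such as "internal", pointing at a
# local nameserver. Writing it needs sudo, e.g.:
#   resolver_file_content 127.0.0.1 5353 | sudo tee /etc/resolver/internal
resolver_file_content() {  # nameserver port
    printf 'nameserver %s\nport %s\n' "$1" "$2"
}

# Resolve a name the way applications do. On macOS dscacheutil goes through
# mDNSResponder, which is exactly the component that may skip the resolver file.
system_lookup() {  # name
    if command -v dscacheutil >/dev/null 2>&1; then
        dscacheutil -q host -a name "$1" | awk '/^ip_address:/ {print $2; exit}'
    else
        getent hosts "$1" | awk '{print $1; exit}'
    fi
}

# Ask the configured nameserver directly, bypassing the system resolver.
direct_lookup() {  # name nameserver port
    dig +short +time=2 +tries=1 -p "$3" @"$2" "$1" A \
        | awk '/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {print; exit}'
}

# Classify the two answers. An empty system answer next to a non-empty direct
# answer is the macOS 26.1 symptom: the nameserver works, but the resolver file
# pointing at it was never consulted for the custom TLD.
classify() {  # system_answer direct_answer
    if [ -z "$2" ]; then
        echo "nameserver-unreachable"
    elif [ -z "$1" ]; then
        echo "resolver-file-ignored"
    elif [ "$1" = "$2" ]; then
        echo "ok"
    else
        echo "answer-mismatch"
    fi
}

# Run both lookups for one name and report; returns 0 only when they agree.
check_tld_resolver() {  # name nameserver port
    sys=$(system_lookup "$1")
    direct=$(direct_lookup "$1" "$2" "$3")
    result=$(classify "$sys" "$direct")
    echo "$1: system='${sys:-<none>}' direct='${direct:-<none>}' -> $result"
    [ "$result" = "ok" ]
}

# Example run (constructed values; needs a nameserver listening on 127.0.0.1:5353):
#   check_tld_resolver app.internal 127.0.0.1 5353
```

A "resolver-file-ignored" result tells you the bug described above is in play and that the /etc/resolver/ route is not worth debugging further on that machine; "nameserver-unreachable" means the problem is on the dnsmasq side instead, which is a different fix.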

Who’s Affected and How

Privacy-focused developers using encrypted DNS from Mullvad, NextDNS, AdGuard, or Quad9 can’t install or update configurations. Existing profiles continue working, but if you remove one, you can’t reinstall it. Corporate VPN users with Tailscale, OpenFortiVPN, or proprietary VPNs can’t resolve internal domains when using custom DNS servers. Local development environments using Docker with .test or .internal domains become completely unreachable.

The Hacker News discussion shows the breadth: “Docker containers becoming unreachable after upgrading from macOS 15” and “users running dnsmasq-dependent setups advised to hold off upgrading.” The Privacy Guides community issued a PSA: “As of macOS version 26.1, encrypted DNS server profiles from providers like Mullvad cannot be installed, though existing ones continue to work.”

If you use default ISP DNS and don’t develop locally with custom domains, you’re fine. Everyone else should pay attention.

Working DNS Workarounds (with Trade-offs)

Three workarounds exist, none perfect. The first is manual /etc/hosts entries. This works reliably but requires sudo, doesn’t support wildcards, and means manually managing every domain. Add entries like this:

sudo nano /etc/hosts
# Add:
192.168.1.100 app.internal
192.168.1.101 api.internal

# Flush DNS cache
sudo dscacheutil -flushcache
sudo killall -HUP mDNSResponder
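The manual maintenance burden of the /etc/hosts route shrinks if the entries live in one marked block that a script owns. The functions below are an added example, not from the article: they keep a managed block between two marker comments, replace it atomically from a list of "ip name" pairs read on stdin, validate each pair before it is written, and flush the cache only on macOS. HOSTS_FILE defaults to /etc/hosts (writing it needs sudo) and can be pointed at a scratch copy; the marker text and the 192.168.1.x entries are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): manage the .internal entries
# of the /etc/hosts workaround as a single marked block. HOSTS_FILE defaults to
# /etc/hosts and is overridable so the functions can be run against a scratch
# copy. Marker strings and sample entries are constructed.

HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"
BEGIN_MARK="# BEGIN local-dev-hosts (managed)"
END_MARK="# END local-dev-hosts (managed)"

# Print the file with the managed block removed; every other line is untouched.
hosts_without_block() {
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        $0 == b { skip = 1; next }
        $0 == e { skip = 0; next }
        !skip   { print }
    ' "$HOSTS_FILE"
}

# Replace the managed block with the "ip name" pairs read from stdin.
# Only a dotted-quad followed by a hostname is kept, so a typo cannot become a
# stray line in /etc/hosts. The file is rewritten in place via a temp copy so
# its ownership and mode are preserved (mv would replace them).
hosts_set_block() {
    entries=$(awk '
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $2 ~ /^[A-Za-z0-9.-]+$/ {
            print $1 "\t" $2
        }')
    tmp=$(mktemp) || return 1
    {
        hosts_without_block
        printf '%s\n' "$BEGIN_MARK"
        [ -n "$entries" ] && printf '%s\n' "$entries"
        printf '%s\n' "$END_MARK"
    } > "$tmp" && cat "$tmp" > "$HOSTS_FILE"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Drop the managed block entirely, leaving the rest of the file as it was.
hosts_remove_block() {
    tmp=$(mktemp) || return 1
    hosts_without_block > "$tmp" && cat "$tmp" > "$HOSTS_FILE"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Address the managed block maps a name to; empty if the name is not there.
hosts_lookup() {  # name
    awk -v b="$BEGIN_MARK" -v e="$END_MARK" -v n="$1" '
        $0 == b { inblk = 1; next }
        $0 == e { inblk = 0; next }
        inblk && $2 == n { print $1; exit }
    ' "$HOSTS_FILE"
}

# macOS only: make mDNSResponder re-read /etc/hosts (no-op on other systems).
flush_dns_cache() {
    command -v dscacheutil >/dev/null 2>&1 || return 0
    dscacheutil -flushcache && killall -HUP mDNSResponder
}

# Usage against the real file (as root, e.g. `sudo sh`, after sourcing this file):
#   printf '192.168.1.100 app.internal\n192.168.1.101 api.internal\n' | hosts_set_block
#   flush_dns_cache
#   hosts_lookup app.internal    # 192.168.1.100
```

Re-running hosts_set_block with a new list replaces the whole block rather than appending, so stale addresses for a container that moved do not linger, and hosts_remove_block restores the file to its pre-workaround state in one step when Apple ships a fix.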

The second workaround is using *.localhost domains for local development. Modern browsers resolve these to 127.0.0.1 automatically. The catch? This only works in browsers. CLI tools like curl, wget, and ssh don’t recognize *.localhost, making it useless for API testing or SSH connections.

The third option is public wildcard DNS services like nip.io or lvh.me. These work system-wide—browsers and CLI tools both function. The downsides? You need an internet connection for DNS resolution, and you’re exposing your local IPs in DNS queries to a third-party service:

http://myapp.127.0.0.1.nip.io  # Resolves to 127.0.0.1, works everywhere

For encrypted DNS, there’s no workaround for new installations. Keep existing profiles if you have them, or configure encryption at the router level if your router supports it.

Apple’s Communication Failure

Apple hasn’t acknowledged these regressions. No statement on the Developer Forums. No mention in macOS 26.2 release notes, which also introduced additional network bugs. The Hacker News community’s verdict: “No confirmed working fix exists for the underlying DNS resolver issue in macOS 26.”

This silence leaves developers in limbo. Should enterprise IT teams delay macOS 26 rollouts? Should individuals implement workarounds as permanent solutions? Without an ETA from Apple, nobody knows whether to invest time in comprehensive fixes or wait for an official patch. The community is filling the void Apple created, but that’s not how vendor support should work.

Should You Upgrade to macOS 26?

Defer macOS 26 if your workflow depends on custom DNS, encrypted DNS profiles, .internal/.local domains, or VPN access to corporate resources. The risk isn’t worth it. Test on a non-critical machine first if you’re unsure.

If you’ve already upgraded, take action immediately. Preserve existing encrypted DNS profiles—don’t remove or modify them. Migrate local development to *.localhost if you work primarily in browsers, or use nip.io if you need CLI tool compatibility. Implement /etc/hosts entries for critical internal services, acknowledging the manual maintenance burden. For broken workflows you can’t restore, consider rolling back to macOS 25 via Time Machine if you have a recent backup.

The uncomfortable truth: these workarounds may be permanent. Apple’s track record suggests a fix will come eventually, but their silence provides no timeline. Treat your workarounds as long-term solutions, not temporary patches.

Key Takeaways

  • Defer macOS 26 upgrades if you use custom DNS, encrypted DNS, VPNs, or .internal/.local domains for development—the regressions will break your workflow
  • Three distinct bugs affect encrypted DNS profile installation, /etc/resolver/ custom TLD resolution, and VPN DNS integration; understanding which affects you determines the right workaround
  • Practical workarounds include /etc/hosts entries (reliable but manual), *.localhost domains (browsers only), or nip.io/lvh.me (system-wide but requires internet)
  • If you have existing encrypted DNS profiles installed, preserve them—you cannot reinstall after removal in macOS 26.1
  • Apple has issued no statement or timeline despite widespread reports; treat workarounds as potentially permanent solutions rather than temporary fixes
ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.