Apple - macOS keeps reverting to static DNS IP addresses

You can find the cause using the Logger. Here are several examples [if you need any detailed info], and at the end I show how to use the best 3 combinations for your case (video included):

At the end, the 3 commands monitor in real time any DNS changes by directly monitoring the system configuration root daemon, any Network System Configuration FILE changes, and the root Network Diagnostic sub-system.

You need to keep those 3 commands open in Terminal UNTIL your DNS issue happens, and it will be logged.

Keep them running all the time until the issue happens.

These commands will show you which process/application/network/whatever is causing the changes, and you can monitor it in real time, and also query past events to find the past changes.

1) Filter symptomsd messages:

log show --predicate 'subsystem == "com.apple.symptomsd" AND category != "flow"' --info --debug --signpost --style compact

2) Filter messages about DNS (case insensitive)

log show --predicate 'subsystem == "com.apple.symptomsd" AND category != "flow" AND message CONTAINS[cd] "DNS"' --info --debug --signpost --style compact --last 30m

3) Filter through System Configuration for changes:

log show --predicate 'subsystem == "com.apple.SystemConfiguration" and category !="SCNetworkReachability" ' --info --debug --signpost --style compact --last 30m

4) Filter what is changing DNS system configuration:

log show --predicate 'subsystem == "com.apple.SystemConfiguration" and message CONTAINS[cd] "DNS" ' --info --debug --signpost --style compact --last 10m

5) Filter by the Configuration Daemon:

log show --predicate 'subsystem == "com.apple.IPConfiguration" ' --info --debug --signpost --style compact --last 10m

6) Filter via interface using CoreUtils -> InterfaceMonitor:

log show --predicate 'subsystem == "com.apple.CoreUtils" and category == "CUNetInterfaceMonitor" ' --info --debug --signpost --style compact --last 15m

7) Filter via CoreUtils and rapportd:

log show --predicate 'subsystem == "com.apple.CoreUtils" and process == "rapportd" ' --info --debug --signpost --style compact --start "2019-08-11 14:21:45" --end "2019-08-11 14:22:00"

8) All CoreUtils events at the same time/date interval [as above]:

log show --predicate 'subsystem == "com.apple.CoreUtils" ' --info --debug --signpost --style compact --start "2019-08-11 14:21:45" --end "2019-08-11 14:22:00"

9) Filter all events CoreUtils -> System Monitor at the same interval:

log show --predicate 'subsystem == "com.apple.CoreUtils" and category == "CUSystemMonitor" ' --info --debug --signpost --style compact --start "2019-08-11 14:21:45" --end "2019-08-11 14:22:00"


The 3 commands DNS Realtime Monitor

I made a video about using 3 of them. I think they are the best for you and will for sure help you find the reason and when/who/what is changing your macOS DNS configuration.

Open iTerm with 3 split terminal screens, or open 3 macOS Terminal windows.

Put each command below on each specific terminal window.

Keep them running all the time until the DNS issue happens and your DNS changes, and they will be logged in the 3 terminal windows.

log stream --predicate 'subsystem == "com.apple.IPConfiguration"'


log stream --predicate 'subsystem == "com.apple.symptomsd" AND category != "flow" AND message CONTAINS[cd] "DNS"' --info --debug --signpost --style compact


log stream --predicate 'subsystem == "com.apple.SystemConfiguration"  and (message CONTAINS "com.apple.system.config.network_change" OR message CONTAINS "changedKeys") and (message CONTAINS[cd] "DNS") ' --info --debug --signpost --style compact

In the video I am using the 3 commands below in an iTerm split window:

YouTube link for the video:

https://youtu.be/yebQH6dEZvU


Temporary helper debug stuff

Contents of an original clean Mojave /Library/Preferences/com.apple.networkextension.plist file


$ defaults read /Library/Preferences/com.apple.networkextension.plist

{
    "$archiver" = NSKeyedArchiver;
    "$objects" =     (
        "$null",
                {
            "$class" = "<CFKeyedArchiverUID 0x7ffbd1402c20 [0x7fff9c6698e0]>{value = 2}";
            "NS.data" = <04000001 00000000 ff560d00 03000000 c90c4f5d 00000000 c1529216 00000000 a5080000 00000000>;
        },
                {
            "$classes" =             (
                NSMutableData,
                NSData,
                NSObject
            );
            "$classname" = NSMutableData;
        }
    );
    "$top" =     {
        SCPreferencesSignature2 = "<CFKeyedArchiverUID 0x7ffbd1402ea0 [0x7fff9c6698e0]>{value = 1}";
        Version = 1;
    };
    "$version" = 100000;
}
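
An unattended variant of the three-window monitor described above, as an added example that is not part of the original answer: it starts the same three `log stream` predicates in the background, one log file each, and can merge them into a single timeline once the DNS change has happened. `LOG_BIN`, the monitor names, the `~/dns-watch` directory and the `start|stop|timeline` arguments are assumptions of this example; the flags are the ones the answer already uses.

```bash
#!/bin/sh
# Added example (not from the original answer): unattended version of the
# three-window monitor. LOG_BIN, the monitor names and the output directory
# layout are assumptions of this example.
LOG_BIN="${LOG_BIN:-log}"   # macOS unified-logging CLI

# Start one background `log stream` per predicate; each writes <name>.log.
start_dns_monitors() {
    outdir=$1
    mkdir -p "$outdir" || return 1
    : > "$outdir/pids"
    while IFS='|' read -r name pred; do
        "$LOG_BIN" stream --predicate "$pred" --info --debug --signpost \
            --style compact >> "$outdir/$name.log" 2>&1 </dev/null &
        echo "$! $name" >> "$outdir/pids"
    done <<'EOF'
ipconfiguration|subsystem == "com.apple.IPConfiguration"
symptomsd|subsystem == "com.apple.symptomsd" AND category != "flow" AND message CONTAINS[cd] "DNS"
sysconfig|subsystem == "com.apple.SystemConfiguration" and (message CONTAINS "com.apple.system.config.network_change" OR message CONTAINS "changedKeys") and (message CONTAINS[cd] "DNS")
EOF
}

# Stop every monitor recorded in <outdir>/pids.
stop_dns_monitors() {
    while read -r pid name; do
        kill "$pid" 2>/dev/null || true
    done < "$1/pids"
}

# Merge the three logs into one timeline, tagging each event with its monitor.
# Compact-style event lines start with "YYYY-MM-DD HH:MM:SS.mmm"; banner and
# header lines do not, so they are dropped.
merge_dns_timeline() {
    for f in "$1"/*.log; do
        awk -v n="$(basename "$f" .log)" \
            '/^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9] / {
                 print $1, $2, "[" n "]", substr($0, length($1) + length($2) + 3)
             }' "$f"
    done | sort
}

# Usage: sh dns-watch.sh start|stop|timeline [dir]
dir=${2:-"$HOME/dns-watch"}
case "${1:-}" in
    start)    start_dns_monitors "$dir" ;;
    stop)     stop_dns_monitors "$dir" ;;
    timeline) merge_dns_timeline "$dir" ;;
esac
```

Leave the Terminal session open while the monitors run; after the DNS servers revert, the `timeline` output shows which process logged the change and in what order across the three subsystems.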



I had a very similar issue that was being co-opted by an app that I have from DYNDNS called DynUpdater. I removed their app and the issue went away. I would assume that any Dynamic DNS update application may play similar tricks. I had this app to refresh my dynamic IP to DYN for my domain. Maybe it's time to pay for a static IP from my ISP if I want to host from home. Hope this helps someone. This issue has baffled me for at least a year and I just now finally took the time to dig into it. I have 20 years as a Sr Network Engineer working at the CCIE level and this was baffling me.
