System-Level Website Blocking on macOS: How It Works
If you've ever installed a browser extension to block distracting websites, you've probably noticed the problem: it works until you open a different browser. Or disable the extension. Or open an incognito window. The blocking only exists within the narrow context of one browser's extension system.
System-level blocking is fundamentally different. It operates at the macOS operating system level, affecting all browsers and applications on your machine. Understanding how these different approaches work — and their tradeoffs — helps you choose the right tool.
How Do Browser Extensions Block Websites?
Browser extensions use the WebExtensions API (or Safari's equivalent) to intercept web requests within that specific browser. When you navigate to a blocked URL, the extension catches the request before the page loads and redirects you to a block page.
How it works: The extension registers a listener on the browser's request pipeline. When a URL matches the blocklist, the extension cancels the request or redirects it.
Limitations:
- Only works in the browser it's installed in
- Many extensions are disabled in incognito/private mode by default
- Users can disable or uninstall the extension in seconds
- Doesn't block native apps (YouTube app, Slack, etc.)
- Some extensions can be bypassed by opening the browser's developer tools
Browser extension blockers include StayFocusd, LeechBlock, and BlockSite. They're a starting point, but they rely entirely on the user not choosing to bypass them.
How Does the Hosts File Block Websites?
The hosts file (/etc/hosts on macOS) is a system-level text file that maps domain names to IP addresses. Your computer checks this file before making DNS queries, so entries here override normal domain resolution.
How it works: Add a line like 127.0.0.1 www.youtube.com to the hosts file, and any request to YouTube gets redirected to your local machine (which returns nothing). This affects every browser and application on the system.
Limitations:
- Requires
sudoaccess to edit — you need to open Terminal and use a text editor with admin privileges - Only blocks full domains, not specific paths (you can't block
youtube.com/shortswhile allowingyoutube.com/learning) - Changes persist permanently until you manually remove them — there's no timer integration
- Some applications use hardcoded IP addresses instead of domain names, bypassing the hosts file
- You can undo it just as easily as you set it up — there's no lock-out period
SelfControl for Mac uses the hosts file approach combined with firewall rules, and notably makes the block irreversible until the timer expires — even restarting your computer or deleting the app won't remove the block.
How Does DNS-Based Blocking Work?
DNS blocking intercepts domain name resolution at the network level. Instead of modifying a local file, you change which DNS server your machine queries, using a DNS service that refuses to resolve blocked domains.
How it works: Services like NextDNS, Pi-hole, or OpenDNS let you configure blocklists. When your computer asks the DNS server "what's the IP for twitter.com?" the server returns a blocked response instead of the real IP address.
Limitations:
- Applications can bypass it by using DNS-over-HTTPS (DoH) with a different resolver
- Requires network configuration — changing your DNS settings in System Settings or on your router
- Usually designed for network-wide blocking (good for families, less ideal for individual focus sessions)
- No per-session control — you need to manually change DNS settings to toggle blocking
- Can cause issues with legitimate sites if the blocklist is too aggressive
How Does macOS Screen Time Block Websites?
Screen Time is Apple's built-in content restriction system. It can set time limits for apps and websites, schedule downtime, and restrict content categories.
How it works: Screen Time uses Apple's private frameworks to intercept app launches and web navigation at the system level. When you hit a time limit or enter scheduled downtime, macOS blocks access with a system dialog.
Limitations:
- Designed for parental controls, not self-directed focus
- The "one more minute" button lets you instantly bypass any limit
- You can disable Screen Time entirely with your device passcode
- No integration with focus timers or task management
- Website blocking only works in Safari and apps that use WebKit — Chrome and Firefox are unaffected
- The interface is designed for managing children's screen time, not knowledge worker focus sessions
How Do Accessibility API Blockers Work?
macOS Accessibility APIs were designed to let assistive technology interact with the operating system — screen readers, voice control, switch interfaces. These APIs have deep system access: they can observe which applications are running, which URLs are open in any browser, and send system-level commands.
How it works: An app with Accessibility permissions can monitor active windows across all applications. When it detects a blocked website open in any browser (Chrome, Safari, Firefox, Arc — any of them), it can close the tab, switch the window, or overlay a blocking screen. It can also detect and block native applications.
Strengths:
- Works across all browsers, not just one
- Can block native apps (not just websites)
- Can be session-based — active only during focus sessions
- Doesn't modify system files or network configuration
Limitations:
- Requires the user to grant Accessibility permission in System Settings > Privacy & Security
- Technically possible to revoke the permission to disable blocking (though this requires navigating to System Settings and toggling a switch, which is enough friction to break the impulse)
- Only available on macOS
Focuh uses this approach. When you start a focus session, it monitors all windows and blocks access to sites and apps on your blocklist. When the session ends, blocking stops automatically. The Accessibility permission is a one-time setup step.
How Do Kernel Extensions and Network Extensions Block?
These are the most powerful blocking mechanisms on macOS. Kernel extensions (kexts) operate at the operating system kernel level, while Network Extensions use Apple's newer framework for filtering network traffic.
How it works: Network Extensions create a transparent proxy or content filter that all network traffic passes through. The filter inspects requests and blocks those matching the blocklist. This happens below the application layer, so no browser or app can bypass it.
Strengths:
- The most comprehensive blocking possible — works for all applications, all protocols
- Very difficult to bypass without admin access
- Can inspect encrypted traffic (with proper configuration)
Limitations:
- Requires significant development effort and Apple Developer Program membership
- Apple has been deprecating kernel extensions in favor of Network Extensions
- Network Extensions require specific entitlements from Apple
- Can cause system instability if poorly implemented
- VPN-based blockers use this approach, which means you can't use a VPN simultaneously
Cold Turkey Blocker and some enterprise content filters use Network Extension approaches on macOS.
Which Method Is Best?
It depends on what you need:
| Method | Cross-browser | Cross-app | Timer integration | Bypass difficulty |
|---|---|---|---|---|
| Browser extension | No | No | Sometimes | Very easy |
| Hosts file | Yes | Partially | No | Easy (with Terminal) |
| DNS blocking | Yes | Yes | No | Moderate |
| Screen Time | Safari only | Yes | Schedule only | Easy ("one more minute") |
| Accessibility APIs | Yes | Yes | Yes | Moderate |
| Network Extension | Yes | Yes | Varies | Hard |
For most people who want to block distractions during focus sessions, the Accessibility API approach hits the right balance: it works across all browsers and apps, integrates naturally with a timer-based workflow, and provides enough friction to break the impulse to check Twitter without making your computer unusable.
The hosts file and SelfControl-style approaches are good if you want blocking that you genuinely cannot bypass. The tradeoff is less flexibility — you can't easily adjust your blocklist mid-session or have blocking tied to a specific task.
Browser extensions are fine for gentle reminders but aren't real blocking. If you can disable the blocker faster than you can resist the urge to check a site, the blocker isn't doing its job.
The Bottom Line
The most effective blocking method is the one that works across every browser and app on your system, integrates with your focus workflow, and creates enough friction that your impulse to check distractions fizzles out before you can act on it. For macOS users, that means system-level blocking — whether through Accessibility APIs, network filters, or hosts file manipulation — rather than browser-level extensions that only protect one narrow pathway to distraction.