Apple - What is the best way to block ocsp.apple.com on mac?

A quick and easy solution is to use your system's hosts file to redirect requests to localhost.

sudo sh -c 'echo "127.0.0.1  ocsp.apple.com" >> /etc/hosts'

Then you'll want to make sure this has been applied by clearing the DNS cache - which on the latest version is done by forcing the DNS responder to restart:

sudo killall -HUP mDNSResponder

The best way is to block it at the Internet gateway as you won't be successful blocking locally it at the machine.

Big Sur has apparently got a new API that prevents apps like Little Snitch from blocking those connections and will even circumvent your VPN

Source: sneak.berlin

The version of macOS that was released today, 11.0, also known as Big Sur, has new APIs that prevent Little Snitch from working the same way. The new APIs don’t permit Little Snitch to inspect or block any OS level processes. Additionally, the new rules in macOS 11 even hobble VPNs so that Apple apps will simply bypass them.

So, if Apple makes Little Snitch useless and even bypasses your VPN to call home to report what, where, when and even how you use your Mac then the only way to do this is at the network gateway. So, while Apple can force the machine to behave the way it wants, it still has to send packets over the network. Block all outgoing traffic at the router to http://ocsp.apple.com and there's nothing Big Sur can do about it.

Using pfSense.

I'm a big proponent of using "commercial grade" routers and networking gear even in the home. pfSense makes some excellent hardware appliances but their firewall software is available for download, for free. You just need a cheap core 2 duo PC (small form factor is best, but any desktop or tower will do), a small SSD (32GB is more than enough) and an additional NIC card (quad Ethernet cards can be had for less than $50USD). This will give you a very efficient router using the same firewall software enterprises use.

Step one: Identify the IPs needed to block. Simply pinging ocsp.apple.com will give you their IP - 17.253.13.206. However, there are probably fallbacks so an nslookup would be advisable (nslookup ocsp.apple.com and it yields two more IPs - 17.253.13.207 and 17.253.13.201.

Step two: Create an alias to reference this list of hosts. pfSense allows you to have aliases to individual hosts, a list of hosts, and even whole networks. The benefit here is that you can write the rule once and as the networks change and evolve over time, all you have to do is edit the alias and not the rule. Below is a screen capture of the alias configured in pfSense for all three hosts.

enter image description here

Step 3: Write the LAN rule to block/reject the traffic. Simply create the LAN rule to block any connections to OCSP alias (list of hosts). The source can (and should) be "any," but you could configure this for just one Mac or any/all Macs behind the firewall. Use both IPv4 and IPv6 to ensure all your bases are covered. Same with TCP and UDP. Below is the rule summary screen showing this configuration.

enter image description here

Step 4: Apply the changes. You may find in your testing (as I did) that nslookup didn't provide all the hosts and there's apparently a range of IPs from 17.253.13.201 through .207. pfSense allows you to select ranges by using the syntax: 17.253.13.201 - 17.253.13.207 and it will auto generate each host. To test, simply ping using the DNS name or any of the the IP addresses in the range.

Optionally, you can have these attempts logged as well (you can even do this prior to blocking) so you can see every time your Mac(s) reach out and call home and using optional plugins like Snort you can capture the actual packet data and see what's being transmitted (and received).