preloader
Macbook

Domain-specific DNS on your Macbook

By Jamie Duncan 11 November 2019
Domain-specific DNS on your Macbook

DNS is hard. all. the. time.

I recently moved to a Macbook Pro for my primary work laptop. I keep a Fedora 31 laptop handy, and I have a decent-sized home lab to doing Linux-y things. For browsing and surfing thoughs, a Macbook is a pretty good experience.

My home lab is what caused me to have to dig this up. My home network is Ubiquiti hardware, and it automatically manages my internal DNS zones and hostnames. I ❤ it. On my Linux laptop, I would quickly configure dnsmasq and be done with it.

But my work laptop automatically connects to my work VPN. Because my employer manages my configuration remotely, how can I have my home lab domain, int.jduncan.io not get pushed out to public servers for resolution where it will fail? Turns out, it’s really easy to set specific DNS resolvers for various domains.

First, check out your DNS configuration using $ scutil –dns . You’ll see a lot of different resolvers configured. In my case resolver #1 is what is handling my DNS lookups, then #2 handles the .local domain. Resolver #3 is the reverse lookup for the 169.254 APIPA address space, and so on. The root DNS servers for the internet are also listed.

scutil --dns
DNS configuration

resolver #1
  search domain[0] : vmware.com
  search domain[1] : eng.vmware.com
  nameserver[0] : 10.84.54.30
  nameserver[1] : 10.84.54.31
  flags    : Request A records
  reach    : 0x00000002 (Reachable)
  order    : 50000

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

resolver #3
  domain   : 254.169.in-addr.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300200

resolver #4
  domain   : 8.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300400

To add an additional resolver to a Mac, create a directory at /etc/resolver.

$ sudo mkdir /etc/resolver

For each domain that you want to hit a specific nameserver, create a file with the name of your desired domain and a nameserver line (or lines) in the file. For my internal domain I used the following command:

cat 'nameserver 192.168.1.1' > /etc/resolver/int.jduncan.io

Now, when I run scutil –dns again I see my newly created resolver:

resolver #8
  domain   : int.jduncan.io
  nameserver[0] : 192.168.1.1
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

A quick lookup confirms that my configuration is doing what I want it to do. Another thing I discovered when looking into this is that dig and nslookup on OSX don’t use the OS resolver configuration.

$ dscacheutil -q host -a name vcenter.int.jduncan.io
name: vcenter.int.jduncan.io
ip_address: 192.168.10.110

And that’s it. If I want to configure forward or reverse zones to resolving using a specific nameserver on OSX it’s that simple.

comments powered by Disqus