My MacBook is bound to a Windows Active Directory domain. For the computer to keep contact with the domain controller, the DNS server needs to be set to the IP address of that controller. However, since we are talking about a laptop, it often goes off-site, where that DNS server is not available. In Windows, this is a very easy fix as the DNS settings are customized for different networks. I cannot figure out how to do this for macOS without manually changing it when I need to.
MacBook Active Directory – How to Bind MacBook to Active Directory Domain
Tags: active-directory, dns, network
Related Solutions
I think the DNS settings for each device are independent, so you need to configure DNS in the Advanced tab of system preferences for each NIC (en0, en1, etc.)
You can specify the DNS servers that will be used for specific domains, but AFAIK this requires you to run BIND (named) on your machine. In this situation, your computer would be running a named process, and will have its configuration file set up to forward DNS requests for most queries to your ISP (i.e., the DNS servers that you were using before Google's Open DNS). This also allows you to specify domains in which you'd like the 'alternative' DNS server to be queried. Once you've got named up and running, you could then configure System Preferences to use your loopback address (127.0.0.1) for DNS lookups. The /etc/named.conf file for this configuration (based on Apple's default named.conf) would look something like:
    //
    // Include keys file
    //
    include "/etc/rndc.key";

    // Declares control channels to be used by the rndc utility.
    //
    // It is recommended that 127.0.0.1 be the only address used.
    // This also allows non-privileged users on the local host to manage
    // your name server.
    //
    // Default controls
    //
    controls {
        inet 127.0.0.1 port 953 allow { any; }
            keys { "rndc-key"; };
    };

    options {
        directory "/var/named";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below. Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;

        // *** forward all DNS lookups to these servers
        forwarders { 8.8.8.8; 8.8.4.4; };
    };

    //
    // a caching only nameserver config
    //
    zone "." IN {
        type hint;
        file "named.ca";
    };

    zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
    };

    zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
    };

    // *** requests for records in this zone will be forwarded to 10.0.0.5 and 10.0.0.6
    zone "test.example.com" IN {
        type forward;
        forwarders { 10.0.0.5; 10.0.0.6; };
        forward only;
    };

    logging {
        category default {
            _default_log;
        };

        channel _default_log {
            file "/Library/Logs/named.log";
            severity info;
            print-time yes;
        };
    };
Configuring named
Before starting named, it may be necessary to generate the rndc key that's being used for rndc control:
sudo rndc-confgen -a
Note: the only portions of the default /etc/named.conf file that were modified above are the line in "options" that specifies the forwarder DNS servers (the ones that will answer most of your queries) and the zone entry for the "special" zone that you'd like to perform split-horizon lookups for.
In this example, all queries are forwarded to the DNS servers 8.8.8.8 and 8.8.4.4 (Google Open DNS) with the exception of queries for records in the "test.example.com" domain (which are forwarded to 10.0.0.5 and 10.0.0.6).
Forwarder options
// *** forward all DNS lookups to these servers
forwarders { 8.8.8.8; 8.8.4.4; };
Zone to forward
    // *** requests for records in this zone will be forwarded to 10.0.0.5 and 10.0.0.6
    zone "test.example.com" IN {
        type forward;
        forwarders { 10.0.0.5; 10.0.0.6; };
        forward only;
    };
Test your local named configuration
Next, you can test your named installation by running it in the foreground (before committing to the setup):
sudo /usr/sbin/named -g
In another Terminal window, query your local DNS server to confirm that it is working:
nslookup apple.com 127.0.0.1
Make sure that your "special" forwarding zone is being utilized:
nslookup test.example.com 127.0.0.1
Set up the named process to start at boot
Once you see that the lookups are working as expected, you can kill the named process that's running in the foreground of the first Terminal window by issuing an interrupt using the Control+C key command (^C).
It's possible to start the DNS server every time the machine boots by enabling the launch daemon job for that process:
sudo launchctl load -w /System/Library/LaunchDaemons/org.isc.named.plist
Lastly, you'd configure the local machine's loopback address (127.0.0.1) to be used as the DNS server in System Preferences -> Network.
How to remove configuration and setup
This setup could potentially cause network problems (if not configured correctly). Here are some instructions on how to undo this setup:
1.) Remove the DNS server (127.0.0.1) from the network interface that you configured in System Preferences.
2.) Disable the launchd job that causes named to start on boot:
sudo launchctl unload /System/Library/LaunchDaemons/org.isc.named.plist
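As an added example (not part of the answer above, and not BIND's own code), the following Python script reads the forwarding statements of a named.conf like the one above and reports which forwarders a given name would be sent to, so the split-horizon logic can be checked on paper before running the nslookup tests against 127.0.0.1. The embedded config is a constructed excerpt of the answer's file; the small parser and the select_forwarders function are this example's own and only model the forwarders / forward / type forward statements.

```python
"""Which forwarders does the local named use for a given name?

Added example for the split-horizon setup above; not from the answer or
from BIND.  Only `options { forwarders {...}; forward ...; }` and
`zone "name" { type forward; forwarders {...}; forward only|first; }` are
interpreted; other statements are parsed and ignored, and if one statement
carries several { } blocks only the last block is kept.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed excerpt mirroring the forwarding parts of the answer's config.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    // query-source address * port 53;
    forwarders { 8.8.8.8; 8.8.4.4; };
};
zone "." IN { type hint; file "named.ca"; };
zone "localhost" IN { type master; file "localhost.zone"; allow-update { none; }; };
/* the split-horizon zone: only these names go to the AD domain controllers */
zone "test.example.com" IN {
    type forward;
    forwarders { 10.0.0.5; 10.0.0.6; };
    forward only;
};
"""

_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
_TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


@dataclass
class ForwardZone:
    name: str
    forwarders: List[str]
    mode: str = "first"  # BIND's default when no 'forward' statement is given


@dataclass
class ForwardConfig:
    global_forwarders: List[str] = field(default_factory=list)
    global_mode: str = "first"
    zones: Dict[str, ForwardZone] = field(default_factory=dict)  # keyed by lowercase name


def tokenize(text: str) -> List[str]:
    """Strip comments, then split into quoted strings, braces, semicolons and words."""
    return _TOKEN_RE.findall(_COMMENT_RE.sub("", text))


def parse_statements(tokens: List[str], pos: int = 0) -> Tuple[list, int]:
    """Parse `head ... { body } ;` statements up to the closing brace of this level.
    Each statement is (head_tokens, body_statements_or_None)."""
    stmts, head, body = [], [], None
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == "{":
            body, pos = parse_statements(tokens, pos + 1)
        elif tok == "}":
            return stmts, pos + 1
        elif tok == ";":
            if head or body is not None:
                stmts.append((head, body))
            head, body, pos = [], None, pos + 1
        else:
            head.append(tok.strip('"'))
            pos += 1
    if head or body is not None:  # tolerate a missing final ';'
        stmts.append((head, body))
    return stmts, pos


def _addresses(block: list) -> List[str]:
    """Forwarder entries look like `addr [port N];`; keep the address only."""
    return [h[0] for h, _ in block if h]


def load_forward_config(text: str) -> ForwardConfig:
    cfg = ForwardConfig()
    for head, body in parse_statements(tokenize(text))[0]:
        if not head or body is None:
            continue
        if head[0] == "options":
            for h, b in body:
                if h and h[0] == "forwarders" and b is not None:
                    cfg.global_forwarders = _addresses(b)
                elif h and h[0] == "forward" and len(h) > 1:
                    cfg.global_mode = h[1]
        elif head[0] == "zone" and len(head) > 1:
            ztype, fwds, mode = None, [], "first"
            for h, b in body:
                if h and h[0] == "type" and len(h) > 1:
                    ztype = h[1]
                elif h and h[0] == "forwarders" and b is not None:
                    fwds = _addresses(b)
                elif h and h[0] == "forward" and len(h) > 1:
                    mode = h[1]
            if ztype == "forward":  # hint/master zones are not forwarding decisions
                cfg.zones[head[1].lower().rstrip(".")] = ForwardZone(head[1], fwds, mode)
    return cfg


def select_forwarders(cfg: ForwardConfig, qname: str) -> Tuple[Optional[str], List[str], str]:
    """The most specific forward zone enclosing qname wins; otherwise the
    global forwarders apply.  Returns (zone name or None, forwarders, mode)."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        zone = cfg.zones.get(".".join(labels[i:]))
        if zone is not None:
            return zone.name, list(zone.forwarders), zone.mode
    return None, list(cfg.global_forwarders), cfg.global_mode


if __name__ == "__main__":
    config = load_forward_config(SAMPLE_NAMED_CONF)
    for name in ("apple.com", "example.com", "dc1.test.example.com"):
        print(name, "->", select_forwarders(config, name))
```

Note what the "only" mode means in practice: with `forward only`, names under test.example.com are sent to 10.0.0.5 and 10.0.0.6 and nowhere else, so when the laptop is off-site and those controllers are unreachable, named answers SERVFAIL for that zone instead of trying to resolve the names itself. That is the desired behaviour for AD-only names, while example.com itself (not inside the forward zone) still goes to the global forwarders.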
Best Answer
My MacBook is also bound to an AD domain, but I do not have any such DNS issues. DNS settings are configurable per network connection type in System Preferences: System Preferences > Network > Advanced > DNS.
Simply edit (if allowed?) the DNS entry for the connection type. You can have more than two DNS entries, so for example, you might simply ADD Google DNS to the work DNS. In this case, if the work DNS servers are not available, it will fail over to Google DNS.
You could do this for all network types, or perhaps just for wifi, if you use a hardline at work.