MacOS High Sierra not trying other DNS servers

dnshigh sierramacos

On one of my laptops which is running macOS High Sierra, is failing to resolve hostnames. I have specified two DNS servers in my network settings. One is an internal DNS server, and the other is 8.8.8.8. When I try to resolve local hostnames that the internal DNS knows, it resolves properly. But when I try to resolve something like google.com it fails.

I see that it tries to use the internal DNS server first, and since it doesn't know the hostname, I thought it would try to use 8.8.8.8 to resolve the hostname, but it never tries the other DNS server.

When I try this from my other laptop, it works properly i see

$>nslookup google.com
;; Got SERVFAIL reply from <internal dns>, trying next server
Server:     8.8.8.8
Address:    8.8.8.8#53

Non-authoritative answer:
Name:   google.com
Address: 172.217.5.110

But from the one where it doesn't I see

$>nslookup google.com
Server:        <internal dns>
Address:    <internal dns>#53

** server can’t find google.com: SERVFAIL

There is no attempt to try the 8.8.8.8 DNS server. Why is that happening? How can I get it to try the other DNS server if it fails with one.

Best Answer

First: nslookup does not use the system DNS resolver, and does not behave the same way that the system resolver does. Neither do dig or host, so none of these tools are useful for checking how macOS resolves names. If you want to use the system resolver, use dscacheutil -q host -a name google.com, but note that it uses the entire resolution system -- it looks in the local cache, /etc/hosts, mDNS (for .local names), and then DNS. Oh, and the man page for dscacheutil claims it can flush the DNS cache, but it doesn't work; use sudo killall mDNSResponder instead.

Second: the system resolver does not do a good (or even adequate) job of failing over between DNS servers. If you list multiple servers, it'll fire off queries to all of them in a sort of randomized-round-robin fashion. If it doesn't get a response, it'll eventually time out and try the other one. If it gets a "that doesn't exist" response, it assumes that's correct and doesn't try any other server. As a result, you really need a single server that can answer all queries, both internal and external.

Ok, there's one possible workaround: you can point your system at a public DNS server, then create /etc/resolver/ and put files in it to redirect queries for certain domains to your internal server. Provided you know what domains to redirect, that is. See Apple.SE: "Do /etc/resolver/ files work in Mountain Lion for DNS resolution?".

Related Solutions

MacOS – How to fix when I can nslookup and dig an internal hostname, but I cannot ping or ssh to the internal machine

Starting from Lion (except Yosemite between 10.10 and 10.10.3), the command for flushing the DNS cache is:

$ sudo killall -HUP mDNSResponder

There is a solution at https://superuser.com/questions/326848/strange-ns-behavior-on-os-x-cant-connect-to-ssh-server.

MacOS – List DNS servers in Mavericks

First, if networksetup -getdnsservers <service name> does not show anything, you don't have anything listed in System Preferences > Netowrk under "DNS Servers:".

Second, it is important to note that OS X does not handle DNS like most systems. Per https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man5/resolver.5.html Essentially this means that OS X has multiple DNS clients depending on your configuration. The result of these multiple services means that there are situations whereby using Safari to access a website (http://www.example.com) will take you to an IP address that OS X has retrieved from DNS (say 1.2.3.4) while at the same time, performing a dig

$ dig www.example.com

will return different results. (perhaps 2.3.4.5)

The reason for this lies in the way that OS X handles DNS.

If you run $ man dig you get among other things, the following:

Mac OS X NOTICE The dig command does not use the host name and address resolution or the DNS query routing mechanisms used by other processes running on Mac OS X. The results of name or address queries printed by dig may differ from those found by other processes that use the Mac OS X native name and address resolution mechanisms. The results of DNS queries may also differ from queries that use the Mac OS X DNS routing library.

Also $man nslookup will return something similar

Mac OS X NOTICE The nslookup command does not use the host name and address resolution or the DNS query routing mechanisms used by other processes running on Mac OS X. The results of name or address queries printed by nslookup may differ from those found by other processes that use the Mac OS X native name and address resolution mechanisms. The results of DNS queries may also differ from queries that use the Mac OS X DNS routing library.

All this is really a rather lengthy way of saying, the best way to see what DNS servers are being used is to look at System Preferences > Network

The "DNS Server:" entires are usually there, and "Search Domains:" will allow you to search for incomplete addresses.

If "DNS Server:" is not present, then OS X will try to use the address in "Router:" for DNS.

AND, on top of all this fun, there are utilities and other processes that may not be using the OS X DNS Routing Library, and they will be hitting the contents of /etc/resolv.conf directly.

The short short answer is this:

If you go by the contents of System Preferences > Network, you are looking at the same thing that most processes are using.
The Contents of System Preferences > Network, should populate /etc/resolv.conf, but not always.
Some other processes (like dig and nslookup) are accessing /etc/resolv.conf directly.

And, on top of all this - If you are not using the VPN clients built in to OS X, it is possible that additional routes and DNS servers are being used that networksetup -getdnsservers <service name> will not show. Your VPN client may have the ability to show you the routes and DNS servers, I know that mine does.

I know that this does not precisely answer your question, but hopefully this helps you realize that it is not always easy to find out what the "truth" is regarding DNS on a Mac. Generally you are safe assuming that the contents of System Preferences > Network, or the contents of networksetup -getdnsservers <service name> are where you are getting your DNS from. However if things seem weird, keep in mind that there are other possibilities too. Use dig to help determine if there are differences afoot.

Last, for those readers who are wondering how to get the <service name> in networksetup -getdnsservers <service name>, try using networksetup -listallnetworkservices

Bill

Best Answer

Related Solutions

MacOS – How to fix when I can nslookup and dig an internal hostname, but I cannot ping or ssh to the internal machine

MacOS – List DNS servers in Mavericks

Related Question