MacOS – Internet Sharing handing out wrong DNS server address

dnsinternet-sharingmacosNetwork

I'm using a MacBook Pro with OS X Mavericks 10.9.2. It connects to the internet via a USB 3G dongle, and I want to share that internet connection via wifi. However, on devices that connect to the created wifi access point, DNS lookup will not work (though I can ping 8.8.8.8 just fine). If I statically configure the devices to use 8.8.8.8, everything works, but not every device supports that (or only if you're also willing to configure a static IP and gateway).

The problem seems to be that OS X configures bootp (the DHCP server) to hand out a DNS server address of the MacBook itself:

$ cat /etc/bootp.list
...
            <key>dhcp_domain_name_server</key>
            <array>
                <string>192.168.2.1</string>
            </array>
...

This is indeed the IP address of the machine itself:

$ ifconfig
...
bridge100: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    options=3<RXCSUM,TXCSUM>
    ether 02:26:bb:66:19:64
    inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
...

And it's what clients are receiving in the DHCP response:

$ sudo tcpdump -vv
15:26:07.265635 IP (tos 0x0, ttl 255, id 9846, offset 0, flags [none], proto UDP (17), length 328)
    192.168.2.1.bootps > 192.168.2.2.bootpc: [udp sum ok] BOOTP/DHCP, Reply, length 300, xid 0x4e0988af, Flags [none] (0x0000)
      Your-IP 192.168.2.2
      Server-IP 192.168.2.1
      Client-Ethernet-Address 10:bf:48:cc:49:7d (oui Unknown)
      sname "ip-77-24-232-37.web.vodafone.de"
      Vendor-rfc1048 Extensions
        Magic Cookie 0x63825363
        DHCP-Message Option 53, length 1: ACK
        Server-ID Option 54, length 4: 192.168.2.1
        Lease-Time Option 51, length 4: 85536
        Subnet-Mask Option 1, length 4: 255.255.255.0
        Default-Gateway Option 3, length 4: 192.168.2.1
        Domain-Name-Server Option 6, length 4: 192.168.2.1

Now, that would be fine if it actually worked as written here, i.e. OS X runs a bind (named) server itself, that just forwards DNS requests and responses to the ISP's servers.

However… using tcpdump I can see that the client is getting an error response from its DNS lookups:

$ sudo tcpdump
15:23:33.181447 IP 192.168.2.2.57291 > 192.168.2.1.domain: 32713+ A? google.com. (28)
15:23:33.181528 IP 192.168.2.1 > 192.168.2.2: ICMP 192.168.2.1 udp port domain unreachable, length 36

Indeed, no named server is running, and it doesn't even seem to be installed:

$ ps aux | grep named
thomas           2175   0.0  0.0  2423368    188 s000  R+    3:14pm   0:00.00 grep named
$ which named
$

Nothing else is listening on UDP port 53 either, though there is a thing called mDNSResponder on 5353:

$ sudo lsof -i -P | grep 53
mDNSRespo   47 _mdnsresponder    8u  IPv4 0x4dcb7c0f075daa1d      0t0    UDP *:5353
mDNSRespo   47 _mdnsresponder    9u  IPv6 0x4dcb7c0f075da835      0t0    UDP *:5353
natpmpd   1664           root    4u  IPv4 0x4dcb7c0f064b6f15      0t0    UDP 192.168.2.1:5351

Now I can think of two ways to fix this, neither very practical:

  1. Run some DNS server on UDP port 53. Unfortunately, none is installed.
  2. Tell DHCP to hand out a DNS server address that actually works, like 8.8.8.8. Unfortunately, the InternetSharing application overwrites /etc/bootp.plist each time internet sharing is turned on, so even if I added an IP address there and even if it would work, it wouldn't work forever.

But something tells me that this should (and usually does) work correctly out of the box… what am I missing?

Best Answer

The article you reference was indeed correct for when it was published and that's how it works prior to Mavericks. Under Mountain Lion 'named' get's launched when Internet Sharing is active with /etc/com.apple.named.proxy.conf as the config file. This is all observable under Mountain Lion - I verified it.

However, domain name resolution isn't just based on DNS under OS X like it is in other OSen, but instead it's based on Directory Services -- which permits DNS lookups from flat-files, NIS, NetInfo, LDAP, ZeroConfig/Bonjour ... and DNS -- and it's mDNSResponder that's used for resolution of these name turns. (As per its man page mDNSResponder is also the system-wide Unicast DNS Resolver. It's what is (or should) doing the DNS resolution for your Internet Shared clients under Mavericks. (It was odd that they fired up named under Mt Lion rather than using mDNSResponder back then.)

When Internet Sharing is activated either named (pre-Mavericks) or mDNSResponder (Mavericks) is the "DNS server" that should perform name resolution for Internet Sharing, and that correctly makes 192.168.2.1 the DNS server for the NAPT'ed clients of Internet Sharing. So the straight and simple answer to your questions is that it's not handing out the "wrong DNS server address".

This demonstrable worked for me setting up Internet Sharing to share out my WiFi connection via Ethernet. Clients served by Internet Sharing sent DNS requests to 192.168.2.1 were observed to receive there queries correctly from a browser and when issuing dig @192.168.2.1 apple.com; I observed this in action with tcpdump to verify. Everything "just works" as you'd expect.

I note that in this configuration from the hosting Mac I'm also able to telnet 192.168.2.1 53 and connect to mDNSResponder. I also note that I have the Service Order for the configured networks set with WiFi having precedence over the Ethernet.

However when running this in reverse, sharing the Ethernet connection via WiFi I initially experienced the same issue you were seeing. Namely I saw the UDP DNS request sent over but no response back, just like you observed. Ping passed through to 8.8.8.8 and resolving against 8.8.8.8 using dig worked fine too. I was all prepared to write this up as a bug but I later had the opportunity to restart my MacBook Pro and tried this again, also assuring this time I had Ethernet having precedence over WiFi in the Network preference pane Service Order. This time it "just worked" and I wasn't able to recreate the issue. Problem solved by reboot and checking service order.

Additionally I verified that I could:

  • Issue a dig @192.168.2.1 apple.com from a client (assigned 192.168.2.3) of Internet Sharing and receive a successful response. I also observed the UDP query and response using tcpdump:

01:01:05.620240 IP 192.168.2.3.58817 > 192.168.2.1.domain: 34923+ A? apple.com. (27) 01:01:06.051566 IP 192.168.2.1.domain > 192.168.2.3.58817: 34923 3/0/0 A 17.149.160.49, A 17.172.224.47, A 17.178.96.59 (75)

  • From the hosting Mac was able to telnet 192.168.2.1 53 and receive a connection.

Internet Sharing has always been a bit fragile. I've often seen weird behavior and have found it's best to restart before attempting to run Internet Sharing or at least to "Make [the] Service Inactive" in Network Preferences for the interfaces in question and then set them active again. (Be sure also to "Apply" when making such changes".) Additionally the Service Order (which controls the default gateways) can also have an impact (as would be expected.) You may also wish to make sure you're using the Apple supplied Location "Automatic" (or a reasonable facsimile). Remember when debuging also that each network interface can have it's own gateway and prefered DNS server to use since after around Leopard or so.

So I'd suggest three things: (1) a reboot and confirm your network service order precedence and/or (2) a clean install of Mavericks to see if this resolves your issues, as well as (3) verify you can get Internet Sharing working where Ethernet is shared out over WiFi and vise versa. If you can't make (3) work then you need to look at something specifically configured wrong on your Mac and again that suggests a clean install.

If you can get it working for Ethernet -> WiFi and WiFi -> Ethernet, this suggests something with the USB Dongle -- and perhaps adjusting the Service Order so it's a higher precedence may be required.

Make sure also you don't have any Firewall rules or are running Little Snitch or anything that may interfere.

Internet Sharing appears also to have some debugging options if you issue

$ /usr/libexec/InternetSharing --help

These, and it's log file, along with the log file for mDNSResponder, might also be useful if you're still having issues.

But as the answer to the question: It's not handing out the wrong DNS server address in DHCP as 192.168.2.1 is the "right" DNS server for Internet Sharing to be handing out based on how it's designed to operate. And mDNSResponder is what should be handling DNS on the host running Internet Sharing under Mavericks. No `named is needed.

Related Question