macOS – Using launchctl and dnsmasq for Localhost Domain Spoofing

dnslaunchdweb app

I am usually a Linux user, but I would like to test my mojolicious webapp on a macOS system. thus, I would like *.test *.*.test and *.*.*.test all to resolve to 127.0.0.1, where my webapp is eagerly listening on port 80 .

I understand that this is best done by installing dnsmasq. For macOS,

# brew install dnsmasq

and then

# echo "address=/test/127.0.0.1" >> /usr/local/dnsmasq.conf
# launchctl start dnsmasq
# launchctl list | grep dns
89254   0   homebrew.mxcl.dnsmasq

so, if I understand this correctly, ping abc.test should now ping localhost. alas, it does not. (or, is there a better way to test?)

I also do not understand how to shut down and restart dnsmasq. launchctl restart dnsmasq, launchctl kill dnsmasq.mxcl.dnsmasq, and launchctl disable 89254 (and many permutations thereof) all seem to elicit scorn but no results.

Best Answer

You've not said which version of MacOS you're on; my reply here is from macOS Sierra Version 10.12.5. (I'm using it in order to run tests against a VMWare installation of ADCS...)

First, the commands to stop and start dnsmasq are:

sudo launchctl stop homebrew.mxcl.dnsmasq
sudo launchctl start homebrew.mxcl.dnsmasq

ETA If launchctl stop doesn't actually stop it, it's likely that the .plistfile (presumably /Library/LaunchDaemons/homebrew.mxcl.dnsmasq.plist contains the lines

<key>KeepAlive</key>
<true/>

If you don't want it to be always on, change that to

<key>KeepAlive</key>
<false/>

instead. Or you can disable it with

sudo launchctl disable homebrew.mxcl.dnsmasq

The next time you want to turn it on, run

sudo launchctl enable homebrew.mxcl.dnsmasq

Second, you should check the other values of your dnsmasq.conf file. Here's mine:

[jenny@temeraire ~] $ grep -v ^# /usr/local/etc/dnsmasq.conf | grep -v ^$
domain-needed
bogus-priv
resolv-file=/usr/local/etc/resolv.conf
server=/ad.dybedahl.se/192.168.226.10
server=/226.168.192.in-addr.arpa/192.168.226.10
listen-address=127.0.0.1
no-negcache

Note the line resolv-file. It tells dnsmasq which nameservers to use for hosts that aren't in the dnsmasq config. In my case, it looks like this:

[jenny@temeraire ~] $ more /usr/local/etc/resolv.conf 
nameserver 8.8.8.8
nameserver 8.8.8.4

So all DNS lookups that aren't answered by my virtual AD server will be handled by Google's nameservers, meaning that I can still connect to hosts that aren't in my config.

Third, to debug whether dnsmasq acts properly, don't use ping. Instead, use dig, like so:

dig @127.0.0.1 abc.test

To test whether your system is using dnsmasq as its resolver, again use dig:

dig abc.test

It will tell you what nameserver it's using, among other things.

Dig will give you information about how the lookup is actually done.

Fourth, in order to use dnsmasq as your resolver, you need to also change /etc/resolv.conf to point to 127.0.0.1 instead of whatever it now points at. You should start by copying your current /etc/resolv.conf to /usr/local/etc/resolv.conf, so that dnsmasq will know what nameservers to use. Then change /etc/resolv.conf to read

nameserver 127.0.0.1

On my laptop, I do this in System Preferences -> Network -> DNS. I'm not sure how you do it on a server; perhaps simply editing the file will work.

TL;DR

You typically want to use launchctl load -w and launchctl unload -w.
start and stop are usually reserved for testing or debugging a job.

Details

launchctl start <label>: Starts the job. This is usually reserved just for testing or debugging a particular job.
launchctl stop <label>: Stops the job. Opposite of start, and it's possible that the job will immediately restart if the job is configured to stay running.

launchctl remove <label>: Removes the job from launchd, but asynchronously. It will not wait for the job to actually stop before returning, so no error handling on this one.

launchctl load <path>: Loads and starts the job as long as the job is not "disabled."
launchctl unload <path>: Stops and unloads the job. The job will still restart on the next login/reboot.

launchctl load -w <path>: Loads and starts the job while also marking the job as "not disabled." The job will restart on the next login/reboot.
launchctl unload -w <path>: Stops and unloads and disables the job. The job will NOT restart on the next login/restart.

Where do I find the job label for a daemon, is it in the plist file?

Yes, it's in the plist file and it typically matches the filename of the plist file.

Using tmux and pbpaste, pbcopy, and launchctl

Okay, I found a solution...

Chris Johnsen has a good writeup of what causes this problem on github.

His tools work, but a better solution, if you have homebrew installed to:

brew install reattach-to-user-namespace

Then in your ~/.tmux.conf add these lines:

set-option -g default-command "reattach-to-user-namespace -l zsh" # or bash
bind C-c run "tmux show-buffer | reattach-to-user-namespace pbcopy"
bind C-v run "reattach-to-user-namespace pbpaste | tmux load-buffer - && tmux paste-buffer"

The first line ensures your shell can talk to pbpaste, pbcopy and launchctl now with no worries.

The second line lets you copy the tmux paste buffer into the Mac's paste buffer by typing control-b control-c (replace control-b with your tmux prefix key).

The third line will directly paste the Mac's paste buffer by typing control-v. As a side-effect it copies the Mac's paste buffer into tmux's paste buffer.

I'd prefer if I could nuke tmux's paste buffer entirely and have it paste directly into the Mac`s paste buffer, but... oh well.

Best Answer

Related Solutions

Launchctl difference between load and start, unload and stop

TL;DR

Details

Using tmux and pbpaste, pbcopy, and launchctl

Related Question