MacOS – List DNS servers in Mavericks


How to check which DNS server was used to resolve particular hostname within VPN network?

I am using company-provided proprietary VPN client and want to see DNS server's IP address, but

networksetup -getdnsservers <service name>

does not list any DNS servers at all. However, I can ping any server in internal network, so DNS is apparently working.

How does DNS lookup work on OSX with/without VPN connections?

Best Answer

First, if networksetup -getdnsservers <service name> does not show anything, you don't have anything listed in System Preferences > Network under "DNS Servers:".

Second, it is important to note that OS X does not handle DNS like most systems. Per https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man5/resolver.5.html, essentially this means that OS X has multiple DNS clients depending on your configuration. The result of these multiple services means that there are situations whereby using Safari to access a website (http://www.example.com) will take you to an IP address that OS X has retrieved from DNS (say 1.2.3.4) while at the same time, performing a dig

$ dig www.example.com  

will return different results (perhaps 2.3.4.5).

The reason for this lies in the way that OS X handles DNS.

If you run $ man dig you get among other things, the following:

Mac OS X NOTICE The dig command does not use the host name and address resolution or the DNS query routing mechanisms used by other processes running on Mac OS X. The results of name or address queries printed by dig may differ from those found by other processes that use the Mac OS X native name and address resolution mechanisms. The results of DNS queries may also differ from queries that use the Mac OS X DNS routing library.

Also, $ man nslookup will return something similar:

Mac OS X NOTICE The nslookup command does not use the host name and address resolution or the DNS query routing mechanisms used by other processes running on Mac OS X. The results of name or address queries printed by nslookup may differ from those found by other processes that use the Mac OS X native name and address resolution mechanisms. The results of DNS queries may also differ from queries that use the Mac OS X DNS routing library.

All this is really a rather lengthy way of saying, the best way to see what DNS servers are being used is to look at System Preferences > Network.

The "DNS Server:" entries are usually there, and "Search Domains:" will allow you to search for incomplete addresses.

If "DNS Server:" is not present, then OS X will try to use the address in "Router:" for DNS.

AND, on top of all this fun, there are utilities and other processes that may not be using the OS X DNS Routing Library, and they will be hitting the contents of /etc/resolv.conf directly.

The short short answer is this:

  1. If you go by the contents of System Preferences > Network, you are looking at the same thing that most processes are using.
  2. The contents of System Preferences > Network should populate /etc/resolv.conf, but not always.
  3. Some other processes (like dig and nslookup) are accessing /etc/resolv.conf directly.

And, on top of all this, if you are not using the VPN clients built into OS X, it is possible that additional routes and DNS servers are being used that networksetup -getdnsservers <service name> will not show. Your VPN client may have the ability to show you the routes and DNS servers, I know that mine does.

I know that this does not precisely answer your question, but hopefully this helps you realize that it is not always easy to find out what the "truth" is regarding DNS on a Mac. Generally you are safe assuming that the contents of System Preferences > Network, or the contents of networksetup -getdnsservers <service name>, are where you are getting your DNS from. However, if things seem weird, keep in mind that there are other possibilities too. Use dig to help determine if there are differences afoot.

Last, for those readers who are wondering how to get the <service name> in networksetup -getdnsservers <service name>, try using networksetup -listallnetworkservices.

Bill
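The answer above names three places a resolver address can come from (System Preferences via networksetup, /etc/resolv.conf, and whatever a third-party VPN client pushes) and notes that dig and the native resolver can disagree. The script below is an added example, not part of the question or answer, that cross-checks them on one machine; it goes a little beyond the answer by also reading scutil --dns and dscacheutil, two macOS commands the answer does not mention, and it assumes www.example.com as the hostname to compare.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check the DNS sources
# the answer lists. Live commands only run on macOS; the parsing helpers
# work on any text, so they can be exercised on constructed samples.

# nameserver IPs from resolv.conf-style text on stdin
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# networksetup -getdnsservers prints one IP per line, or a sentence such as
# "There aren't any DNS Servers set on Wi-Fi." when none are set; keep IPs only
networksetup_servers() {
    grep -E '^[0-9a-fA-F.:]+$' || true
}

# "nameserver[N] : IP" entries from scutil --dns on stdin (assumed command,
# not mentioned in the answer); resolvers pushed by a VPN client show up here
scutil_nameservers() {
    awk '$1 ~ /^nameserver\[[0-9]+\]$/ { print $3 }' | sort -u
}

# print the entries of list $1 (newline separated) that are absent from list $2
missing_from() {
    printf '%s\n' "$1" | while IFS= read -r ip; do
        [ -n "$ip" ] || continue
        printf '%s\n' "$2" | grep -qxF "$ip" || printf '%s\n' "$ip"
    done
}

if command -v networksetup >/dev/null 2>&1 && command -v scutil >/dev/null 2>&1; then
    # what System Preferences > Network holds, across every service
    # (first line of -listallnetworkservices is a legend; "*" marks disabled)
    prefs=$(networksetup -listallnetworkservices | tail -n +2 | sed 's/^\*//' |
        while IFS= read -r svc; do networksetup -getdnsservers "$svc" 2>/dev/null; done |
        networksetup_servers | sort -u)
    live=$(scutil --dns | scutil_nameservers)
    conf=$(resolv_nameservers < /etc/resolv.conf)
    echo "In the system resolver (scutil) but not in System Preferences:"
    missing_from "$live" "$prefs"
    echo "In /etc/resolv.conf but not in the system resolver:"
    missing_from "$conf" "$live"
    # dig reads /etc/resolv.conf; dscacheutil asks the native resolver
    host=www.example.com
    echo "dig answer:             $(dig +short "$host" | head -n 1)"
    echo "native resolver answer: $(dscacheutil -q host -a name "$host" | awk '/^ip_address/ { print $2; exit }')"
fi
```

Any address printed under the first heading is one the VPN client (or something else outside System Preferences) injected, and a mismatch between the two final answers reproduces the dig-versus-Safari discrepancy the answer describes.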