Safari DNS – Safari Ignores DNS Server on macOS Big Sur

big surdnsmacosNetworksafari

I am using an Eero Pro 6 device for my home wifi connection.

The "Eero Secure" product offers to let you block certain domains. I have entered "reddit.com" in the block list, and it seems to work:

$ nslookup reddit.com
Server:     192.168.4.1
Address:    192.168.4.1#53

Non-authoritative answer:
Name:   reddit.com
Address: 192.168.4.1

192.168.4.1 is my routers IP address, and ends up redirecting to https://blocked.eero.com. All is good here, and this is what I want.

The trouble is that Safari (on my Mac, iPad, and iPhone) seems to find a way around this, and is able to load reddit.com without issue. No amount of dscacheutil -flushcache, Develop -> Empty Caches, rebooting, resetting safari, etc – nothing seems to work.

Does anyone have any ideas? Here is my scutil -dns:

DNS configuration

resolver #1
  nameserver[0] : 192.168.4.1
  if_index : 9 (en0)
  flags    : Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

resolver #3
  domain   : 254.169.in-addr.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300200

resolver #4
  domain   : 8.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300400

resolver #5
  domain   : 9.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300600

resolver #6
  domain   : a.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300800

resolver #7
  domain   : b.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 301000

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 192.168.4.1
  if_index : 9 (en0)
  flags    : Scoped, Request A records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

edit: forgot to point out that I am using macOS Big Sur, and iOS/iPadOS 14.

Best Answer

Safari is not doing anything untoward here. My DNS based block for reddit.com worked fine - but not www.reddit.com, old.reddit.com (even though the Eero block includes subdomains), and so on. From the command line:

$ nslookup www.reddit.com
Server:     192.168.4.1
Address:    192.168.4.1#53

Non-authoritative answer:
Name:   www.reddit.com
Address: 192.168.4.1

Because of that, I expected Safari to resolve www.reddit.com to 192.168.4.1. However, www.reddit.com (and others like old.reddit.com) are actually CNAMEs:

$ dig -t cname www.reddit.com
... snipped output ...
;; ANSWER SECTION:
www.reddit.com.     300 IN  CNAME   reddit.map.fastly.net.

So, it looks like Safari looks up www.reddit.com, sees that it is a CNAME for reddit.map.fastly.net, and then resolves reddit.map.fastly.net and is able to load the page - while displaying www.reddit.com in the URL bar.

I am not saying Safari is doing anything wrong here - this seems like totally reasonable behavior - it was just unexpected to me.

I have now added a DNS block for reddit.map.fastly.net, and everything works as expected.

Related Solutions

MacOS – Mac OS X Mountain Lion – DNS resolving uses wrong order on VPN via dial-up connection

I had the same problem on my Mac, and after fixing it I have figured out that it was caused by FortiClient (VPN client). Even when FortiClient was disconnected - it's DNS still appeared in the scutil.

The solution for me was:

scutil
> list ".*DNS"

This will show you a list of all DNS configs, that will look something like:

subKey [0] = State:/Network/Global/DNS <br>
subKey [1] = State:/Network/MulticastDNS<br>
subKey [2] = State:/Network/OpenVPN/DNS<br>
subKey [3] = State:/Network/OpenVPN/OldDNS<br>
subKey [4] = State:/Network/PrivateDNS<br>
subKey [5] = State:/Network/Service/forticlientsslvpn/DNS <br>

To check each of them run: (until you find the problematic one)

> get key_name
> d.show

…and to fix it run:

> get key_name
> d.remove ServerAddresses
> set key_name

This is how it looked on my machine:

> get State:/Network/Service/forticlientsslvpn/DNS 
> d.show
<dictionary> {
  ServerAddresses : <array> {
    0 : 192.168.30.6
    1 : 192.168.30.15
  }
  SupplementalMatchDomains : <array> {
    0 :
  }
  SupplementalMatchOrders : <array> {
    0 : 100000
  }
}
> d.remove ServerAddresses
> d.show
<dictionary> {
  SupplementalMatchDomains : <array> {
    0 :
  }
  SupplementalMatchOrders : <array> {
    0 : 100000
  }
}
> set State:/Network/Service/forticlientsslvpn/DNS
> exit

MacOS – Fixing Internet Sharing from WiFi to Ethernet in Mountain Lion

This is indeed quite broken in Mountain Lion. Once you've fixed up the default route as you describe in the question, you're still left with the problem that Mountain Lion is giving its bridge interface address to clients as both the router address (which is correct) and as the DNS server address (which isn't).

Verify that this is the problem by entering an HTTP server IP address into the address bar on a client web browser when connected through your Mac after you fix default routes, and it should load up fine.

My solution to this problem is to fix up the route as you describe -- which could be automated, of course -- and to keep BIND (aka /usr/sbin/named) running in the background on my Mac in a forward-only configuration, forwarding all queries to Google's public DNS servers. This doesn't fix the underlying brokenness in Mountain Lion, but it makes things start working for the clients.

A couple useful resources:

http://www.macshadows.com/kb/index.php?title=How_To:_Enable_BIND_-_Mac_OS_X%27s_Built-in_DNS_Server (how to fire up BIND on OS X)

http://gleamynode.net/articles/2267/ (how to configure BIND for forward-only operation -- of course you will not want to make BIND only listen on 127.0.0.1)

It would be far preferable for Apple to make this feature of their OS work as advertised, but in the meantime I've found this is a viable workaround.

Best Answer

Related Solutions

MacOS – Mac OS X Mountain Lion – DNS resolving uses wrong order on VPN via dial-up connection

MacOS – Fixing Internet Sharing from WiFi to Ethernet in Mountain Lion

Related Question