Do /etc/resolver/ files work in Mountain Lion for DNS resolution?

Can anyone tell me if adding a file under /etc/resolver will work for DNS resolution using a DNS server other than what is handed out via DHCP?

My issue is that I want to use OpenDNS for a client's home DNS resolution in order to take advantage of the filtering and anti-scam capabilities, but the massive disadvantage is that here in Australia things such as Apple content are delivered by a CDN (Akamai) which will then serve content using a US-based delivery point.

What I want to do is have the DNS server address handed out via DHCP be the local router address (DNSMasq using OpenDNS DNS servers) and then, for example, place a file called apple.com under /etc/resolver with the following line:

nameserver 203.12.160.35

The idea is that any DNS request to apple.com would be resolved by a TPG (my ISP) DNS server rather than the local router's DNSMasq daemon using OpenDNS servers.

So I have done this and the output of scutil --dns is:

DNS configuration

resolver #1
  search domain[0] : harland
  nameserver[0] : 192.168.10.1
  nameserver[1] : 192.168.10.1
  if_index : 4 (en2)
  reach    : Reachable,Directly Reachable Address

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  order    : 300000

resolver #3
  domain   : 254.169.in-addr.arpa
  options  : mdns
  timeout  : 5
  order    : 300200

resolver #4
  domain   : 8.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  order    : 300400

resolver #5
  domain   : 9.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  order    : 300600

resolver #6
  domain   : a.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  order    : 300800

resolver #7
  domain   : b.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  order    : 301000

resolver #8
  domain   : apple.com
  nameserver[0] : 8.8.8.8

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : harland
  nameserver[0] : 192.168.10.1
  nameserver[1] : 192.168.10.1
  if_index : 4 (en2)
  flags    : Scoped
  reach    : Reachable,Directly Reachable Address

Now the output of an nslookup on apple.com is:

macbookair:resolver ilium007$ nslookup apple.com
Server:     192.168.10.1
Address:    192.168.10.1#53

Non-authoritative answer:
Name:   apple.com
Address: 17.149.160.49
Name:   apple.com
Address: 17.172.224.47

So I am not using the TPG DNS server - I am still resolving against 192.168.10.1, which is the local router. Does the order of the resolvers matter? i.e. the entry created after I place the apple.com file in /etc/resolver is resolver #8:

resolver #8
  domain   : apple.com
  nameserver[0] : 8.8.8.8

I would really like a way to make this work - any help would be appreciated.


Solution 1:

This question seems a bit old, but I'm going to answer it anyways as I had a similar problem:

Yes, this works.

Your first problem is that you obviously have the wrong IP (8.8.8.8 instead of 203.12.160.35) in /etc/resolver/apple.com. Verify that the contents of this file are really:

nameserver 203.12.160.35

Then scutil --dns should have an entry like this:

resolver #8
  domain   : apple.com
  nameserver[0] : 203.12.160.35

The second problem is that you tried to verify it using nslookup which does not use the DNS resolution mechanisms of OS X. If you look at the man page of nslookup you will find this:

Mac OS X NOTICE
   The nslookup command does not use the host name and address resolution or the DNS
   query routing mechanisms used by other processes running on Mac OS X.  The results of
   name or address queries printed by nslookup may differ from those found by other
   processes that use the Mac OS X native name and address resolution mechanisms. The
   results of DNS queries may also differ from queries that use the Mac OS X DNS routing
   library.

To check your DNS config you could do

dns-sd -G v4 images.apple.com

and verify if it yields the same IP as

nslookup images.apple.com 203.12.160.35
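
As an added check (example code, not from the answer), the following Python parses scutil --dns output and reports which resolver a name is routed to, assuming the most specific matching domain suffix wins, as it does for /etc/resolver entries; SAMPLE is trimmed from the question's listing, where apple.com ends up at 8.8.8.8 rather than 203.12.160.35.

```python
# Added example (not from the answer): parse `scutil --dns` output and show which
# resolver macOS picks for a name. SAMPLE is trimmed from the question's listing.
SAMPLE = """\
DNS configuration

resolver #1
  nameserver[0] : 192.168.10.1
  nameserver[1] : 192.168.10.1

resolver #8
  domain   : apple.com
  nameserver[0] : 8.8.8.8

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 192.168.10.1
  flags    : Scoped
"""

def parse_scutil_dns(text):
    """Return the unscoped resolvers as dicts with 'domain' and 'nameservers'."""
    resolvers, cur = [], None
    for line in text.splitlines():
        if line.startswith("DNS configuration (for scoped"):
            break  # interface-scoped resolvers are not used for ordinary lookups
        if line.startswith("resolver #"):
            cur = {"domain": "", "nameservers": []}
            resolvers.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.partition(":")
            key, val = key.strip(), val.strip()
            if key == "domain":
                cur["domain"] = val.lower().rstrip(".")
            elif key.startswith("nameserver["):
                cur["nameservers"].append(val)
    return resolvers

def resolver_for(name, resolvers):
    """Most specific domain suffix wins (how configd routes /etc/resolver
    entries); the resolver without a domain is the default fallback."""
    name = name.lower().rstrip(".")
    best = None
    for r in resolvers:
        d = r["domain"]
        if d == "" or name == d or name.endswith("." + d):
            if best is None or len(d) > len(best["domain"]):
                best = r
    return best
```

Pipe real output in with `scutil --dns` and call resolver_for on the names you care about; a resolver listing the wrong nameserver, as in the question, is visible before any query is sent.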

Solution 2:

Using resolver files is actually not the recommended way of doing that.
Instead you should create a DNS resolver with scutil.

To see all DNS queries on interface en0, open a Terminal and run:

sudo tcpdump -n -i en0 port 53

Open another Terminal window and run:

sudo dscacheutil -flushcache
sudo killall -HUP mDNSResponder
ping apple.stackexchange.com -c1

The first two lines flush your DNS cache, so the system has to send out a request for sure. Why ping? ping uses the normal system APIs to resolve DNS names, unlike host, dig, and nslookup, which do all DNS resolution on their own so that they can query arbitrary DNS servers and not just those configured in the system.

You should see in tcpdump that your standard DNS server is queried, right?

Well, let's change that:

sudo scutil
d.init
d.add ServerAddresses * 9.9.9.9
d.add SupplementalMatchDomains * stackexchange.com
set State:/Network/Service/whatever-you-want-as-long-as-unique/DNS

You can quit that interactive scutil console either with quit or by hitting CTRL+C.

Now try the DNS flush and ping again and watch what tcpdump says. It says that 9.9.9.9 is queried! Well, check out scutil --dns:

resolver #2
  domain   : stackexchange.com
  nameserver[0] : 9.9.9.9
  flags    : Supplemental, Request A records
  reach    : 0x00000002 (Reachable)
  order    : 101000

See, you got a new resolver. Also note that stackexchange.com has been added to the search domain list of your primary resolver (#1). This allows you to

# ping apple
PING apple.stackexchange.com (151.101.65.69): 56 data bytes

Sweet. Now let's get rid of it again:

sudo scutil
remove State:/Network/Service/whatever-you-want-as-long-as-unique/DNS

That's basically it. A couple of notes:

  • You can add multiple DNS servers and search domains separated by space,
    e.g. d.add ServerAddresses * 9.9.9.9 8.8.8.8

  • You can see what you've configured so far with d.show

  • whatever-you-want-as-long-as-unique means that every service must have a unique ID. Apple uses UUIDs for that, but you can in fact use anything as long as it won't conflict with existing services (and it cannot contain / as that's the separator character). To see what already exists, just use list, and to see the content of an existing key use show <key>.

  • Your global DNS settings, those found in /etc/resolv.conf, are in fact from scutil; check out show State:/Network/Global/DNS. If you change that key, the content of /etc/resolv.conf will change accordingly. But you shouldn't ever do so, as this key is managed by the system and will be overwritten on various occasions (pretty much any network change, DHCP renew, etc.).

  • To see what other commands exist, use help.

  • sudo scutil is only required if you want to change keys. Reading keys is also possible as normal user.

BTW: 9.9.9.9 is Quad9. It's like 8.8.8.8 but guarantees your privacy (no IP addresses are ever logged) and tries to protect you by not resolving known malicious domains. Whereas 8.8.8.8 logs your IP address and keeps that information for 24 to 48 hours, see here.
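
The add/remove steps above wrapped in a function (added example, not from the answer), so the constraints from the notes (valid IPs, a service id without /) are enforced before anything is handed to scutil; the service id and server list are constructed placeholders.

```python
# Added example (not from the answer): build the scutil script shown above as a
# function, with the checks from the notes (IPs valid, service id has no '/').
import ipaddress
import subprocess

def scutil_script(service_id, servers=(), domains=(), remove=False):
    """Return the scutil commands that add (or remove) a supplemental resolver."""
    if not service_id or "/" in service_id:
        raise ValueError("service id must be non-empty and must not contain '/'")
    key = f"State:/Network/Service/{service_id}/DNS"
    if remove:
        return f"remove {key}\n"
    if not servers or not domains:
        raise ValueError("need at least one server and one match domain")
    for s in servers:
        ipaddress.ip_address(s)  # raises ValueError for anything that is not an IP
    return "\n".join([
        "d.init",
        "d.add ServerAddresses * " + " ".join(servers),
        "d.add SupplementalMatchDomains * " + " ".join(domains),
        f"set {key}",
    ]) + "\n"

def apply_script(script):
    """Feed the script to `sudo scutil` on stdin (needs root, macOS only)."""
    subprocess.run(["sudo", "scutil"], input=script, text=True, check=True)

if __name__ == "__main__":
    # Constructed placeholder id; any unique string without '/' works.
    print(scutil_script("example-split-dns", ["9.9.9.9"], ["stackexchange.com"]))
```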