Snow leopard broke my dns

79333 Views 149 Replies Latest reply: Apr 9, 2010 4:44 PM by jice0 RSS
  • MuddyBulldog Level 2 Level 2 (215 points)
    Nov 23, 2009 9:53 AM (in response to dropadrop)
    There seems to be some confusion as to how the resolver handles DNS entries (on top of the fact that Apple has acknowledged that on some occasions it will read them in reverse order).

    1) When querying DNS the secondary (and tertiary) entries are for use when the primary does not respond at all, meaning it is down or otherwise unreachable. It is NOT a cascade where if the first one doesn't have the answer to your question then the client will try the second and third. If the primary is reachable but can't resolve, the response is the equivalent of "no such host" and that's the end of the conversation; the second and third DNS servers are not used.

    2) The resolver does not necessarily start "at the top" every time you make a DNS query. If the primary DNS server is unreachable the resolver tries the second one. If the second one answers the resolver may essentially blacklist the first one and keep using the second one until the resolver is reset. Otherwise every query will be subject to a (normally 5 second) delay because it's retrying the unreachable primary every time. This is why a dig command may succeed in resolving, since you're querying a specific name server, whereas another application may fail since it's using the DNS server that is currently preferred by its resolver instance, which may not be the same server.

    On another note. An IT staff that uses internal DNS but also passes along external DNS server addresses so that if internal goes down clients can still get to the internet has not been educated properly. You should only ever use internal OR external, not both.

    In the Windows (Active Directory) world you use internal only, period. This is canon and is not debatable or flexible and anyone who says otherwise is undereducated.

    Outside of Windows there are still plenty of issues to be found. For example, a resolver may be configured to rotate the DNS servers for load balancing purposes (typically a non-default option). Say you have two internal DNS and two external DNS configured. Since the resolver is rotating through the DNS servers your requests for resolution of internal hosts are going to fail 50% of the time when they go to external servers that have no idea what your internal DNS is.

    I understand the "if internal DNS goes down you can still get to the internet" argument and why it seems reasonable on the surface. As a consultant I've seen it done MANY times and in every case the reason I came to know that it was done is because I was called in to fix some type of problem that inevitably tied back to DNS. Rest assured that many more problems have been solved by REMOVING those external servers than web surfing minutes have been saved by having them there.

    If you're in a home where your router is your DNS server then there is no reason to use external DNS on your client because if your internal DNS goes down it's because your router is down which means you're not going anywhere anyway.

    If you run your own internal DNS server where if DNS goes down you could still reach the internet and are tempted to configure clients to use external DNS "just in case", don't. The proper solution is to set up a second DNS server.

    The bug in Snow Leopard where it reads DNS servers in reverse order is a bug, yes. But it's not the problem. It's simply more visibly exposing the configuration issue that is the actual problem.
    MBP MB604LL/A 17" 2.66Ghz/4.0GiB/320GB; MB MB061LL/B 2.0Ghz/4.0GiB/500GB, Mac OS X (10.6.1), TV; iPod Classic 6G 80GB; iPod Touch 2G 8GB
  • William Kucharski Level 6 Level 6 (14,425 points)
    Nov 23, 2009 1:37 PM (in response to MuddyBulldog)
    MuddyBulldog wrote:
    The bug in Snow Leopard where it reads DNS servers in reverse order is a bug, yes. But it's not the problem. It's simply more visibly exposing the configuration issue that is the actual problem.


    Except in the case where the secondary DNS server is on a slow link and is intended only to provide connectivity in the case where the primary is down.

    That's a correct configuration but can cause difficulties in this situation.
    Quad 2.5 GHz G5, 5 GB | 15" 2.6 GHz MBP Penryn, 4 GB | 1 TB Dual-Band TC, Mac OS X (10.6.2)
  • MuddyBulldog Level 2 Level 2 (215 points)
    Nov 24, 2009 3:36 AM (in response to William Kucharski)
    William Kucharski wrote:
    MuddyBulldog wrote:
    The bug in Snow Leopard where it reads DNS servers in reverse order is a bug, yes. But it's not the problem. It's simply more visibly exposing the configuration issue that is the actual problem.


    Except in the case where the secondary DNS server is on a slow link and is intended only to provide connectivity in the case where the primary is down.

    That's a correct configuration but can cause difficulties in this situation.

    Yes, that is where this bug rears its head through no fault of the client configuration.
    MBP MB604LL/A 17" 2.66Ghz/4.0GiB/320GB; MB MB061LL/B 2.0Ghz/4.0GiB/500GB, Mac OS X (10.6.1), TV; iPod Classic 6G 80GB; iPod Touch 2G 8GB
  • gpy Level 1 Level 1 (0 points)
    Nov 24, 2009 7:56 AM (in response to MuddyBulldog)
    I know that, but even when connected through tethering, same story... more reliable than at home. It seems like an incompatibility of SL with some DNS settings residing on the carrier side (I mean, the DSL provider)... which is not happening with Leopard (it's incredible, but at home now we use the spare MacBook with 10.5.8 to surf the web and act as a proxy, sharing the internet connection...)
    mbp17 mid09 2.8Ghz 4Gb 500Gb@7200rpm glossy, Mac OS X (10.6.2)
  • MuddyBulldog Level 2 Level 2 (215 points)
    Nov 24, 2009 9:47 AM (in response to gpy)
    gpy wrote:
    I know that, but even when connected through tethering, same story... more reliable than at home. It seems like an incompatibility of SL with some DNS settings residing on the carrier side (I mean, the DSL provider)... which is not happening with Leopard (it's incredible, but at home now we use the spare MacBook with 10.5.8 to surf the web and act as a proxy, sharing the internet connection...)

    Again, due to a difference in the resolution methodology. When you tether, the default gateway and DNS servers get forced to those of the tethering provider, disregarding any problematic DNS configurations that may be present on the client.
    MBP MB604LL/A 17" 2.66Ghz/4.0GiB/320GB; MB MB061LL/B 2.0Ghz/4.0GiB/500GB, Mac OS X (10.6.2), TV; iPod Classic 6G 80GB; iPod Touch 2G 8GB
  • justinbb Calculating status...
    Dec 9, 2009 12:54 PM (in response to MuddyBulldog)
    This posting is so helpful that it should be used as the basis for a section in the Mac OS X Server system administration manuals and/or a tech note. It is the sort of clear and detailed information that system administrators need to make sure things work properly. It is particularly important because design decisions in the implementation of DNS resolution in Snow Leopard were made with certain assumptions of correct practice in mind, and these practices are neither universally known nor universally adhered to.

    (The documentation group will no doubt take care of changing the tone from conversational to documentation-style. )
    Mac Pro (Early 2009), Mac OS X (10.6.2)
  • gpy Level 1 Level 1 (0 points)
    Dec 11, 2009 9:46 AM (in response to MuddyBulldog)
    So the solution would be which one?

    a) waiting for a possible resolution in 10.6.3 (even if I doubt it will ever arrive, as the problem is happening only with certain combinations of SL + DSL providers)
    b) call the provider and have them update their DNS Servers? (and which one and/or which versions they should get?)
    c) rollback to Leopard?

    I got the third option at the moment... do you know if there is an open bug for this issue?

    Funny enough, the fact is that the exact configuration under Leopard (and when I say exact I mean absolutely identical) allows us to surf, move, browse sites very fast... in SL, DNS can't resolve major CDN sites like gstatic or m0.google.com to m(n) of Google Maps... leaving us with huge white blocks on un-rendered sites... under Leopard, same browser, version, machine... works great!

    Message was edited by: gpy
    mbp17 mid09 2.8Ghz 4Gb 500Gb@7200rpm glossy, Mac OS X (10.5.8)
  • bld2 Calculating status...
    Dec 16, 2009 5:51 PM (in response to MuddyBulldog)
    A Cisco Anyconnect VPN split DNS configuration is a legitimate use case completely busted by this Snow Leopard bug. A typical setup looks something like this:

    resolver #1
    domain : vpn.domain
    nameserver[0] : <vpn-resolver-ip>
    nameserver[1] : <standard-isp-resolver-ip>
    order : 1

    The intent is that non-VPN hosts will be cascaded from the vpn-resolver back to the standard-isp-resolver, and VPN hosts will be resolved by the vpn-resolver. However, due to this bug, the former still works but the latter intermittently fails because it sometimes sends VPN hostname lookups to the standard-isp-resolver first.

    The only workarounds are to keep bouncing the mDNSResponder or move away from a split-DNS policy.

    I really hope Apple fixes this in 10.6.3 which I hear rumblings is imminent. This is a terrible bug.
    Mac OS X (10.6.2)
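    The following is an added example, not code from the thread or from Apple: a small Python model of the resolver semantics MuddyBulldog describes (only a timeout moves on to the next nameserver, "no such host" ends the query, rotation spreads queries across the list) applied to bld2's split-DNS scope above. All server names, host names and addresses are constructed; the "reverse" flag stands in for the reported Snow Leopard behaviour of reading the nameserver list back to front.

```python
# Toy model of the stub-resolver failover semantics the thread describes.
# Added example; server/host names and addresses are constructed. A server
# returns an address, "no such host" (NXDOMAIN) or times out; only a timeout
# moves the resolver to the next entry, an NXDOMAIN answer ends the query.
from itertools import cycle
TIMEOUT, NXDOMAIN = "timeout", "nxdomain"

class Server:
    def __init__(self, name, records, up=True):
        self.name, self.records, self.up = name, records, up

    def query(self, host):
        # A down server never answers; an up server answers or says NXDOMAIN.
        return TIMEOUT if not self.up else self.records.get(host, NXDOMAIN)

class Resolver:
    # rotate: round-robin load balancing across the list (non-default option)
    # reverse: the Snow Leopard bug of reading the nameserver list back to front
    def __init__(self, servers, rotate=False, reverse=False):
        self.servers = list(reversed(servers)) if reverse else list(servers)
        self._start = cycle(range(len(self.servers))) if rotate else None

    def resolve(self, host):
        n = len(self.servers)
        first = next(self._start) if self._start is not None else 0
        for i in range(n):
            answer = self.servers[(first + i) % n].query(host)
            if answer != TIMEOUT:
                return answer      # an address or NXDOMAIN both end the query
        return TIMEOUT             # every configured server was unreachable

INTERNAL = Server("internal", {"fileserver.corp": "10.0.0.5",
                               "www.example.com": "192.0.2.10"})
EXTERNAL = Server("isp", {"www.example.com": "192.0.2.10"})

def mixed_list_failures(trials=10):
    # Internal plus external servers with rotation: an internal name fails
    # whenever the query starts at the ISP server, i.e. every other lookup.
    r = Resolver([INTERNAL, EXTERNAL], rotate=True)
    return sum(r.resolve("fileserver.corp") == NXDOMAIN for _ in range(trials))

def primary_down():
    # Failover proper: the primary times out, so the secondary answers.
    down = Server("internal", INTERNAL.records, up=False)
    return Resolver([down, EXTERNAL]).resolve("www.example.com")

def split_dns(reverse):
    # bld2's VPN scope: vpn-resolver first, ISP second. Reversed, the ISP
    # server answers NXDOMAIN for the VPN name and the query ends there.
    vpn = Server("vpn-resolver", {"wiki.vpn.domain": "10.8.0.20"})
    return Resolver([vpn, EXTERNAL], reverse=reverse).resolve("wiki.vpn.domain")
```

    Running `split_dns(True)` shows the intermittent failure bld2 reports: the VPN name gets a "no such host" answer from the ISP server, and the vpn-resolver is never consulted.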
  • William Kucharski Level 6 Level 6 (14,425 points)
    Dec 17, 2009 1:17 AM (in response to bld2)
    I understand, but it seems a little strange to not have your internal DNS be a caching server, since it would be asked to resolve every address first even in a traditional BIND environment…
    Quad 2.5 GHz G5, 5 GB | 15" 2.6 GHz MBP Penryn, 4 GB | 1 TB Dual-Band TC, Mac OS X (10.6.2)
  • bld2 Level 1 Level 1 (15 points)
    Dec 17, 2009 9:41 AM (in response to William Kucharski)
    How many VPN users have the wherewithal to set up their own DNS server? This is a very common deployment with VPN solutions -- I've seen it with OpenVPN as well.
  • donallo270770 Calculating status...
    Dec 17, 2009 4:31 PM (in response to gpy)
    It's taken me ages to get here as Safari couldn't find my server AGAIN. Since upgrading my system to 10.6.x I have not been able to successfully access the internet without constant timeouts, Safari not finding servers, and I cannot send attachments in my mail because it times out every few minutes. Aperture cannot upload to servers anymore. The other machine on the network runs Leopard, which I have to use until I roll back to Leopard on this machine.

    Apple as usual are keeping quiet and pretending the problem with DNS dropouts on SL does not exist. So I think I'll give it until January and see if there's a fix in the next update, as I have tried everything suggested by worldwide forums documenting the problem. *January rollback here we come, along with the return of my sanity!!!!!*
    imac, Mac OS X (10.6.2), snow leopard is crap
  • omnimac Calculating status...
    Dec 20, 2009 4:29 PM (in response to dropadrop)
    This is a strange solution, but I have found a way for my clients to re-connect without having to restart. In all, create two identical locations. When your network connection goes down, toggle the location to the other one. Toggling to the other location (in this case the network uses DHCP) renews the network.
    Mac Pro, Mac OS X (10.6.2)
  • swimboy Calculating status...
    Jan 1, 2010 10:46 AM (in response to sduensin)
    You're not the only one. I have a similar setup, with only a single DNS server being supplied by DHCP to my clients behind my firewall. That DNS server provides internal addresses for all of the resources behind the firewall, and forwards all other requests to my ISP's DNS.

    My Mac running SL knows only about the single DNS server behind the firewall; but every once in a while, it somehow gets a DNS response that could only come from some DNS server outside the firewall. It seems to cache this response, because immediately after, I can still submit a query for another device that is behind the firewall but definitely hasn't been cached, and I get the correct response.

    It doesn't seem to be the mDNSresolver switching to another DNS as described by others, because there are no other DNS servers to switch to, and other queries performed immediately after the problem get resolved correctly.

    I'm certain that there is only one DNS server configured. I've double-checked the DHCP server configuration, I've tried manually overriding the DNS configuration, I've checked the contents of /etc/resolv.conf and the output of scutil --dns, and there is only the internal DNS server.

    It's like mDNSResponder really is pulling some other DNS server out of thin air to use every once in a while.
    Mac OS X (10.6.2)
  • Daniel Stranathan Level 1 Level 1 (60 points)
    Jan 5, 2010 9:48 AM (in response to JohnDCCIU)
    There is a bug in 10.6.2 in my opinion. I have started a discussion over at the Ars site. Check it out.

    http://episteme.arstechnica.com/eve/forums/a/tpc/f/8300945231/m/845000282041
    Xserve, Mac OS X (10.6)
  • NASCHO Calculating status...
    Jan 15, 2010 3:53 PM (in response to swimboy)
    I am having the exact same problem.

    Mac Mini: DNS server(BIND), SL 10.6.2
    IP: 10.0.0.10/24 (STATIC)

    MBP: Client, SL 10.6.2
    IP: 10.0.0.96/24 (DHCP RESERVED)

    10.0.0.10 is the only DNS server registered with the MBP via DHCP, and there are no other entries in the network control panel Advanced/DNS section -- sometimes it resolves internal IPs properly, sometimes not. External IPs are always resolved properly.

    dig always works since it uses /etc/resolv.conf (which has only one nameserver entry pointing at , but MDNS Responder and the apps that use it don't reliably resolve local names.

    This broke after upgrading my MBP to Snow Leopard; also note that I have an Ubuntu 9.10 laptop and it consistently resolves all DNS just fine.

    Hopefully this will be fixed in 10.6.3...

    NAS
    iMac 8,1, Mac OS X (10.6.2)