DNS forwarders issue with VPN client
Hi,
So we have a VPN client (Cato Networks) where we have set up conditional forwarders for our internal AD domains so it sends DNS resolution requests to our on-prem AD DNS servers.
It works but it is broken: sometimes it works, sometimes it doesn't.
We tried many things, but it seems that this is a known issue in macOS compared to Windows.
Sometimes macOS doesn't use our AD servers to resolve internal DNS names but uses my home ISP DNS servers.
See below: a ping fails, but for some reason an nslookup works.
thomas.cmd@LT-macbook ~ % ping azuredevops.eu.acme.local
ping: cannot resolve azuredevops.eu.acme.local: Unknown host
thomas.cmd@LT-macbook ~ % nslookup azuredevops.eu.acme.local
Server: 10.254.254.1
Address: 10.254.254.1#53
azuredevops.eu.acme.local canonical name = prdapp04.azure.acme.com.
Name: prdtfsapp04.azure.acme.com
Address: 10.56.18.100
My /etc/resolv.conf seems to have been altered by our VPN with the entry below, which logically looks OK.
thomas.cmd@LT-macbook ~ % cat /etc/resolv.conf
#
# macOS Notice
#
# This file is not consulted for DNS hostname resolution, address
# resolution, or the DNS query routing mechanism used by most
# processes on this system.
#
# To view the DNS configuration used by this system, use:
# scutil --dns
#
# SEE ALSO
# dns-sd(1), scutil(8)
#
# This file is automatically generated.
#
search eu.acme.local acme.local azure.acme.com
nameserver 10.254.254.1
Even though macOS has a /etc/resolv.conf file, it does not seem to be used; rather, the OS has its own way of doing DNS resolution, and scutil --dns lets you see what is configured.
But using scutil I noticed that for scoped queries my ISP DNS servers have priority 1 (194.168.4.100), which doesn't look good, but that is not something I have set up and I have no clue how to change that.
We want all VPN DNS queries and Internet queries to go through 10.254.254.1.
thomas.cmd@LT-macbook ~ % scutil --dns
DNS configuration
resolver #1
search domain[0] : eu.acme.local
search domain[1] : acme.local
search domain[2] : azure.acme.com
nameserver[0] : 10.254.254.1
if_index : 23 (utun4)
flags : Supplemental, Request A records
reach : 0x00000003 (Reachable,Transient Connection)
order : 100400
DNS configuration (for scoped queries)
resolver #1
search domain[0] : eu.acme.local
search domain[1] : acme.local
search domain[2] : azure.acme.com
nameserver[0] : 194.168.4.100
nameserver[1] : 194.168.8.100
if_index : 15 (en0)
flags : Scoped, Request A records
reach : 0x00000002 (Reachable)
resolver #2
search domain[0] : eu.acme.local
search domain[1] : acme.local
search domain[2] : azure.acme.com
nameserver[0] : 10.254.254.1
if_index : 23 (utun4)
flags : Scoped, Request A records
reach : 0x00000003 (Reachable,Transient Connection)
thomas.cmd@LT-macbook ~ %
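The two scutil --dns configurations quoted in the post are what the system resolver actually consults: ping resolves through it, while nslookup talks directly to the nameserver listed in /etc/resolv.conf, which is why the two commands disagree. As an added example that is not part of the original post, the Python script below parses that output (reconstructed here as a constructed sample) and flags scoped resolvers that advertise the internal search domains yet point at nameservers other than the VPN's. The internal domains and the expected nameserver 10.254.254.1 are taken from the post; the function names and the dnscheck.py file name are my own.

```python
# Added diagnostic (not from the post): parse `scutil --dns` output and
# report which resolver would handle an internal name in each configuration.
import re
import sys
from dataclasses import dataclass, field

# Constructed sample, reproducing the two configurations shown in the post.
SAMPLE_SCUTIL_DNS = """\
DNS configuration
resolver #1
  search domain[0] : eu.acme.local
  search domain[1] : acme.local
  search domain[2] : azure.acme.com
  nameserver[0] : 10.254.254.1
  if_index : 23 (utun4)
  flags    : Supplemental, Request A records

DNS configuration (for scoped queries)
resolver #1
  search domain[0] : eu.acme.local
  search domain[1] : acme.local
  search domain[2] : azure.acme.com
  nameserver[0] : 194.168.4.100
  nameserver[1] : 194.168.8.100
  if_index : 15 (en0)
  flags    : Scoped, Request A records
resolver #2
  search domain[0] : eu.acme.local
  search domain[1] : acme.local
  search domain[2] : azure.acme.com
  nameserver[0] : 10.254.254.1
  if_index : 23 (utun4)
  flags    : Scoped, Request A records
"""


@dataclass
class Resolver:
    number: int
    search_domains: list = field(default_factory=list)
    nameservers: list = field(default_factory=list)
    interface: str = ""
    flags: str = ""


def parse_scutil_dns(text):
    """Split the output into the unscoped ('default') and 'scoped' resolver lists."""
    config = {"default": [], "scoped": []}
    section, current = "default", None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("DNS configuration"):
            section = "scoped" if "scoped" in line else "default"
            current = None
        elif (m := re.match(r"resolver #(\d+)", line)):
            current = Resolver(number=int(m.group(1)))
            config[section].append(current)
        elif current is not None and " : " in line:
            key, value = (p.strip() for p in line.split(" : ", 1))
            if key.startswith("search domain"):
                current.search_domains.append(value.lower().rstrip("."))
            elif key.startswith("nameserver"):
                current.nameservers.append(value)
            elif key == "if_index":  # "23 (utun4)" -> "utun4"
                iface = re.search(r"\((\w+)\)", value)
                current.interface = iface.group(1) if iface else value
            elif key == "flags":
                current.flags = value
    return config


def in_domain(name, domain):
    """True when `name` equals `domain` or lies beneath it (label-aware, no substring match)."""
    name = name.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)


def resolvers_for(resolvers, name):
    """Resolvers advertising a search domain that `name` falls under."""
    return [r for r in resolvers if any(in_domain(name, d) for d in r.search_domains)]


def scoped_mismatches(config, expected_ns, internal_domains):
    """Scoped resolvers that claim an internal search domain but would hand the
    query to a nameserver other than the VPN's (the 'ISP DNS answers' symptom)."""
    internal = {d.lower().rstrip(".") for d in internal_domains}
    return [r for r in config["scoped"]
            if internal & set(r.search_domains) and expected_ns not in r.nameservers]


def report(config, name, expected_ns, internal_domains):
    lines = [f"{section:8s} resolver #{r.number} on {r.interface or '-'}: "
             f"{', '.join(r.nameservers)}  [{r.flags}]"
             for section in ("default", "scoped")
             for r in resolvers_for(config[section], name)]
    lines += [f"WARNING: scoped resolver #{r.number} on {r.interface} would send internal "
              f"names to {', '.join(r.nameservers)} instead of {expected_ns}"
              for r in scoped_mismatches(config, expected_ns, internal_domains)]
    return "\n".join(lines)


if __name__ == "__main__":
    # Pipe live output in with `scutil --dns | python3 dnscheck.py`; otherwise the sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SCUTIL_DNS
    print(report(parse_scutil_dns(text), "azuredevops.eu.acme.local",
                 "10.254.254.1", ["eu.acme.local", "acme.local"]))
```

On the sample this prints the utun4 resolver from the unscoped configuration, both scoped resolvers, and one warning for the en0 scoped resolver, whose search list still names the AD domains while its nameservers are the ISP's; that is exactly the resolver a query scoped to the Wi-Fi interface would hit.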