Domain-specific DNS server on MacOS


Check out your DNS configuration using scutil --dns. Resolver #1 is what handles my ordinary DNS lookups; #2 handles the .local domain (via mDNS). Resolver #3 is the reverse lookup for the 169.254 APIPA address space, and so on.

jason@jmbp15-ati ~> scutil --dns
DNS configuration

resolver #1
  search domain[0] : home
  nameserver[0] : 8.8.8.8
  flags    : Request A records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

resolver #3
  domain   : 254.169.in-addr.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300200

[...]
resolver #8
  domain   : ds
  nameserver[0] : 10.7.0.1
  flags    : Request A records
  reach    : 0x00000002 (Reachable)

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : home
  nameserver[0] : 8.8.8.8
  if_index : 4 (en0)
  flags    : Scoped, Request A records
  reach    : 0x00000002 (Reachable)

Resolver #8 is what I have added to resolve a custom TLD “ds”.

To add an additional resolver to a Mac, create a directory at /etc/resolver.

sudo mkdir /etc/resolver

For each domain that should go to a specific nameserver, create a file named after that domain containing a nameserver line (or lines) in the same syntax as resolv.conf. For my internal domain I used the following command:

echo 'nameserver 10.7.0.1' | sudo tee /etc/resolver/ds

Now, when I run scutil --dns again I see my newly created resolver:

resolver #8
  domain   : ds
  nameserver[0] : 10.7.0.1
  flags    : Request A records
  reach    : 0x00000002 (Reachable)

Note: 10.7.0.1 needs to be a DNS server that answers queries for the ds domain.

A quick lookup confirms that my configuration is doing what I want it to do. Another thing I discovered when looking into this is that dig and nslookup on OSX don't use the OS resolver configuration: they read /etc/resolv.conf directly and bypass the system resolver, so they ignore the files in /etc/resolver. dscacheutil goes through the system resolver, so it is the right tool to test with.

$ dscacheutil -q host -a name sanfran.ds
name: sanfran.ds
ip_address: 10.7.0.100
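As an added example (not the post's own code), here is a small POSIX shell helper that writes the /etc/resolver/<domain> file in the same nameserver syntax, rejects malformed domain names and addresses so a typo cannot create a file outside the resolver directory, and checks the output of scutil --dns for the new resolver. RESOLVER_DIR is an assumed override so the helper can be tried against a scratch directory before touching /etc.

```shell
#!/bin/sh
# Added example, not from the original post. Writes a per-domain resolver
# file in the resolv.conf syntax that /etc/resolver/<domain> uses, with
# basic input checks, and verifies from `scutil --dns` output that macOS
# picked it up. RESOLVER_DIR is an assumed override (default /etc/resolver).
RESOLVER_DIR="${RESOLVER_DIR:-/etc/resolver}"

# Plain hostname labels only, so an argument cannot name a file outside RESOLVER_DIR.
valid_domain() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$'
}

# Dotted-quad IPv4 with every octet in 0..255.
valid_ipv4() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.
  for octet in $1; do
    [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
  done
  IFS=$old_ifs
}

# add_resolver DOMAIN NAMESERVER [NAMESERVER...]
# Creates RESOLVER_DIR/DOMAIN with one "nameserver <ip>" line per address.
add_resolver() {
  [ $# -ge 2 ] || { echo "usage: add_resolver DOMAIN NAMESERVER..." >&2; return 1; }
  domain=$1; shift
  valid_domain "$domain" || { echo "invalid domain: $domain" >&2; return 1; }
  for ns in "$@"; do
    valid_ipv4 "$ns" || { echo "invalid nameserver: $ns" >&2; return 1; }
  done
  mkdir -p "$RESOLVER_DIR" && : > "$RESOLVER_DIR/$domain" || return 1
  for ns in "$@"; do
    printf 'nameserver %s\n' "$ns" >> "$RESOLVER_DIR/$domain"
  done
}

# resolver_listed DOMAIN NAMESERVER  (reads `scutil --dns` output on stdin)
# Succeeds only if some "resolver #N" block has domain DOMAIN and lists NAMESERVER.
resolver_listed() {
  awk -v d="$1" -v ns="$2" '
    /^resolver #/  { dom = "" }
    $1 == "domain" { dom = $3 }
    $1 ~ /^nameserver\[/ && dom == d && $3 == ns { found = 1 }
    END { exit found ? 0 : 1 }'
}

# On a Mac (root is needed to write under /etc/resolver):
#   sudo sh -c '. ./resolver.sh; add_resolver ds 10.7.0.1'
#   scutil --dns | resolver_listed ds 10.7.0.1 && echo "resolver for ds is active"
```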

And that's it. If I want forward or reverse zones to resolve using a specific nameserver on OSX, it's that simple: for a reverse zone, name the file after the in-addr.arpa zone (the same convention the built-in 254.169.in-addr.arpa resolver above uses).