macOS DNS Resolve Issue in Internal Network with Bind9 as DNS Service

bindinternal-dnsmacmac-osx

I'm using Bind9 as a DNS service to resolve some domain names internally. The topology is simple, with one router for all internal computers, and all computers using an internal DNS to resolve both internal and external domain names.

Let's say we have a domain name "domain.com", which has a public A record handled by a service provider like GoDaddy and is assigned to a public IP address, while my internal DNS is set (the same domain name) to resolve it as a private IP address internally.

The interesting thing is that on macOS (Ventura), if I use ping or a browser like Safari, that domain name will always be resolved to the public IP. However, if I use dig or nslookup, the resolver and result are correct with the private IP. Flushing DNS (using "dscacheutil -flushcache" and "sudo killall -HUP mDNSResponder", also clearing Bind9 cache) does not resolve this issue.

All these machines have IP addresses and DNS server IP allocated by a DHCP server, and that DNS is the only source for resolving all domain names.

All other systems like Linux or Windows resolve the same domain name correctly to the designated private IP without any problem. Also, it looks like only the domain (or subdomain) that has been assigned a public IP will be resolved incorrectly on macOS (all non-assigned domain or subdomain names are correct internally). So I'm guessing Bind9 is resolving (or recursively using) some forwarders?

are there any configurations to enforce resolving the internal record first? or is there something I need to fix specifically for this case?

Demo

Thank you for any help!

Best Answer

Ok, problem solved. It turned out to be the iCloud+ Private Relay is routing traffic to Apple's own DNS server. I think it will probably only affect Ping and Safari. Turn it off will resolve it. Hope this will help if folks running into this issue in future.

Related Solutions

BIND – Overriding DNS Entries in BIND for Internal Networks

The best method is via the response policy zone in Bind 9.8.1 or newer. It allows you to override single records in arbitrary zones (and there's no need to create a whole subdomain for that, only the single record you want to change), it allows you to override CNAMEs, etc. Other solutions such as Unbound cannot override CNAMEs.

https://www.redpill-linpro.com/sysadvent/2015/12/08/dns-rpz.html

EDIT: Let's do this properly then. I will document what I've done based on the tutorial linked above.

My OS is Raspbian 4.4 for Raspberry Pi, but the technique should work without any changes on Debian and Ubuntu, or with minimal changes on other platforms.

Go to where your Bind config files are kept on your system - here it's in /etc/bind. Create in there a file called db.rpz with the following contents:

$TTL 60
@            IN    SOA  localhost. root.localhost.  (
                          2015112501   ; serial
                          1h           ; refresh
                          30m          ; retry
                          1w           ; expiry
                          30m)         ; minimum
                   IN     NS    localhost.

localhost       A   127.0.0.1

www.some-website.com    A        127.0.0.1

www.other-website.com   CNAME    fake-hostname.com.

What does it do?

it overrides the IP address for www.some-website.com with the fake address 127.0.0.1, effectively sending all traffic for that site to the loopback address
it sends traffic for www.other-website.com to another site called fake-hostname.com

Anything that could go in a Bind zone file you can use here.

To activate these changes there are a few more steps:

Edit named.conf.local and add this section:

zone "rpz" {
  type master;
  file "/etc/bind/db.rpz";
};

The tutorial linked above tells you to add more stuff to zone "rpz" { } but that's not necessary in simple setups - what I've shown here is the minimum to make it work on your local resolver.

Edit named.conf.options and somewhere in the options { } section add the response-policy option:

options {
  // bunch
  // of
  // stuff
  // please
  // ignore

  response-policy { zone "rpz"; };
}

Now restart Bind:

service bind9 restart

That's it. The nameserver should begin overriding those records now.

If you need to make changes, just edit db.rpz, then restart Bind again.

Bonus: if you want to log DNS queries to syslog, so you can keep an eye on the proceedings, edit named.conf.local and make sure there's a logging section that includes these statements:

logging {
    // stuff
    // already
    // there

    channel my_syslog {
        syslog daemon;
        severity info;
    };
    category queries { my_syslog; };
};

Restart Bind again and that's it.

Test it on the machine running Bind:

dig @127.0.0.1 www.other-website.com. any

If you run dig on a different machine just use @the-ip-address-of-Bind-server instead of @127.0.0.1

I've used this technique with great success to override the CNAME for a website I was working on, sending it to a new AWS load balancer that I was just testing. A Raspberry Pi was used to run Bind, and the RPi was also configured to function as a WiFi router - so by connecting devices to the SSID running on the RPi I would get the DNS overrides I needed for testing.

BIND9 DNS with external view inside the internal view

Just use an acl to limit queries to your internal zone.

acl internal-networks {
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
};

zone "internal.example.com" {
    type master;
    file "internal.example.com";
    allow-query { internal-networks; };
};

You can add additional IP addresses to the internal-networks acl. It doesn't matter if they are publicly routable or not; whatever you add there can query the zone.

Best Answer

Related Solutions

BIND – Overriding DNS Entries in BIND for Internal Networks

BIND9 DNS with external view inside the internal view

Related Topic