10

Mac OS Ventura 13.3.1

I've read other questions regarding "Can ping IP but not hostname" and the answers are all related to the DNS. In my case I believe my DNS is set up correctly. Also, I'm using my router's wired connection instead of WiFi.

NOTE: The problem only occurs on my company's internal (to the VPN) servers. I can ping external servers, e.g., www.google.com.

I've flushed the DNS cache

% sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder

I'm going through my company's VPN, and in my network interface settings, I have the DNS servers set up that my IT department gave me. I can do this

% nslookup dc1-main.company.com
Server:     10.227.10.4
Address:    10.227.10.4#53

Name:    dc1-main.company.com
Address: 10.227.25.17

I can then do

% ping 10.227.25.17
PING 10.227.25.17 (10.227.25.17): 56 data bytes
64 bytes from 10.227.25.17: icmp_seq=0 ttl=125 time=41.206 ms
64 bytes from 10.227.25.17: icmp_seq=1 ttl=125 time=41.698 ms
64 bytes from 10.227.25.17: icmp_seq=2 ttl=125 time=41.714 ms
^C
--- 10.227.25.17 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 41.206/41.539/41.714/0.236 ms

But this fails

% ping dc1-main.company.com
ping: cannot resolve dc1-main.company.com: Unknown host

Here's the traceroute. For the IP, hops #4 through #64 were just * * *

% traceroute 10.227.25.17 
traceroute to 10.227.25.17 (10.227.25.17), 64 hops max, 52 byte packets
 1  192.168.40.14 (192.168.40.14)  25.321 ms  24.286 ms  24.585 ms
 2  172.16.25.1 (172.16.25.1)  24.737 ms  24.578 ms  25.052 ms
 3  192.168.150.20 (192.168.150.20)  44.081 ms  44.232 ms  43.149 ms
 4  * * *
 5  * * *
...
64  * * *

% traceroute dc1-main.company.com
traceroute: unknown host dc1-main.company.com

Why is this? TIA!

I see "Why is 'ping' unable to resolve a name when 'nslookup' works fine?" but it relates to Windows and the recommendations don't make sense for the Mac.

UPDATE: Someone requested this info

% nslookup -q=AAAA dc1-main.company.com
Server:     10.227.10.4
Address:    10.227.10.4#53

*** Can't find dc1-main.company.com: No answer

Chris F
  • 213

4 Answers

11

After wasting hours on this problem, I finally found the fix. My DHCP server hands out an internal DNS first, then an external as a secondary. That external points to Google's 8.8.8.8.

e.g.:

10.0.1.232
10.0.2.232
8.8.8.8

I removed 8.8.8.8 from my DHCP-assigned DNS server list et voila, I am now able to ping, ssh, traceroute, etc. internal resources. It appears that Apple decided to block non-DNSSEC systems when one that uses DNSSEC is in the list. DNSSEC, or Domain Name System Security Extensions, is a set of extensions to DNS that provides authentication of DNS data. So our internal DNS server (which doesn't really need DNSSEC) was not being queried because 8.8.8.8 naturally does use it. No idea why Apple would consider this a security concern.

This works:

10.0.1.232
10.0.2.232

Then my internal DNS server just sends unknowns to 8.8.8.8 instead of the client systems.

0

If you're having this problem for resolving hostnames for your internal domain, you can create a directory /etc/resolver. Then create a file named for each domain where you wish to specify a specific nameserver. For example:

sudo mkdir /etc/resolver
sudo chmod 755 /etc/resolver
sudo vi /etc/resolver/mydomain.example.com
sudo chmod 644 /etc/resolver/mydomain.example.com

Where the content of mydomain.example.com is:

nameserver 10.0.0.123

And where 10.0.0.123 is the IP address of the nameserver to be used for domain mydomain.example.com.

If you have multiple internal domains, create multiple such files.

This technique appears to supersede the list of domain servers returned via DHCP.

broc.seib
  • 123
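As an added example (my own code, not the answer's), a POSIX shell script that writes the per-domain /etc/resolver file described above, one "nameserver" line per address. The RESOLVER_DIR variable is my own addition so the script can be dry-run into a temporary directory without root; the real location is /etc/resolver and needs sudo, exactly as in the answer.

```shell
#!/bin/sh
# Added example, not code from the answer above: write one /etc/resolver file
# per internal domain, the way the answer describes. RESOLVER_DIR is an
# assumption of this script (not something macOS reads); it exists so the
# script can be dry-run into a temp directory without root.

# Return 0 if $1 is a dotted-quad IPv4 address with each octet in 0-255.
is_ipv4() {
  _saved_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$_saved_ifs
  [ $# -eq 4 ] || return 1
  for _octet in "$@"; do
    case $_octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$_octet" -le 255 ] || return 1
  done
  return 0
}

# Usage: write_resolver <domain> <nameserver-ip> [<nameserver-ip> ...]
# Creates RESOLVER_DIR/<domain> (default /etc/resolver) with one
# "nameserver" line per address, mode 644, replacing any previous file.
write_resolver() {
  _domain=$1
  shift
  if [ -z "$_domain" ] || [ $# -lt 1 ]; then
    echo "usage: write_resolver <domain> <nameserver-ip>..." >&2
    return 2
  fi
  # The file name is the domain itself, so refuse anything that is not a
  # plain sequence of hostname labels (no slashes, no leading dot).
  case $_domain in
    */*|.*|*..*|*[!A-Za-z0-9.-]*)
      echo "refusing unusual domain name: $_domain" >&2
      return 2 ;;
  esac
  for _ns in "$@"; do
    if ! is_ipv4 "$_ns"; then
      echo "not an IPv4 address: $_ns" >&2
      return 2
    fi
  done
  _dir=${RESOLVER_DIR:-/etc/resolver}
  mkdir -p "$_dir" && chmod 755 "$_dir" || return 1
  # Build the file under a temporary name and move it into place so the
  # resolver never sees a half-written file.
  _tmp=$_dir/.$_domain.$$
  : > "$_tmp" || return 1
  for _ns in "$@"; do
    printf 'nameserver %s\n' "$_ns" >> "$_tmp"
  done
  chmod 644 "$_tmp" && mv "$_tmp" "$_dir/$_domain"
}

# Command-line use:  sudo sh write_resolver.sh mydomain.example.com 10.0.0.123
if [ $# -ge 2 ]; then
  write_resolver "$@"
fi
```

After writing the file, `scutil --dns` (the command shown in a later answer) should list a scoped resolver with `domain : mydomain.example.com` and the nameserver you gave; if it does not, the file name or its permissions are the first things to check. Note the point made in another answer here: a domain ending in .local is handed to mDNS by macOS, so a resolver file for such a domain will not behave as expected.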
0

For me, the reason pinging did not work while nslookup did was that I had set a static DNS entry, proxmox.local, on my MikroTik router. I have read that Apple reserves *.local for mDNS. Once I set it to anything other than *.local, it started working.

-1

macOS is Linux-based, so you will find a file named /etc/resolv.conf with a list of DNS servers that the system should use. But macOS doesn't behave exactly like a Linux distribution, and so in the resolv.conf file you find the note:

" This file is not consulted for DNS hostname resolution, address resolution, or the DNS query routing mechanism used by most processes on this system. "

As a consequence, if you do not receive the address of a DNS server from a DHCP server or if you have not configured it in the case of a static configuration, the system could behave in an apparently irrational way.

I mean that Google Chrome will resolve names but Safari doesn't. Using the CLI, the 'ping' command will not resolve names while the 'nslookup' command will. The Mail app will not work either.

In my case a Sequoia MacBook does not receive a DNS configuration despite having a DNS configured in resolv.conf. Here's what happens:

gianrico@Gianrico-MacBook-Air ~ % scutil --dns
DNS configuration

resolver #1
  search domain[0] : itesys.local
  nameserver[0] : 8.8.8.8                  <--- he sees it but doesn't use it
  if_index : 11 (en0)
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)    <--- note this (it is reachable)
  order    : 5000

Surely all Apple applications will be unable to resolve names, but some "independent" applications will use this DNS (like nslookup) or other methods.

Finally, if ping doesn't resolve names or if browsers behave irrationally, check that you have a working DNS configured on your network card.
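The three answers above each point at something that is visible in `scutil --dns` output: a public nameserver such as 8.8.8.8 mixed into the list (the top answer), a .local domain that macOS hands to mDNS (the MikroTik answer), and a resolver whose reach field says Not Reachable (this answer). As an added example, and not code from any poster here, the POSIX shell script below parses that output and reports each of those conditions. The sample scutil --dns text it carries is constructed to resemble the output quoted in this answer; the second and third resolvers, the reach value 0x00000002 (Reachable) and the order numbers are constructed, and the scoped resolver reuses the domain and address from the /etc/resolver answer.

```shell
#!/bin/sh
# Added example (not from any answer on this page): audit `scutil --dns` output
# for a public nameserver in the list, a .local domain, and a resolver marked
# "Not Reachable". The sample text below is constructed, not captured.

# Return 0 if $1 is an RFC 1918 address (10/8, 172.16/12, 192.168/16).
is_private_ipv4() {
  case $1 in
    10.*|192.168.*) return 0 ;;
    172.*)
      _b=${1#172.}; _b=${_b%%.*}
      case $_b in ''|*[!0-9]*) return 1 ;; esac
      if [ "$_b" -ge 16 ] && [ "$_b" -le 31 ]; then return 0; fi
      ;;
  esac
  return 1
}

# Print findings for the resolver collected in _res/_ns/_dom/_reach, bump
# _count, and clear the per-resolver state.
_report_resolver() {
  [ -n "$_res" ] || return 0
  for _a in $_ns; do
    if ! is_private_ipv4 "$_a"; then
      echo "resolver #$_res: public nameserver $_a in the list; it cannot answer for internal names and, as the top answer found, can keep the internal servers from being queried"
      _count=$((_count + 1))
    fi
  done
  case " $_dom " in
    *".local "*)
      echo "resolver #$_res: domain(s)$_dom end in .local, which macOS reserves for mDNS rather than unicast DNS"
      _count=$((_count + 1)) ;;
  esac
  case $_reach in
    *"Not Reachable"*)
      echo "resolver #$_res: reach is '$_reach'; the system resolver will not send queries to$_ns"
      _count=$((_count + 1)) ;;
  esac
  _ns=""; _dom=""; _reach=""
}

# Read scutil --dns text on stdin, print one line per finding, return the count.
audit_scutil_dns() {
  _count=0; _res=""; _ns=""; _dom=""; _reach=""
  # Default IFS makes `read` strip the leading indentation scutil prints.
  while read -r _line; do
    case $_line in
      "resolver #"*)          _report_resolver; _res=${_line#"resolver #"} ;;
      nameserver*" : "*)      _ns="$_ns ${_line##*: }" ;;
      "search domain"*" : "*|domain*" : "*) _dom="$_dom ${_line##*: }" ;;
      reach*" : "*)           _reach=${_line#*: } ;;
    esac
  done
  _report_resolver
  return $_count
}

# Constructed sample in the shape of the output quoted in the answer above.
sample_scutil_dns() {
  cat <<'EOF'
DNS configuration

resolver #1
  search domain[0] : itesys.local
  nameserver[0] : 8.8.8.8
  if_index : 11 (en0)
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 5000

resolver #2
  nameserver[0] : 10.0.1.232
  nameserver[1] : 10.0.2.232
  if_index : 11 (en0)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)
  order    : 200000

resolver #3
  domain   : mydomain.example.com
  nameserver[0] : 10.0.0.123
  flags    : Request A records
  reach    : 0x00000002 (Reachable)
  order    : 100200
EOF
}

# `sh audit_dns.sh --live` audits the real system on a Mac; with no argument
# the constructed sample is audited, which runs anywhere.
_n=0
case ${1:-} in
  --live) scutil --dns | audit_scutil_dns || _n=$? ;;
  *)      sample_scutil_dns | audit_scutil_dns || _n=$? ;;
esac
echo "findings: $_n"
```

On the sample, resolver #1 produces all three findings and the two internal resolvers produce none, so the script exits with 3; a clean configuration returns 0, which makes it usable as a quick pre-check before flushing caches or editing resolver files.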