Calling on Mac Gurus


Simon Wright

Jun 8, 2025, 6:23:17 PM
to techies-f...@googlegroups.com
So I have a MacBook Pro with a weird DNS issue.

Intermittently it can't resolve server IPs, mostly around our Kamar and Print servers as these are the only two local servers that are used.
The user may be able to connect to the kamar server but not the print server or vice versa.
A ping test confirms this, can ping one server via its name, not the other. Restarts occasionally resolve this for a time.
Have done a flush of the DNS cache. The whole thing doesn't make any sense: if one server can be resolved, why not the other, and then why does it go the other way or sometimes both?

Ideally I don't want to have to set static entries in the hosts file, but it's looking that way to get this resolved.

Thoughts?

Simon.



Pete Mundy

Jun 8, 2025, 6:49:11 PM
to techies-f...@googlegroups.com
A thought:

Are you sure it's DNS? (I know I know, it's always DNS :). What happens if you ping each server by IP address? Is the IP-level connectivity gone too?

The reason I ask is because I've now witnessed a scenario at two schools that mimics what you're describing (intermittent network access from macOS hosts to a subset of other hosts on the same LAN, but not all), but in my scenario you can't even ping the host via IP (meaning it's not necessarily DNS, unless one of them happens to be your DNS server :).

I had put it on the backburner by solving the problems at hand in other ways (ie working around the limitation), but I'd be keen to explore it further if someone else is experiencing the same problem and willing to get involved. Both of the ones I've seen were in ER & SA-migrated schools (which makes my spidey-senses tingle...)

Pete

--
You received this message because you are subscribed to the Google Groups "Techies for schools" group.
To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-sch...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/techies-for-schools/CAEJps9qbO6HOCK1mWwfs6NzQaD_cAu8OTh0qWRP0O0pMjgUEQg%40mail.gmail.com.

d.keen...@gc.ac.nz

Jun 8, 2025, 6:52:46 PM
to Techies for schools
Two thoughts:
1) Privacy mode on the device, cycling the MAC addresses.
2) IPv6 entries in the DNS server; who knows which one a client will clamp onto.

So, check the DNS server entries to see what it is serving and what happens when privacy mode is turned off.

Regards,

David Keenleyside, BSc CS & IS, CTech

ITP Associate

EFF Member

ICT Technician

Glenfield College

PO Box 40176 (Kaipatiki Rd)

Glenfield, Auckland City 0629


Ph:       +64 9 444 9066 ext 677

DDI: +64 9 441 9779

Email:    d.keen...@gc.ac.nz

https://itp.nz/CTech/NZ160799

https://www.linkedin.com/in/david-keenleyside-626871/

The Three O’s of Backup: Online, Offline, Off-site.

The Three RA’s of Cloud: Run Anywhere, Run Anytime, Run Agnostic.

“When you're working as part of a team, one of the things to expect is that you should share information freely with your colleagues and that they'll share information freely with you.” - Google


Kent

Jun 8, 2025, 6:53:59 PM
to techies-f...@googlegroups.com
Hi Simon,

Check the DNS servers the user has in their Settings --> Network --> Details --> DNS
(Are these provided by the DHCP server or static?)


Then, in the Terminal, use the 'dig' command - and specify which dns server to use.

eg. dig @10.0.0.1 kamar.obhs.school.nz

If they have two DNS servers, then test for both and see that they resolve.


I believe that MacOS uses the first DNS in the list, but if this is failing it will fall back after timeout to the second. It will then cache the result locally.


> Have done a flush of the DNS cache.

Just double checking you are using the correct command for the version of MacOS 10.15 and newer:

>> sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder


This very much sounds like the DNS server they queried has returned a nil result for the query, which has then been cached.
But given you have cleared the DNS cache, and it's still failing, then it's like the DNS server that has answered their query is


Cheers
Kent
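The per-server `dig` test described in the post above, as an added example that is not part of the original post: it asks each DNS server in the client's list for the same name and reports which ones answer and which return NXDOMAIN. The function names (`dig_status`, `dig_answers`, `verdict`, `check_name`) and the sample header text are constructed for illustration; call it with the name and the server IPs from your own network settings.

```shell
#!/bin/sh
# Added example: compare what each DNS server says about one name.
# Usage: sh check_dns.sh NAME SERVER [SERVER...]

# Constructed sample of dig's header lines, for trying the parsers offline.
SAMPLE_NX=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1'

# Read dig output on stdin and print its response code (NOERROR, NXDOMAIN,
# SERVFAIL, ...). Prints TIMEOUT when no response header is present.
dig_status() {
  local status
  status=$(sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  echo "${status:-TIMEOUT}"
}

# Read dig output on stdin and print the ANSWER record count (0 if absent).
dig_answers() {
  local n
  n=$(sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
  echo "${n:-0}"
}

# Turn a response code and an answer count into a one-line verdict.
verdict() {
  case "$1" in
    NOERROR)  if [ "$2" -gt 0 ]; then echo "resolves"; else echo "no records of this type"; fi ;;
    NXDOMAIN) echo "name does not exist on this server (clients may cache this)" ;;
    TIMEOUT)  echo "no reply" ;;
    *)        echo "error: $1" ;;
  esac
}

# Query NAME against every SERVER with a short timeout and print a verdict.
check_name() {
  local name=$1 server out
  shift
  for server in "$@"; do
    out=$(dig +time=2 +tries=1 +noall +comments "@$server" "$name" A 2>&1)
    printf '%-16s %-30s %s\n' "$server" "$name" \
      "$(verdict "$(printf '%s\n' "$out" | dig_status)" "$(printf '%s\n' "$out" | dig_answers)")"
  done
}

if [ "$#" -ge 2 ]; then
  check_name "$@"
else
  # No arguments: show the verdict for the constructed sample instead.
  printf 'sample: %s\n' "$(verdict "$(printf '%s\n' "$SAMPLE_NX" | dig_status)" 0)"
fi
```

`dig` talks to the named server directly, so its result can differ from what `ping` or an application sees through the system resolver and its cache.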

Simon Wright

Jun 8, 2025, 7:47:00 PM
to techies-f...@googlegroups.com
I'll have to get the laptop back off the staff member...

DNS is provided by dhcp and has the local DNS server (first entry) followed by whatever the N4L ones are.

Yes, I could still ping the IP addresses even though the DNS wouldn't resolve.

We have been through ER and SA. His laptop has been working perfectly fine up until a week or so ago. We don't have many, but no other Mac users have reported an issue.

Kent: Yes, that was the flush command I used.

Should add that this morning couldn't resolve the Kamar server but could resolve the print server. Could ping both servers. Did an nslookup to the Kamar server and it magically resolved (without defining what server to use for lookup).



Regards,

Simon Wright





Pete Mundy

Jun 8, 2025, 9:19:07 PM
to techies-f...@googlegroups.com
WRT the comment about resolvers clamping on to a specific server - anyone interested in this topic may enjoy watching Geoff Huston's recent talk at NZNOG on the subject. It can be accessed at this link:


As always for Geoff's content - 5/5 & highly recommended from me.

Jono Hayes

Jun 8, 2025, 10:22:10 PM
to Techies for schools

Personal Apple Account with Private Relay enabled? 

FortiGate will block this as it's a DNS proxy, but then you get strange behaviour as most web browsers do DNS caching so some content will work.
The OS tools (nslookup, dig etc.) will work as they query the server directly. 

Simon Wright

Jun 8, 2025, 10:49:36 PM
to techies-f...@googlegroups.com
That's more for browsing in Safari though right?

Web browsing is not an issue. There is no issue resolving anything (that's been noted) other than local servers.


Regards,

Simon Wright



Pete Mundy

Jun 8, 2025, 11:12:17 PM
to techies-f...@googlegroups.com

Do the names for the local servers exist in public DNS or are they internal-only zones (or internal-only views of zones)? What's an example name?


Simon Wright

Jun 8, 2025, 11:28:00 PM
to techies-f...@googlegroups.com
No public DNS as they are just internal servers.

Kamar server OB-SRV-KAMAR
Print server OB-SRV-PRINT2

Their fqdn would be <server>.obhs.local

There is a public DNS for Kamar but that's just for http/s traffic (sms.obhs.school.nz). Internally this address resolves to the internal IP.

Simon.



Julian Davison

Jun 8, 2025, 11:58:09 PM
to techies-f...@googlegroups.com
Isn't that the answer, then? The mac caches an NX if it hits the N4L DNS server as the records aren't public? 

Pete Mundy

Jun 9, 2025, 12:02:19 AM
to techies-f...@googlegroups.com

Cached NX-domain reply is exactly what I was thinking too Julian (and Kent also suggested earlier), BUT the name that Simon quoted ends in .local and that's a special case that is only resolved via the mDNS resolver, not the normal unicast DNS servers... (and so the plot thickens!)

Julian Davison

Jun 9, 2025, 12:08:57 AM
to techies-f...@googlegroups.com
Ugh, I missed the .local; I'm somewhat less familiar with the lookup done for those; but...do they fallback to unicast if they have trouble with the usual mDNS? 


Pete Mundy

Jun 9, 2025, 12:36:57 AM
to techies-f...@googlegroups.com

I believe I read in Apple's documentation once upon a time that they do not (.local lookups falling back to unicast). However the latest macOS (10.15) has a new security & privacy privilege named "Local Network" which needs to be allocated to each application that wants to access the local LAN (I discovered this when it broke Airplay for many teachers until it was enabled for Chrome, and in some cases only after some very out of date installations of Chrome were updated). Apps without this privilege cannot discover local services. Could that be related...

Simon Wright

Jun 9, 2025, 12:45:01 AM
to techies-f...@googlegroups.com
Thanks Pete, will have a look at this tomorrow. 



Simon.


Jason McCarthy

Jun 9, 2025, 5:48:53 PM
to Techies for schools
Hi Simon,

Check the Apple ID and see if they have a paid subscription. If they have checked, the iCloud Private Relay is turned on. I had this issue with a teacher at a school and was unable to access KAMAR. Once turned off, it is working. 

Cheers Jason
