DNS issue on macOS

Question

I'm encountering a weird DNS issue on macOS Catalina 10.15.4:

traceroute google.com and ping google.com both returned unknown host.

However, nslookup google.com and dig google.com returned correct results with correct DNS servers (I'm using 8.8.8.8 and 8.8.4.4).

Can someone explain to me why this can happen? It seems to me that these tools are resolving DNS in different ways.

Thank you!

Neither `traceroute` nor `ping` are tools to troubleshoot DNS issues. Only `dig` is. — Patrick Mevzek, Apr 18 '20 at 22:56

score 3 · Answer 1 · answered Apr 18 '20 at 22:33

It could be that they're asking different nameservers. What I'd recommend is doing a packet capture to figure out exactly what's going on.

First start up tcpdump (or wireshark). Then you can see the DNS lookups that are happening and who they're being sent to.

I'll give an example of doing this with tcpdump because it's probably already installed on your machine.

First, open a terminal and run sudo tcpdump -n -i any port 53.

Then open another terminal next to it and run ping google.com and watch the output of the first terminal. You should see something like this:

16:21:10.831721 IP 10.1.0.106.53914 > 75.75.76.76.53: 46435+ [1au] A? google.com. (39)
16:21:10.832013 IP 10.1.0.106.54613 > 75.75.76.76.53: 15182+ [1au] AAAA? google.com. (39)
16:21:10.856574 IP 75.75.76.76.53 > 10.1.0.106.53914: 46435 1/0/1 A 172.217.1.206 (55)
16:21:10.859887 IP 75.75.76.76.53 > 10.1.0.106.54613: 15182 1/0/1 AAAA 2607:f8b0:400f:801::200e (67)

The first two lines show that I sent two queries to 75.75.76.76 for google.com, one query for IPv4 addresses (type A) and one for IPv6 address (type AAAA). The second two lines show that I got an answer back from 75.75.76.76 for my A query (172.217.1.206) and one for my AAAA query (2607:f8b0:400f:801::200e).

So try this and see who you're sending DNS queries to, and how they're different.

If you wanted to save the packet capture to a file and analyze it later, run the same command but add a -w and a file argument:

sudo tcpdump -n -i any port 53 -w my-file.pcap

When you're done, hit ctrl+c. Then you can read the contents of the file with tcpdump -n -r my-file.pcap, or open it up in wireshark.

Thank you for the detailed response! What I have found using tcpdump is that `ping` and `traceroute` are not sending any queries (nothing printed), while `nslookup` and `dig` sent queries just as expected. Do you have any suggestions where I should investigate next? Another piece of information that might be helpful is that this issue is intermittent. Everything will work if I restart the system but it will start to fail after a while.Thanks! — Qi Xi, Apr 19 '20 at 10:32
Hmmm. It could be that google.com is already cached by your operating system. You could try cleaning the cache (can't remember how to do this on MacOS) and trying it again. And is this behavior the same with other domains or just google.com? — kimbo, Apr 19 '20 at 15:04
I have tried clearing the cache but it didn't help.. and all domains are having the same behaviors :( — Qi Xi, Apr 21 '20 at 04:18
You might wanna try something in the answer to this question - https://apple.stackexchange.com/questions/26616/dns-not-resolving-on-mac-os-x — kimbo, Apr 25 '20 at 15:56

DNS issue on macOS

1 Answers1