Qi Xi

Reputation: 63

DNS issue on macOS

I'm encountering a weird DNS issue on macOS Catalina 10.15.4:

traceroute google.com and ping google.com both returned unknown host.

However, nslookup google.com and dig google.com returned correct results with correct DNS servers (I'm using 8.8.8.8 and 8.8.4.4).

Can someone explain to me why this can happen? It seems to me that these tools are resolving DNS in different ways.

Thank you!

Upvotes: 2

Views: 6293

Answers (1)

kimbo

Reputation: 2693

It could be that they're asking different nameservers. What I'd recommend is doing a packet capture to figure out exactly what's going on.

First start up tcpdump (or wireshark). Then you can see the DNS lookups that are happening and who they're being sent to.

I'll give an example of doing this with tcpdump because it's probably already installed on your machine.

First, open a terminal and run sudo tcpdump -n -i any port 53.

Then open another terminal next to it and run ping google.com and watch the output of the first terminal. You should see something like this:

16:21:10.831721 IP 10.1.0.106.53914 > 75.75.76.76.53: 46435+ [1au] A? google.com. (39)
16:21:10.832013 IP 10.1.0.106.54613 > 75.75.76.76.53: 15182+ [1au] AAAA? google.com. (39)
16:21:10.856574 IP 75.75.76.76.53 > 10.1.0.106.53914: 46435 1/0/1 A 172.217.1.206 (55)
16:21:10.859887 IP 75.75.76.76.53 > 10.1.0.106.54613: 15182 1/0/1 AAAA 2607:f8b0:400f:801::200e (67)

The first two lines show that I sent two queries to 75.75.76.76 for google.com, one query for IPv4 addresses (type A) and one for IPv6 addresses (type AAAA). The second two lines show that I got an answer back from 75.75.76.76 for my A query (172.217.1.206) and one for my AAAA query (2607:f8b0:400f:801::200e).

So try this and see who you're sending DNS queries to, and how they're different.

If you wanted to save the packet capture to a file and analyze it later, run the same command but add a -w and a file argument:

sudo tcpdump -n -i any port 53 -w my-file.pcap

When you're done, hit ctrl+c. Then you can read the contents of the file with tcpdump -n -r my-file.pcap, or open it up in wireshark.

Upvotes: 3
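As an added example (not part of the answer above), a small Python script that reads the lines `tcpdump -n -i any port 53` prints, pairs each query with its reply by resolver, client port and DNS transaction ID, and reports how many queries went to each resolver and which got no answer. It assumes the line format shown in the answer; the sample input is the answer's four lines plus one constructed query to 192.0.2.1 that never gets a reply.

```python
import re
from collections import defaultdict

# Constructed sample: the four tcpdump lines from the answer, plus one
# constructed query to a second resolver (192.0.2.1) that gets no answer.
SAMPLE = """\
16:21:10.831721 IP 10.1.0.106.53914 > 75.75.76.76.53: 46435+ [1au] A? google.com. (39)
16:21:10.832013 IP 10.1.0.106.54613 > 75.75.76.76.53: 15182+ [1au] AAAA? google.com. (39)
16:21:10.856574 IP 75.75.76.76.53 > 10.1.0.106.53914: 46435 1/0/1 A 172.217.1.206 (55)
16:21:10.859887 IP 75.75.76.76.53 > 10.1.0.106.54613: 15182 1/0/1 AAAA 2607:f8b0:400f:801::200e (67)
16:21:11.100000 IP 10.1.0.106.60001 > 192.0.2.1.53: 30001+ [1au] A? google.com. (39)
"""

# A query as tcpdump -n prints it: client.port > resolver.53: txid+ [...] TYPE? name.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.53: "
    r"(?P<txid>\d+)\+ .*?(?P<qtype>[A-Z]+)\? (?P<name>\S+)")
# A response: resolver.53 > client.port: txid[flags] answers/authority/additional ...
ANSWER_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.53 > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)[^ ]* (?P<counts>\d+/\d+/\d+)")

def summarize(capture_text):
    """Pair queries with responses by (resolver, client port, txid).
    Returns (queries_per_resolver, unanswered); unanswered is a sorted list of
    (resolver, qtype, name) for queries that never received a reply."""
    pending = {}
    per_resolver = defaultdict(int)
    for line in capture_text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            key = (m["dst"], m["sport"], m["txid"])
            pending[key] = (m["dst"], m["qtype"], m["name"].rstrip("."))
            per_resolver[m["dst"]] += 1
            continue
        m = ANSWER_RE.match(line)
        if m:
            # A reply closes the matching query; unmatched replies are ignored.
            pending.pop((m["src"], m["dport"], m["txid"]), None)
    return dict(per_resolver), sorted(pending.values())

if __name__ == "__main__":
    counts, unanswered = summarize(SAMPLE)
    for resolver, n in counts.items():
        print(f"{resolver}: {n} queries")
    for resolver, qtype, name in unanswered:
        print(f"no answer from {resolver} for {qtype} {name}")
```

Feed it a real capture with `tcpdump -n -r my-file.pcap port 53 | python3 script.py` after changing the main block to read stdin; a resolver that appears in the counts but only in the unanswered list is the one ping or traceroute is failing on.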
