Mac OS Ventura 13.3.1

I've read other questions regarding "Can ping IP but not hostname" and the answers are all related to the DNS. In my case I believe my DNS is set up correctly. Also, I'm using my router's wired connection instead of WiFi.

NOTE: The problem only occurs on my company's internal (to the VPN) servers. I can ping external servers, e.g., www.google.com.

I've flushed the DNS cache

% sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder

I'm going through my company's VPN, and in my network interface settings, I have the DNS servers set up that my IT department gave me. I can do this

% nslookup dc1-main.company.com
Server:     10.227.10.4
Address:    10.227.10.4#53

Name:   dc1-main.company.com
Address: 10.227.25.17

I can then do

% ping 10.227.25.17
PING 10.227.25.17 (10.227.25.17): 56 data bytes
64 bytes from 10.227.25.17: icmp_seq=0 ttl=125 time=41.206 ms
64 bytes from 10.227.25.17: icmp_seq=1 ttl=125 time=41.698 ms
64 bytes from 10.227.25.17: icmp_seq=2 ttl=125 time=41.714 ms
^C
--- 10.227.25.17 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 41.206/41.539/41.714/0.236 ms

But this fails

% ping dc1-main.company.com
ping: cannot resolve dc1-main.company.com: Unknown host

Here's the traceroute. For the IP, the hop from #4 to #64 was just * * *

% traceroute 10.227.25.17
traceroute to 10.227.25.17 (10.227.25.17), 64 hops max, 52 byte packets
 1  192.168.40.14 (192.168.40.14)  25.321 ms  24.286 ms  24.585 ms
 2  172.16.25.1 (172.16.25.1)  24.737 ms  24.578 ms  25.052 ms
 3  192.168.150.20 (192.168.150.20)  44.081 ms  44.232 ms  43.149 ms
 4  * * *
 5  * * *
...
64  * * *
% traceroute dc1-main.company.com
traceroute: unknown host dc1-main.company.com

Why is this? TIA!

I see "Why is 'ping' unable to resolve a name when 'nslookup' works fine?" but it relates to Windows and the recommendations don't make sense for the Mac.

UPDATE: Someone requested this info:

% nslookup -q=AAAA dc1-main.company.com
Server:     10.227.10.4
Address:    10.227.10.4#53

*** Can't find dc1-main.company.com: No answer
Chris F

1 Answer


After wasting hours on this problem, I finally found the fix. My DHCP server hands out an internal DNS first, then an external as a secondary. That external points to Google's 8.8.8.8.

e.g.:

10.0.1.232
10.0.2.232
8.8.8.8

I removed 8.8.8.8 from my DHCP assigned DNS server list et voila, I am now able to ping, ssh, traceroute, etc. internal resources. It appears that Apple decided to block non-DNSSEC systems when one that uses DNSSEC is in the list. DNSSEC, or Domain Name System Security Extensions, is a set of extensions to DNS that provides authentication of DNS data. So our internal DNS server (which doesn't really need DNSSEC) was not being queried because 8.8.8.8 naturally does use it. No idea why Apple would consider this a security concern.

This works:

10.0.1.232
10.0.2.232

Then my internal DNS server just sends unknowns to 8.8.8.8 instead of the client systems.

Clayton Dukes
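A small diagnostic, added here and not part of either post, that parses `scutil --dns` output on macOS and flags any resolver block that mixes private-range (RFC 1918 / ULA) nameservers with public ones, which is the DHCP-assigned list the answer above trimmed. The `scutil --dns` text below is a constructed sample, not a capture from the poster's machine; on a real Mac, feed it `subprocess.check_output(["scutil", "--dns"], text=True)` instead.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample of `scutil --dns` output (not from the poster's machine).
SAMPLE = """DNS configuration

resolver #1
  search domain[0] : company.com
  nameserver[0] : 10.227.10.4
  nameserver[1] : 8.8.8.8
  if_index : 14 (en0)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000
"""

RESOLVER_RE = re.compile(r"^resolver #(\d+)")
NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)")


def parse_resolvers(text: str) -> Dict[int, List[str]]:
    """Map each 'resolver #N' block to its ordered list of nameserver addresses."""
    resolvers: Dict[int, List[str]] = {}
    current = None
    for line in text.splitlines():
        if m := RESOLVER_RE.match(line):
            current = int(m.group(1))
            resolvers[current] = []
        elif (m := NAMESERVER_RE.match(line)) and current is not None:
            # Drop a link-local scope suffix such as 'fe80::1%en0' before parsing.
            resolvers[current].append(m.group(1).split("%", 1)[0])
    return resolvers


def mixed_scope(servers: List[str]) -> bool:
    """True when one resolver lists both private-range and public nameservers."""
    private = [s for s in servers if ipaddress.ip_address(s).is_private]
    return bool(private) and len(private) < len(servers)


def find_mixed(text: str) -> Dict[int, List[str]]:
    """Return only the resolver blocks whose nameserver list mixes private and public."""
    return {n: s for n, s in parse_resolvers(text).items() if mixed_scope(s)}
```

A resolver block that comes back from `find_mixed` is the candidate to fix on the DHCP side, as the answer did, so that only the internal servers are handed to clients and the internal server forwards unknown names itself.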