Local wildcard DNS on macOS with dnsmasq

I wanted to get wildcard DNS running on my Mac laptop, for development purposes. I wanted http://anything.mysite.lan/ to point to my localhost IP address.

I figured out how to do this using dnsmasq, installed via Homebrew.

THIS MAY BE UNNECESSARY

Tip from Daniel Landau - anything.localhost (and foo.anything.localhost) should resolve to 127.0.0.1 already. This seems to work on macOS, so this entire TIL is likely obsolete.

dig foo.bar.localhost
; <<>> DiG 9.10.6 <<>> foo.bar.localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 58764
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;foo.bar.localhost.		IN	A

;; AUTHORITY SECTION:
.			10800	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2023063000 1800 900 604800 86400

;; Query time: 241 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jun 30 07:15:48 PDT 2023
;; MSG SIZE  rcvd: 121

Also this broke DNS for me on other networks - see note at the bottom for details.

Original TIL continues here

Some clues:

Installing and configuring dnsmasq

I installed dnsmasq using Homebrew:

brew install dnsmasq

Then I viewed the configuration file that had been installed like this:

cat $(brew --prefix)/etc/dnsmasq.conf

Based on the discussion in the Gist comments I decided to point *.lan (which includes any level of subdomains, so you can do foo.bar.lan) to 127.0.0.1. I did that using:

echo 'address=/.lan/127.0.0.1' >> $(brew --prefix)/etc/dnsmasq.conf

Starting the service using sudo

I tried running brew services start dnsmasq without sudo and it appeared to work, but didn't. The correct command to run is:

sudo brew services start dnsmasq

Weirdly, even the brew services list command needs to be run as sudo. Here's what I get with and without sudo for that command:

brew services list
Name    Status     User File
caddy   none            
dnsmasq error  512 root ~/Library/LaunchAgents/homebrew.mxcl.dnsmasq.plist
unbound none
sudo brew services list
Name    Status  User File
caddy   none         
dnsmasq started root /Library/LaunchDaemons/homebrew.mxcl.dnsmasq.plist
unbound none

Testing dnsmasq

Running dig and specifically telling it to use the new 127.0.0.1 DNS server works:

dig foo.test.lan @127.0.0.1
; <<>> DiG 9.10.6 <<>> foo.test.lan @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10618
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;foo.test.lan.			IN	A

;; ANSWER SECTION:
foo.test.lan.		0	IN	A	127.0.0.1

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jun 30 05:43:11 PDT 2023
;; MSG SIZE  rcvd: 57

Configuring macOS to use the new DNS server

I searched for "dns" in macOS system preferences, clicked on "DNS servers" and used the + button to add 127.0.0.1 to my list of DNS servers, leaving the previous entry in there too.

Screenshot of that panel in the macOS system preferences

Having done this, running cat /etc/resolv.conf showed me this, with a confusing warning message:

#
# macOS Notice
#
# This file is not consulted for DNS hostname resolution, address
# resolution, or the DNS query routing mechanism used by most
# processes on this system.
#
# To view the DNS configuration used by this system, use:
#   scutil --dns
#
# SEE ALSO
#   dns-sd(1), scutil(8)
#
# This file is automatically generated.
#
nameserver 127.0.0.1
nameserver 10.0.0.1

Running scutil --dns gave me this (truncated):

scutil --dns
DNS configuration

resolver #1
  nameserver[0] : 127.0.0.1
  nameserver[1] : 10.0.0.1
  flags    : Request A records, Request AAAA records
  reach    : 0x00030002 (Reachable,Local Address,Directly Reachable Address)

resolver #2
  # ...
DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 127.0.0.1
  nameserver[1] : 10.0.0.1
  if_index : 15 (en0)
  flags    : Scoped, Request A records, Request AAAA records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

Finally, I ran a quick HTTP server using python -m http.server 8005 and confirmed that http://foo.bar.lan:8005/ in my browser worked as expected - which it did.

This broke DNS for me on other networks

When I tried connecting to other networks later on the same day I found that DNS lookups were not working.

I eventually figured out why by running scutil --dns and noting that it was always trying to hit 10.0.0.1.

The fix was to open up the DNS servers area in Network settings again and remove ALL of the nameservers from that list. Once I did that the DNS server for the WiFi network I was connected to started working again.

Created 2023-06-30T05:51:21-07:00, updated 2023-06-30T08:53:13-07:00 · History · Edit