Articles February 4, 2010 at 3:17 pm

Augmenting DNS Records Using dnsmasq

DNS can always bite you in the rear. In some cases you run your own DNS server and can correct the issues yourself. In other cases, you're beholden to the powers that be to determine your fate. All is not lost, however: it is possible to run your own DNS proxy to override specific answers. It's not an ideal solution, and can certainly be accused of being a "hack", but it can be invaluable in some situations.

Read on for how to do this…

There are a number of Active Directory scenarios or edge cases in which your Mac OS X computer doesn't have access to certain DNS records, and this hinders your Mac's ability to join or reliably use Active Directory. Some scenarios are more, er, legitimate than others, and some scenarios are pretty ridiculous. And yes, it is better to fix AD than to work around poorly-designed AD implementations, but augmenting DNS might be a relatively quick workaround to make your Macs work with AD. Until the next AD issue crops up.

Possible trouble scenarios:
Possible scenarios in which the Mac OS X Active Directory connector won't reliably join or use AD include:

  • Your Active Directory site was designed with Branch Office Topology (see below), and certain DNS records are purposely not available to Mac OS X (_ldap._tcp.<domain>, _kerberos._tcp.<domain>, _kpasswd._tcp.<domain> and _kpasswd._udp.<domain>)
  • There is a network device that performs Network Address Translation (NAT) between you and the Domain Controller
  • Active Directory Sites isn't set up correctly

Some false solutions:

  • You can't just add your preferred domain controller to /etc/hosts, because /etc/hosts doesn't provide DNS service (SRV) records, which are required by the Active Directory connector. Bummer.
  • You can't just select the checkbox in the Active Directory connector for "Prefer this domain server", because that only prefers a Domain Controller that is in the same Site you are a member of, but you first have to become a member of that Site.
  • You can't just enable DNS with Server Admin, create a zone for your AD domain and then create only the DNS records you need, because this doesn't provide the DNS records for all the other hosts in the AD domain. Well, I guess you *could* try to hand-synchronize your Mac OS X Server-provided DNS service with the AD-provided DNS service, but this seems like a recipe for disaster.

Some better solutions:

  • Fix your Active Directory infrastructure;
  • use the DNS service from AD;
  • don't use NAT.

Another solution:
dnsmasq is an open source DNS service that can override the answers to certain DNS queries and forward the rest of the DNS queries on to another DNS service. Point your Mac's DNS requests at dnsmasq, and configure dnsmasq to provide only the DNS SRV records that you want it to, so that your Active Directory connector is happy. Use dnsmasq to hand out DNS records the way you want them. The beautiful thing about dnsmasq is that you can override certain queries, but allow your regular DNS server to handle the rest of the queries. The dnsmasq man page documents all of the options used below.

A warning: These tools are great, but please don't let this get in the way of fixing the core of a problem scenario.

The pieces involved:

  1. The dnsmasq daemon needs to start as root, because dnsmasq listens on the privileged port 53, but it then drops privileges and runs as a non-root user. Port 53 is the standard port for DNS service, so you can't run any other DNS service (like the DNS service offered by Mac OS X Server) on the same computer at the same time. You can run dnsmasq on Mac OS X or Mac OS X Server (and many other platforms). If dnsmasq only needs to answer the Mac it runs on, add listen-address=127.0.0.1 to its configuration file so that it doesn't also become an open resolver for everything else on the network.
  2. Your Mac needs to make DNS requests to the IP address of the computer running dnsmasq.
  3. Note that in 10.6, if you're using DHCP and you modify the DNS server(s), this *overrides* the DNS server(s) assigned by DHCP (whereas previously, the value you entered in the DNS Servers field was used first, but the DHCP-assigned DNS server(s) were also used). In more detail: if you open the Network pane of System Preferences, click Advanced, and then click DNS, any DNS server you are assigned via DHCP will appear in the DNS Servers field. If you enter any IP address into the DNS field, this replaces the DHCP-supplied value.
  4. /etc/dnsmasq.conf: The dnsmasq configuration file. It doesn't have to exist, but you can copy and edit the dnsmasq.conf.example from the dnsmasq distribution files to /etc/dnsmasq.conf.
  5. /etc/hosts: dnsmasq reads /etc/hosts and answers name-to-address (and reverse) queries from it, but you cannot use /etc/hosts to provide SRV records.
  6. /etc/resolv.conf: Unless you use the "server=" line in the dnsmasq configuration file, dnsmasq will attempt to use the servers listed in /etc/resolv.conf for DNS requests you haven't told it to respond to. If you're not familiar with /etc/resolv.conf on Mac OS X, Mac OS X automatically updates this file to include the IP address(es) of the DNS servers you want your Mac to query, as well as the "search domains" to append to a bare hostname in name-to-address resolution requests. More about search domains: if you type a bare hostname such as www into your browser, the resolver appends each of your search domains in turn and opens the first name that resolves. You'll also see that if you enter a mistyped URL in your browser, your Mac will issue a DNS query for that mistyped name with each search domain appended.

The flow:
It is pretty simple.
You send a DNS query to dnsmasq (by configuring your Mac to use a computer running dnsmasq, which could be itself).
If you configured dnsmasq to give a specific answer, it will give that answer.
If you didn't give dnsmasq any information about the request, dnsmasq will forward that request to the DNS service that you tell it to use.

An example:
I have a Mac OS X computer, and I want to use any of the three Domain Controllers in the Chicago Branch Office, chicago-dc[1-3], which have IP addresses of , , and . I don't want to use the other Domain Controllers, like the ones below.

Before using dnsmasq, I might get a huge number of replies, including from DCs in Gothenburg, Gunma, and Gent, but I can edit my dnsmasq.conf to return only certain results.

When I issue a query for each DNS SRV record, I'd like the answer to return only those three DCs above (<domain> stands in for the AD domain name):
clientx:~ localadmin$ host -t SRV _ldap._tcp.<domain>
_ldap._tcp.<domain> has SRV record 0 100 389 chicago-dc1.<domain>.
_ldap._tcp.<domain> has SRV record 0 100 389 chicago-dc2.<domain>.
_ldap._tcp.<domain> has SRV record 0 100 389 chicago-dc3.<domain>.

clientx:~ localadmin$ host -t SRV _kerberos._tcp.<domain>
_kerberos._tcp.<domain> has SRV record 0 100 88 chicago-dc1.<domain>.
_kerberos._tcp.<domain> has SRV record 0 100 88 chicago-dc2.<domain>.
_kerberos._tcp.<domain> has SRV record 0 100 88 chicago-dc3.<domain>.

clientx:~ localadmin$ host -t SRV _kpasswd._tcp.<domain>
_kpasswd._tcp.<domain> has SRV record 0 100 464 chicago-dc1.<domain>.
_kpasswd._tcp.<domain> has SRV record 0 100 464 chicago-dc2.<domain>.
_kpasswd._tcp.<domain> has SRV record 0 100 464 chicago-dc3.<domain>.

clientx:~ localadmin$ host -t SRV _kpasswd._udp.<domain>
_kpasswd._udp.<domain> has SRV record 0 100 464 chicago-dc1.<domain>.
_kpasswd._udp.<domain> has SRV record 0 100 464 chicago-dc2.<domain>.
_kpasswd._udp.<domain> has SRV record 0 100 464 chicago-dc3.<domain>.

I'll have to edit the dnsmasq configuration file to specify SRV records.

The sample configuration file notes that you can add an SRV record with an srv-host= line in the form:
srv-host=<name>,<target>,<port>,<priority>,<weight>
<name> is what will be requested
<target> is the host name part of the answer you want dnsmasq to return
<port> should be 389 for ldap, 88 for kerberos, and 464 for kpasswd (and 3268 for gc if you use that).
<priority> and <weight> can be anything; I'm going to use 0 and 100, the default values for these SRV records in AD.

I'll enter 12 additional SRV records; I have three DCs, and each DC has four SRV records
(ldap, kerberos, kpasswd over tcp, and kpasswd over udp).

I'll add the following lines to /etc/dnsmasq.conf (again, <domain> stands in for the AD domain name):
srv-host=_ldap._tcp.<domain>,chicago-dc1.<domain>,389,0,100
srv-host=_ldap._tcp.<domain>,chicago-dc2.<domain>,389,0,100
srv-host=_ldap._tcp.<domain>,chicago-dc3.<domain>,389,0,100
srv-host=_kerberos._tcp.<domain>,chicago-dc1.<domain>,88,0,100
srv-host=_kerberos._tcp.<domain>,chicago-dc2.<domain>,88,0,100
srv-host=_kerberos._tcp.<domain>,chicago-dc3.<domain>,88,0,100
srv-host=_kpasswd._tcp.<domain>,chicago-dc1.<domain>,464,0,100
srv-host=_kpasswd._tcp.<domain>,chicago-dc2.<domain>,464,0,100
srv-host=_kpasswd._tcp.<domain>,chicago-dc3.<domain>,464,0,100
srv-host=_kpasswd._udp.<domain>,chicago-dc1.<domain>,464,0,100
srv-host=_kpasswd._udp.<domain>,chicago-dc2.<domain>,464,0,100
srv-host=_kpasswd._udp.<domain>,chicago-dc3.<domain>,464,0,100

I need to stop and start the dnsmasq daemon in order for it to re-read the configuration file and use these new SRV records (a SIGHUP signal to dnsmasq only re-reads /etc/hosts, not the configuration file). Because I set up a launchd item for dnsmasq, I use launchctl to unload and load the launchd item, rather than kill the daemon directly.
clientx:~ localadmin$ sudo launchctl unload /Library/LaunchDaemons/
clientx:~ localadmin$ sudo launchctl load /Library/LaunchDaemons/

Elements to install:

  • /usr/local/sbin/dnsmasq
  • /etc/dnsmasq.conf
  • /Library/LaunchDaemons/

If you want to just get going:
Download the dnsmasq package installer from me at, which installs:

  • dnsmasq in /usr/local/sbin/dnsmasq
  • dnsmasq man page in /usr/local/share/man/man8/dnsmasq.8
  • A sample dnsmasq.conf in /private/etc/dnsmasq.conf
  • A launchd item for dnsmasq in /Library/LaunchDaemons/
  • The dnsmasq source in /usr/local/shared/src

Skip the next step, and continue with configuring dnsmasq.

If you want to compile and install it yourself:

  1. Install the Mac OS X Developer tools from the installation disc that comes with your Mac.
  2. Download dnsmasq
    1. Visit
    2. Download the latest version (I wrote this with version 2.52)
  3. Make and install dnsmasq from the dnsmasq folder
    1. cd; cd Downloads
    2. gunzip dnsmasq-2.52.tar.gz
    3. tar -xvf dnsmasq-2.52.tar
    4. cd dnsmasq-2.52
    5. make
    6. sudo make install
  4. Install the launchd item from the contrib/ folder (if it is available in the 2.52 release of dnsmasq), according to the directions in the launchd-README.txt file
    1. cd contrib/MacOSX-launchd
    2. If you don't already have a /Library/LaunchDaemons folder, create one:
      1. sudo mkdir /Library/LaunchDaemons
      2. sudo chown root:admin /Library/LaunchDaemons
      3. sudo chmod 775 /Library/LaunchDaemons
    3. sudo cp /Library/LaunchDaemons/
    4. sudo chown root:admin /Library/LaunchDaemons/
    5. sudo chmod 644 /Library/LaunchDaemons/

Configure dnsmasq

  1. If you don't already have /etc/dnsmasq.conf, copy dnsmasq.conf.example from the source files to a new file named /etc/dnsmasq.conf
    1. sudo cp dnsmasq.conf.example /etc/dnsmasq.conf
  2. Edit /etc/dnsmasq.conf
    1. If your AD DNS servers are and , add one server= line for each of them (dnsmasq takes a single address per server= line):
      •  server=<first AD DNS server>
      •  server=<second AD DNS server>
    2. You can send logging information to its own logfile with the --log-facility option on the command line, or with the following line in /etc/dnsmasq.conf:
      • log-facility=/var/log/dnsmasq.log
    3. Create the SRV records, each on its own line, as I listed above

Start dnsmasq

  1. sudo launchctl load /Library/LaunchDaemons/
  2. Look in /var/log/system.log: you should see an entry noting that your dnsmasq job started.

Configure Mac OS X to use your dnsmasq service and Test

  1. If you're running dnsmasq on … yourself, then use the Network system preference to set DNS to followed by at least one other DNS server (unless you use the directive "server=" in dnsmasq.conf). Be aware that the Mac's resolver will fall through to that second server directly if dnsmasq stops answering, and at that point your SRV overrides silently disappear; listing only dnsmasq and giving it its upstream servers with "server=" avoids that.
  2. If you're running dnsmasq on another computer, use Network system preference to set DNS to the IP address of the dnsmasq server.
  3. Test dnsmasq resolution of the SRV records (<domain> is your AD domain name); each query should return only the DCs you configured
    1. host -t SRV _ldap._tcp.<domain>
    2. host -t SRV _kerberos._tcp.<domain>
    3. host -t SRV _kpasswd._tcp.<domain>
    4. host -t SRV _kpasswd._udp.<domain>
  4. Bind your Macs to AD, using the AD DCs you want to use.
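Typing twelve srv-host lines by hand is where the typos creep in, and the test step above only tells you what came back, not whether anything you did not intend came back with it. The script below is an added example (not from the original post, and not part of dnsmasq): it generates the srv-host lines for a list of DCs from the service/port table given above, checks an existing set of lines for wrong ports, unexpected targets or missing (service, DC) pairs, and parses `host -t SRV` output to flag any target that is not one of the intended DCs. The domain name ad.example.com, the hostname gothenburg-dc1 and the sample `host` output are placeholders constructed for this example; chicago-dc1 through chicago-dc3, the four record names and their ports come from the post, and the srv-host= syntax is dnsmasq's own.

```python
"""Generate and sanity-check dnsmasq srv-host lines for a set of AD domain
controllers, and check `host -t SRV` answers against the intended DCs.

Added example; ad.example.com and gothenburg-dc1 are placeholders.
"""
import re

# The four locator records the AD connector needs and the port each service
# listens on (the optional _gc._tcp record on 3268 is left out here).
SERVICES = {
    "_ldap._tcp": 389,
    "_kerberos._tcp": 88,
    "_kpasswd._tcp": 464,
    "_kpasswd._udp": 464,
}
PRIORITY, WEIGHT = 0, 100  # AD's defaults for these records


def srv_host_lines(domain, dcs):
    """One dnsmasq 'srv-host=' line per (service, DC) pair."""
    return [
        f"srv-host={svc}.{domain},{dc}.{domain},{port},{PRIORITY},{WEIGHT}"
        for svc, port in SERVICES.items()
        for dc in dcs
    ]


def parse_srv_host(line):
    """Split 'srv-host=name,target,port,priority,weight' into a tuple."""
    key, _, value = line.strip().partition("=")
    if key != "srv-host":
        raise ValueError(f"not an srv-host line: {line!r}")
    name, target, port, prio, weight = value.split(",")
    return name, target, int(port), int(prio), int(weight)


def check_srv_config(lines, domain, dcs):
    """Return a list of problems: a port that doesn't match the service, a
    target that is not one of the intended DCs, or a (service, DC) pair that
    has no record at all. An empty list means the config is consistent."""
    problems, seen = [], set()
    allowed = {f"{dc}.{domain}" for dc in dcs}
    for line in lines:
        name, target, port, _, _ = parse_srv_host(line)
        svc = name[: -len(domain) - 1] if name.endswith("." + domain) else name
        if svc not in SERVICES:
            problems.append(f"unknown service {name}")
            continue
        if port != SERVICES[svc]:
            problems.append(f"{name}: port {port}, expected {SERVICES[svc]}")
        if target not in allowed:
            problems.append(f"{name}: unexpected target {target}")
        seen.add((svc, target))
    for svc in SERVICES:
        for fqdn in allowed:
            if (svc, fqdn) not in seen:
                problems.append(f"missing {svc} record for {fqdn}")
    return problems


# One answer line of `host -t SRV`: name, priority, weight, port, target.
HOST_SRV_RE = re.compile(r"^(\S+) has SRV record (\d+) (\d+) (\d+) (\S+?)\.?$")


def unexpected_targets(host_output, domain, dcs):
    """Parse `host -t SRV` output and return the answer targets that are not
    one of the DCs we meant to hand out (i.e. answers leaking from upstream)."""
    allowed = {f"{dc}.{domain}" for dc in dcs}
    found = set()
    for line in host_output.splitlines():
        m = HOST_SRV_RE.match(line.strip())
        if m:
            found.add(m.group(5))
    return found - allowed


# Constructed sample of `host -t SRV` output: two Chicago DCs plus one answer
# from another branch, which is exactly what the dnsmasq override should stop.
SAMPLE_HOST_OUTPUT = """\
_ldap._tcp.ad.example.com has SRV record 0 100 389 chicago-dc1.ad.example.com.
_ldap._tcp.ad.example.com has SRV record 0 100 389 chicago-dc2.ad.example.com.
_ldap._tcp.ad.example.com has SRV record 0 100 389 gothenburg-dc1.ad.example.com.
"""

if __name__ == "__main__":
    dcs = ["chicago-dc1", "chicago-dc2", "chicago-dc3"]
    lines = srv_host_lines("ad.example.com", dcs)
    print("\n".join(lines))
    print("config problems:", check_srv_config(lines, "ad.example.com", dcs))
    print("leaked targets:", unexpected_targets(SAMPLE_HOST_OUTPUT, "ad.example.com", dcs))
```

Run it once to print the twelve lines for your own domain and paste them into /etc/dnsmasq.conf; after restarting dnsmasq, feed the real output of the four host -t SRV queries to unexpected_targets, which should return an empty set. A non-empty result means a query is being answered by the upstream server rather than by your srv-host lines, usually because the record name in the config doesn't match the name being queried.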

Reconfiguring/updating dnsmasq information

  1. If you edit /etc/hosts, send dnsmasq a SIGHUP (sudo killall -HUP dnsmasq) so that it re-reads the file; you don't need to restart it
  2. If you edit /etc/dnsmasq.conf, you'll need to stop and start dnsmasq, because a SIGHUP doesn't make it re-read the configuration file
    1. Stop dnsmasq:
      1. sudo launchctl unload /Library/LaunchDaemons/
    2. Restart dnsmasq:
      1. sudo launchctl load /Library/LaunchDaemons/
    3. If you want to permanently stop the launchd job, so it doesn't start even after a reboot, unload it with the -w flag:
      1. sudo launchctl unload -w /Library/LaunchDaemons/

More About AD Branch Office Topology
Planning Active Directory for Branch Office
"In the branch office scenario, it is important that clients that cannot find a domain controller in their own site find a domain controller in their hub site, but never a domain controller in another branch or hub. In many deployments, clients from one branch cannot connect to machines in another branch, because the network is not fully routed (for example one-way dial-up lines are used). Even if connectivity is possible, however, it is still undesirable to initiate network connections between branches. Such network traffic would always go through the hub site; therefore it is better to restrict the traffic to branch-to-hub only."

"To avoid the situation where clients in one branch contact a domain controller in another branch, the Net Logon service on all branch office domain controllers must be configured to publish only site specific locator records, but not generic domain controller locator records. The result is that only the hub domain controllers publish the generic locator records in addition to their site-specific records. Clients that cannot find a domain controller in their own site will now only find generic domain controller locator records for hub domain controllers."


Arek Dreyer has been an Apple Certified Trainer since 2002. Originally an expert in Sun Systems, Dreyer shifted his professional focus to Mac OS X shortly after it came out. President of Dreyer Network Consultants Inc., Arek has been delivering courses and providing training around the world, both in the classroom and at events like the Apple Channel Camp and the Macworld Conference and Expo. Dreyer also provides integration and troubleshooting services for his own customers and for Apple.
