I gave that a shot and am running into issues:
USFNTMNBSJEMD6R:~ cowboy$ nsupdate -g
> server 10.40.88.162
> update add usfntmnbsjemd6r.nao.global.gearcrushers.com 86400 A 10.34.224.125
tkey query failed: GSSAPI error: Major = Miscellaneous failure (see text), Minor = Server (DNS/det1oapdn103.gearcrushers.corp@NAO.GLOBAL.GEARCRUSHERS.COM) unknown while looking up 'DNS/det1oapdn103.gearcrushers.corp@NAO.GLOBAL.GEARCRUSHERS.COM' (cached result, timeout in 1200 sec).
If you have admin access, you can turn debug logging on to get more info on what's going on.
Enabling logging for the Mac Directory Service
In addition to enabling logging for the agent, you may find it necessary to enable logging for the Open Directory Service.
To create a log file for the Open Directory Service:
1. Log in as or switch to the root or admin user.
2. Run the following command:
sudo odutil set log debug
3. After running this command, you can find the resulting log files at: /var/log/opendirectoryd.log*
sudo log stream --predicate '(messageType == debug) and (subsystem == "com.apple.opendirectoryd")'
sudo log stream --debug --predicate 'subsystem == "com.apple.opendirectoryd"'
Just ideas to try
For those who run into this issue: Apple's standard command line tool and its option -restrictDDNS allow you to control the interfaces used for DDNS.
From the research I've done, it sounds like OSX has the native capability to do Dynamic DNS (DDNS) updates according to RFC 2136, however I'm confused as to how to actually get it to do so.
On a Mac, I verified that if I set my Windows DNS server to allow non-secure updates, I could use nsupdate to manually register a new DNS record:
> update add newhost.hosangit.com 86400 A 10.11.12.13
So, it seems like if that works, then OSX itself ought to be able to do the same thing. Let me break it down a little bit more:
1. Get an nsupdate shell going.
2. Set the DNS server you are talking to.
3. Add the record:
update add newhost.hosangit.com 86400 A 10.11.12.13
NOTE: The default behavior for macOS and Windows is to send updates for all connected interfaces. This behavior is not always the best method, especially in cases where the client is connected to different networks, say a local network, a VPN network, etc.
A better behavior could be a method to check the DHCP search domain against the AD DNS domain and only update the interfaces which match (wired and wireless for instance).
Another good option would be to get the interface service order and only submit the highest connected interface, to mimic the dsconfigad -restrictDDNS command.
This feature would be most helpful in environments where the computer name is set and controlled programmatically and then locked from changing through the Sharing prefpane with a config profile.
Hope that helps...
We are observing a strange case when our VPN client activates on macOS. It configures a utun interface through the DynamicStore API with a fixed non-routable local IP, 10.34.130.125.
$ ifconfig utun3
utun3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1376
inet 10.34.130.125 --> 10.34.130.125 netmask 0xffffffff
The problem is that this IP is getting registered with the DNS server for this host name together with the other, real local IP. So a DNS query returns two addresses, one good and one bad. This obviously creates a lot of problems.
We did traffic capturing with tcpdump and it shows that nsupdate tool is indeed registering both IPs. This seems to be part of OpenDirectory/Active Directory integration.
Is there a way to prevent this from happening? VPNs with local-only non-routable IPs are very common, and I don't understand the logic behind picking such an IP for a Dynamic DNS update.
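As an added example (not code from any of the posts above, and not Apple's own DDNS logic), the following shell script shows the interface-selection idea from the earlier post and what it does for the utun case in the last post: it parses ifconfig-style output, keeps only interfaces that are UP and RUNNING, not loopback, not point-to-point, not a /32, and whose DHCP search domain matches the AD DNS domain, then builds an nsupdate batch that deletes the host's existing A records before adding the surviving addresses, so a stale VPN address does not linger. The ifconfig text and the per-interface search domains are constructed sample data; the server address, host name and domain are taken from the thread above as placeholders.

```shell
#!/bin/sh
# Added example: restrict which interfaces register an A record in AD DNS.
# Everything below is illustrative; SAMPLE_* values are constructed, not captured.

# Constructed sample of `ifconfig` output on a Mac with wired, wireless and a VPN utun.
SAMPLE_IFCONFIG='lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
    inet 127.0.0.1 netmask 0xff000000
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 10.34.224.125 netmask 0xffffff00 broadcast 10.34.224.255
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet 192.168.1.23 netmask 0xffffff00 broadcast 192.168.1.255
utun3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1376
    inet 10.34.130.125 --> 10.34.130.125 netmask 0xffffffff'

# Constructed per-interface DHCP search domains ("ifname domain"). On macOS this
# would come from: ipconfig getoption en0 domain_name
SAMPLE_SEARCH='en0 nao.global.gearcrushers.com
en1 home.lan'

# eligible_addrs AD_DOMAIN SEARCH_MAP < ifconfig-text
# Prints the IPv4 address of each interface that is UP and RUNNING, not LOOPBACK,
# not POINTOPOINT, not a /32 (0xffffffff), and whose search domain equals AD_DOMAIN.
eligible_addrs() {
  awk -v ad="$1" -v map="$2" '
    BEGIN {
      n = split(map, lines, "\n")
      for (i = 1; i <= n; i++) { split(lines[i], kv, " "); dom[kv[1]] = kv[2] }
    }
    /^[a-z0-9]+: flags=/ {
      ifname = $1; sub(":$", "", ifname)
      flags = $2
      ok = (flags ~ /[<,]UP[,>]/ && flags ~ /[<,]RUNNING[,>]/ \
            && flags !~ /LOOPBACK/ && flags !~ /POINTOPOINT/)
    }
    ok && $1 == "inet" {
      mask = ""
      for (i = 1; i <= NF; i++) if ($i == "netmask") mask = $(i + 1)
      if (mask != "0xffffffff" && dom[ifname] == ad) print $2
    }
  '
}

# build_nsupdate SERVER FQDN TTL ADDR...
# Emits an nsupdate batch that replaces the host A records with exactly ADDR...
# The delete comes first so an address registered earlier (e.g. a utun IP) goes away.
build_nsupdate() {
  server=$1; fqdn=$2; ttl=$3; shift 3
  printf 'server %s\n' "$server"
  printf 'update delete %s A\n' "$fqdn"
  for a in "$@"; do
    printf 'update add %s %s A %s\n' "$fqdn" "$ttl" "$a"
  done
  printf 'send\n'
}

# Run the selection over the constructed sample; on a real Mac replace the
# printf with `ifconfig` and SAMPLE_SEARCH with values from ipconfig getoption.
sample_addrs() {
  printf '%s\n' "$SAMPLE_IFCONFIG" | eligible_addrs nao.global.gearcrushers.com "$SAMPLE_SEARCH"
}

sample_batch() {
  build_nsupdate 10.40.88.162 usfntmnbsjemd6r.nao.global.gearcrushers.com 86400 $(sample_addrs)
}

# To apply for real, pipe the batch into nsupdate -g so it is signed with the
# machine's Kerberos ticket (GSS-TSIG), e.g.:  sample_batch | nsupdate -g
sample_batch
```

With the sample data only en0 survives: lo0 is loopback, en1 has the wrong search domain, and utun3 is point-to-point with a /32, which is exactly the address the last post does not want registered. The generated batch deletes all A records for the host before adding en0's address, so the second, bad address disappears at the next update rather than accumulating.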