Dynamic DNS on Mac OS X registers wrong IP from VPN

Cowboy Denny


We are observing a strange case when our VPN client activates on macOS. It configures the utun interface through the DynamicStore API with a fixed, non-routable local IP:

$ ifconfig utun3
utun3: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1376
        inet --> netmask 0xffffffff 

The problem is that this IP is getting registered with the DNS server for this host name together with the other, real local IP. So a DNS query returns two addresses - one is good and the other is bad. This obviously creates a lot of problems.

We did traffic capturing with tcpdump and it shows that the nsupdate tool is indeed registering both IPs. This seems to be part of the OpenDirectory/Active Directory integration.

Is there a way to prevent this from happening? VPNs with local-only, non-routable IPs are very common and I don't understand the logic of why such an IP would be picked for a Dynamic DNS update.


3 answers to this question


For those who run into this issue - Apple standard command line tool


and its option -restrictDDNS allows control of which interfaces are used for DDNS.


From the research I've done, it sounds like OSX has the native capability to do Dynamic DNS (DDNS) updates according to RFC 2136; however, I'm confused as to how to actually get it to do so.

On a Mac, I verified that if I set my Windows DNS server to allow non-secure updates, I could use nsupdate to manually register a new DNS record:

# nsupdate
> update add newhost.hosangit.com 86400 A
> send

So, it seems like if that works, then OSX itself ought to be able to do the same thing. Let me break it down a little bit more:

Get an nsupdate shell going

nsupdate -g

Set the DNS Server you are talking to


Add the Record

update add newhost.hosangit.com 86400 A

Send it


NOTE: The default behavior for macOS and Windows is to send updates for all connected interfaces. This behavior is not always the best method, especially in cases in which the client is connected to different networks, say a local network, a VPN network, etc.

A better behavior could be a method to check the DHCP search domain against the AD DNS domain and only update the interfaces which match (wired and wireless for instance).

Another good option would be to get the interface service order and only submit the highest connected interface, to mimic the dsconfigad -restrictDDNS command.

This feature would be most helpful in environments where the computer name is set and controlled programmatically and then locked from changing through the Sharing pref pane with a config profile.

Hope that helps...

Edited by wildweaselmi
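One way to implement the service-order approach suggested above, as an added example that is not code from this thread: a POSIX shell script that picks the highest-priority non-VPN interface from the output of networksetup -listnetworkserviceorder, then emits an nsupdate script that deletes stale A records (such as the utun address) before adding the one chosen address. The IFADDR_CMD hook, the --run flag and the sample output used in comments are constructed for illustration.

```shell
#!/bin/sh
# Added example: restrict a DDNS update to the highest-priority connected
# interface instead of every interface (the default that registers the VPN IP).

# Print the BSD device names (en0, en3, ...) in service order.
# stdin: output of `networksetup -listnetworkserviceorder`, whose entries look like
#   (Hardware Port: Wi-Fi, Device: en0)
# VPN services usually show an empty Device field, which word splitting drops.
service_order_devices() {
    sed -n 's/.*Device: \([a-z0-9]*\)).*/\1/p'
}

# IPv4 address of a device, or a non-zero exit if it has none.
# On macOS this is `ipconfig getifaddr`; IFADDR_CMD (constructed hook) lets a
# caller substitute another lookup, e.g. for testing on another OS.
iface_addr() {
    ${IFADDR_CMD:-ipconfig getifaddr} "$1" 2>/dev/null
}

# Walk the service order and print "device address" for the first device that
# is not a tunnel and currently holds an IPv4 address. Exit 1 if none qualifies.
pick_ddns_source() {
    for dev in $(service_order_devices); do
        case "$dev" in utun*|ipsec*|ppp*) continue ;; esac   # never a VPN tunnel
        addr=$(iface_addr "$dev") || continue
        [ -n "$addr" ] || continue
        printf '%s %s\n' "$dev" "$addr"
        return 0
    done
    return 1
}

# Emit an nsupdate script: $1 FQDN, $2 address, $3 DNS server, $4 TTL (default 86400).
# The `update delete` line removes every existing A record for the name, so a
# previously registered VPN address is cleared rather than left beside the new one.
nsupdate_script() {
    printf 'server %s\nupdate delete %s A\nupdate add %s %s A %s\nsend\n' \
        "$3" "$1" "$1" "${4:-86400}" "$2"
}

# Usage on a Mac: ./ddns-restrict.sh --run host.example.com dns01.example.com
# (constructed names; GSS-TSIG via `nsupdate -g` as used in the thread).
if [ "${1:-}" = "--run" ]; then
    src=$(networksetup -listnetworkserviceorder | pick_ddns_source) || exit 1
    nsupdate_script "$2" "${src#* }" "$3" | nsupdate -g
fi
```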


I gave that a shot and am running into issues:

USFNTMNBSJEMD6R:~ cowboy$ nsupdate -g
> server
> update add usfntmnbsjemd6r.nao.global.gearcrushers.com 86400 A
> send
tkey query failed: GSSAPI error: Major =  Miscellaneous failure (see text), Minor = Server (DNS/det1oapdn103.gearcrushers.corp@NAO.GLOBAL.GEARCRUSHERS.COM) unknown while looking up 'DNS/det1oapdn103.gearcrushers.corp@NAO.GLOBAL.GEARCRUSHERS.COM' (cached result, timeout in 1200 sec).

Any idea?
