MACOS Tips and Tricks

Here is a page that seeks to document what has been learned over some years of working and playing with Apple's MacOS. It's been something of a love-hate relationship with this operating system. The Mac is now in the general manager's possession after I abandoned it. It lay idle for quite some time, unloved in a corner. Its duties now mostly involve designing crochet patterns.

Killing mDNSResponder functionality

The first tip involves making the Mac obey PiHole. MacOS has the uncanny ability to evade PiHole's DNS blacklists, and in so doing it bypassed all the internal server addresses, leading to the failure of NextCloud for this client. After days of digging and researching, it turns out the Mac has an Apple thing called mDNSResponder. "The mDNS Responder Daemon (mDNSResponder) serves both as a DNS Stub Resolver, as a resolver for information published using multicast DNS (mDNS), and as a publisher of mDNS information."

It turns out that this evil concoction of C code, which Apple themselves attempted to remove some time back but failed, was responsible for the Houdini-like activity.

To cut a long story short: the Mac discovered that the Apple TV box had unfettered access to the outside world. It decided that the AppleTV had better DNS access and began using it, thereby causing mayhem here at "The Laurels".

The task then became disabling certain mDNSResponder functionality to ensure the Mac stays fenced in. This involved changing the firewall rules to inhibit multicast DNS, as well as changing mDNSResponder settings on the Mac itself. At the time of writing the AppleTV remains powered off, disrupting general viewing, which is a significant outage in itself.

1) How to turn off System Integrity Protection on your Mac
2) macos - How to disable mDNS correctly?
3) Re-enable SIP - reverse of step 1)

But that's only part of the solution. It turns out that mDNS was transiting LAN segments/VLANs, since the internal network can talk to the home network unfettered but not the other way round. So the router/firewall had rules inserted equivalent to these ( ).

Testing your PiHole from Apple's MacOS

Apple has a special program that queries the MacOS APIs for DNS information. Unlike the standard Linux programs that perform lookups, this program talks to mDNSResponder and friends in the same order as Safari and other MacOS programs do.

mcmypc:~ root# dns-sd -t 1 -G v4v6

The -t option makes the command time out. Without it, the command waits forever for results from all over the network (which makes it look like it has hung). -G selects the IP type, i.e. IPv4, IPv6 or both (v4, v6 or v4v6). IPv6 is disabled everywhere it can be here at "The Laurels".

Another form of the command is:
dns-sd -q 255 255
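As an added example (not code from the original page), a small shell script that parses the dns-sd -G output described above and reports whether a name is sinkholed on the Mac's mDNSResponder path, comparing it with what the PiHole answers when asked directly with dig. The PIHOLE address, the SINKHOLE value and the output column layout are assumptions; the dns-sd form is the one used above.

```shell
#!/bin/sh
# Added example, not from the original page. Checks whether a name is
# sinkholed on the Mac's real resolver path (mDNSResponder, via dns-sd) and
# compares that with what the PiHole answers when asked directly with dig.
# Assumptions: PIHOLE is your PiHole's address (placeholder below) and
# SINKHOLE is the address PiHole hands back for blocked names (0.0.0.0 in
# its default NULL blocking mode; "::" is the IPv6 equivalent).
PIHOLE="${PIHOLE:-192.0.2.53}"
SINKHOLE="${SINKHOLE:-0.0.0.0}"

# Pull the Address column out of "dns-sd -G" output. Only "Add" rows carry
# an answer; the DATE, ...STARTING... and column-header lines are skipped.
dns_sd_addresses() {
    awk '$2 == "Add" { print $6 }' | sort -u
}

# Succeed (exit 0) only if stdin holds at least one address and every one
# of them is the sinkhole; any real address means the block was evaded.
all_sinkholed() {
    found=0
    while read -r addr; do
        found=1
        [ "$addr" = "$SINKHOLE" ] || [ "$addr" = "::" ] || return 1
    done
    [ "$found" -eq 1 ]
}

# Live check (Mac only): resolve through mDNSResponder with the same
# dns-sd form the page uses, then ask the PiHole directly for comparison.
check_name() {
    name=$1
    mac=$(dns-sd -t 1 -G v4v6 "$name" | dns_sd_addresses)
    direct=$(dig +short @"$PIHOLE" "$name" A)
    if printf '%s\n' "$mac" | all_sinkholed; then
        echo "OK: $name is sinkholed on the Mac's resolver path"
    else
        echo "LEAK: Mac did not sinkhole $name (got '$mac'; PiHole says '$direct')"
        return 1
    fi
}

# Usage: sh check_pihole.sh ads.example.test other.blocked.name
status=0
for name in "$@"; do
    check_name "$name" || status=1
done
[ "$status" -eq 0 ]
```

Run it on the Mac with one or more names you know PiHole blocks; a LEAK line means mDNSResponder answered from somewhere other than the PiHole.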