Issues with .local Domain Name Resolution

[kennethson]

The (fairly large) institution where I work is mostly a Windows shop, and therefore uses Active Directory. Our AD domain uses .local TLD, so many servers are addresses using our internal DNS with only .local hostnames.

Since upgrading to Yosemite, myself and others in IT who are Mac users have found that Yosemite's behavior with these domain names is odd, to say the least.

With most applications (e.g. browsers, Finder Connect to Server, ping from Terminal) using an FQDN like host.example.local will fail with a DNS timeout, however using just the hostname (host) with the domain (example.local) in the search domains works like a champ.

This is almost certainly because Yosemite is being more strict about following RFC 6762, which generally prohibits the use of the .local TLD for non-Multicast DNS (Bonjour) purposes.

So far, we are at a loss for how to mitigate this issue. While the "correct" course of action is probably to move the AD domain to something like example.private, that is a non-started for an organization supporting 30k+ users with only a small number of Macs in play.

Has anyone else run into an issue like this, and if so, have you found any solutions?

 

[blenderman17]

I'm having this exact issue, but I'm not even sure where to start with a solution. Our servers are all Windows based and our IT department is solely a Windows operation, so I'm on my own trying to figure it out. I tried various ways of reconfiguring the SMB connection, but none have worked.

 

[mrdrlove]

Hi kennethson,

thanks for the details. I did not know about the reserved word local.

Yes, we have exactly the same issue.
Also thanks for your hint with using not the FQDN.

But, I also did not found a solution. I have searched many hours with google and Co. but no success.

Thanks god we are planning a redesign of our AD-Infrastructure, so I can try to talk to the colleagues to using something different.

If I get any further information that might help, I will be back here.

Thanks.
Regards,
mrdrlove

 

[KlytusLord]

I have not been able to get any of our Yosemite machines to join our domain/active directory, and I am guessing it is because of the .local issues mentioned here.

I have not figured out how to access our local websites via Safari on Yosemite either. For example, we use the following pattern:

dev.domain.local
stable.domain.local
test.domain.local
etc.

replacing the domain with the host (dev.host.local) has not helped, so I don't know what else to try just to get this work.

 

[ern.st]

I found that it suddenly worked when I added our domain "uv.local" in Network Preferences -> Advanced -> DNS -> Search Domains.
(This can also be configured on your DHCP server.)

Then I could browse to server01.uv.local

 

[kennethson]

I found that it suddenly worked when I added our domain "uv.local" in Network Preferences -> Advanced -> DNS -> Search Domains.
(This can also be configured on your DHCP server.)

Then I could browse to server01.uv.local

Can you get there using the FQDN (i.e. server01.uv.local) or by using just the hostname (i.e. server01)?

We all have our local domain in our search domains, and using only the hostname is the only way we can access these servers.

 

[kennethson]

I have not been able to get any of our Yosemite machines to join our domain/active directory, and I am guessing it is because of the .local issues mentioned here.

I have not figured out how to access our local websites via Safari on Yosemite either. For example, we use the following pattern:

dev.domain.local
stable.domain.local
test.domain.local
etc.

replacing the domain with the host (dev.host.local) has not helped, so I don't know what else to try just to get this work.

Hopefully it will help if I use some better examples here. Say you have the following servers:

mywebserver.myprivatedomain.local
myfileserver.myprivatedomain.local
mydomaincontroller.myprivatedomain.local

If you add myprivatedomain.local to your search domains (see ern.st's post above), you should be able to access those servers by simply using:

mywebserver
myfileserver
mydomaincontroller

At least, that's the behavior we're seeing here.

 

[ern.st]

Can you get there using the FQDN (i.e. server01.uv.local) or by using just the hostname (i.e. server01)?

We all have our local domain in our search domains, and using only the hostname is the only way we can access these servers.

Yup. See my attachment. Your DNS server will of course need a record for the server you're trying to reach.

itc-mac-ernst:Desktop admin$ nslookup uvprint02.uv.local
Server:		10.8.252.101
Address:	10.8.252.101#53

Non-authoritative answer:
Name:	uvprint02.uv.local
Address: 10.20.0.128

 

[kennethson]

Yup. See my attachment. Your DNS server will of course need a record for the server you're trying to reach.

Our DNS server have the records (as we've used them with no problems until Yosemite).

I wonder what you get when you run

sudo discoveryutil mdnsactivedirectory

in the terminal. We were seeing

Not Doing Active Directory

but after running

sudo discoveryutil mdnsactivedirectory yes

and having the output change to

Doing Active Directory

we're able to use our FQDNs again!

 

[ern.st]

I wonder what you get when you run

sudo discoveryutil mdnsactivedirectory

We're getting

Doing Active Directory

But we haven't done any sort of special configuration for this nor enabled it with the "yes" command.

 

[kennethson]

We're getting

Doing Active Directory

But we haven't done any sort of special configuration for this nor enabled it with the "yes" command.

Are your machines bound to the AD domain (assuming that you are, in fact, using one)? The machines we were having issues with were not, and we did get some (questionable) reports of other groups in the institution not seeing the issues, but they almost certainly have their machines bound to the domain.

 

[h4ck]

we're having issues resolving .local domains since updating to Yosemite too.

have made no other changes, just upgraded to 10.10.1.