
nollimac

macrumors 6502
Original poster
Oct 10, 2013
429
34
But, your assertion is that the browser is involved in DNS routing and the interface that delivered the page with the link is input to the browser's DNS routing decision. That's the main thing that I'll be testing.
Not in my case, the browser is NOT involved in DNS...it follows the order from the custom internal DNS server...no serious network administrator wants that, whether a corporate network environment or a home lab or a home office environment, as in my case, because that's the only way to control what happens in the network. I make sure to disable that in the browser permanently.

Of course, using global DNS servers is much simpler.
Until one discovers their quest to see where one is going and use that info to manipulate one for financial gain...that's why browsers got into that, claiming to protect users, but even that is for their financial gain...everyone is learning from Google. If you notice, Firefox has preferred partners to show you when you search.
 

svenmany

macrumors demi-god
Jun 19, 2011
2,053
1,332
Thanks for taking the time to discuss this. I'm setting up now for my tests. I am on the cusp of understanding.

Not in my case, the browser is NOT involved in DNS...it follows the order from the custom internal

Then I misunderstood you; I thought that was what you were saying. I thought you were saying that a page opened in Firefox (Firefox is the only software component that remembers where that page is from) will have links on it resolved using the DNS server on the same interface as where the page was from. If Firefox is not involved in DNS, then where the page is from has no bearing on how links on it get resolved. I see now that I misunderstood you.

My only confusion is about DNS routing, not where the DNS servers are running. I'm also just assuming you have everything up and running and all your DNS servers are available. If you type a URL into Firefox's address bar, it needs to be resolved by some DNS server. You make the point, especially from the screenshots you provided, that you define different DNS servers per network service. I'm trying to understand why you (or anyone else on this thread) think that's significant - why that's any different than defining all your DNS servers on the first network service. (I do understand the tactical advantage of defining a DNS server on an service if you know the DNS server might not be available - you can just deactivate that service and avoid trying to query an unavailable server.)

Until one discovers their quest to see where one is going and use that info to manipulate one for financial gain...that's why browsers got into that, claiming to protect users, but even that is for their financial gain...everyone is learning from Google. If you notice, Firefox has preferred partners to show you when you search.

Good points. In my case, by "global" I didn't mean a DNS server that is running on the internet. I meant a "global declaration" of a DNS server, that declared outside of any particular interface. I don't know if that's possible on the Mac. You can see the comment in /etc/resolv.conf that says that file is not consulted for DNS resolution. That's the place I would traditionally find a global DNS declaration (well, 20 years ago). I did run the command that was mentioned in that file "scutil --dns". I had two interfaces up and temporarily configured one with Google's DNS server. Here's the output, where I've omitted all but one of the mDNS (bonjour) stuff:


DNS configuration

resolver #1
nameserver[0] : 10.27.80.1
if_index : 17 (en11)
flags : Request A records
reach : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
domain : local
options : mdns
timeout : 5
flags : Request A records
reach : 0x00000000 (Not Reachable)
order : 300000

-- snip --


DNS configuration (for scoped queries)

resolver #1
nameserver[0] : 10.27.80.1
if_index : 17 (en11)
flags : Scoped, Request A records
reach : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
nameserver[0] : 8.8.8.8
if_index : 15 (en0)
flags : Scoped, Request A records
reach : 0x00000002 (Reachable)

The first entry is what is used for unscoped queries. That is just the DNS server defined on the first network service. In this terminology I can rephrase my misunderstanding of what you were saying: I was under the impression that you were saying that Firefox does a "scoped query" when following a link on a page, using the interface that delivered that page.

Back in 2018, at https://superuser.com/questions/734063/what-is-a-scoped-dns-query, someone responded:

An application like a web browser most probably queries the meta-resolver, which routes the queries to different resolvers according to rules described in resolver(5) manpage. Applications like dig or host make the queries directly to nameservers, not using the Mac OS X DNS query routing mechanism

So, what is it about the "Mac OS X DNS query routing mechanism" do you understand that motivated you to put different DNS servers on the two different network service entries? In a nutshell, that is my confusion.

My investigation this weekend will be to learn about the MacOS query routing mechanism and Firefox's use of it.
 

nollimac

macrumors 6502
Original poster
Oct 10, 2013
429
34
If Firefox is not involved in DNS, then where the page is from has no bearing on how links on it get resolved.
That's why I said in #16 - "if I make a DNS request, while in that network, that's when it gets resolved. So, if I am on the pfSense webGUI and click on a feed link, that will open another tab in Firefox but use Ethernet 2's DNS to resolve the link's IP."

The pfSense has IDS/IPS feed, such as emerging threats, and if I click on the feed's URL, (on pfSense's Dashboard) it opens on another tab in Firefox BUT it is still the DNS server 10.8.27.1 that resolves the URL NOT Firefox.

So, what is it about the "Mac OS X DNS query routing mechanism" do you understand that motivated you to put different DNS servers on the two different network service entries?
If you examine diagram #8, (network 1) pfSense is my edge router and Mikrotik is my LAN boss to which an Apple Extreme is attached...the Mikrotik does my DNS, not MacOS. Most sophisticated routers/firewalls, such as Mikrotik and pfSense, know all the global name servers and how to reach them in milliseconds. MacOS has no business in my DNS...it follows orders only.
 

svenmany

macrumors demi-god
Jun 19, 2011
2,053
1,332
"if I make a DNS request, while in that network, that's when it gets resolved. So, if I am on the pfSense webGUI and click on a feed link, that will open another tab in Firefox but use Ethernet 2's DNS to resolve the link's IP."

I don't think it works that way. Firefox receives a link and opens it. Nothing tells Firefox which DNS to use. It handles the link in the same way it would if you just typed the URL into the address bar. I still don't know what you mean by "while in that network". Firefox is not in any network.

MacOS has no business in my DNS...it follows orders only.

MacOS does the DNS routing. It decides which DNS server to use. Suppose you type a URL into Firefox, using a domain name found only on Ethernet 2's network. How do you think the DNS server is chosen? I don't want to put words into your mouth, but I think you believe the DNS server you configured for Ethernet 2 is chosen. I believe the DNS server on Ethernet 1 is chosen and fails to resolve the name. I guess after that failure, the next DNS server is queried. SERVFAIL DNS responses can be quick and you might not notice them, especially if the Mikrotik DNS server is doing negative caching.

I got sidetracked today - had to go shopping. I still have my tests to run to firm up my understanding. I did run into a friend of mine at my usual coffee shop. He's a senior enterprise application/network architect. We did compare notes on this topic (as my wife and daughter impatiently waited). He feels strongly that you should only have a single DNS server specified and have it resolve names across all interfaces. So, your Mikrotik DNS server should not only be configured as a caching DNS server (delegating to public DNS servers), but also be configured to resolve the names for the Ethernet 2 network. For high volume situations (which you don't have) it's critical to avoid negative DNS results as part of a normal flow.
 

nollimac

macrumors 6502
Original poster
Oct 10, 2013
429
34
MacOS does the DNS routing. It decides which DNS server to use.
No...not in my network...I, as the network administrator, tell MacOS what, which DNS to use ON THIS network and go as far as ensuring that firewall rules are in place so the MacOS has no choice. You can see that in post #14 in the second pic, DNS 10.8.27.1
He feels strongly that you should only have a single DNS server specified and have it resolve names across all interfaces. So, your Mikrotik DNS server should not only be configured as a caching DNS server (delegating to public DNS servers), but also be configured to resolve the names for the Ethernet 2 network.
YES, that's my case...as I had stated before that here, we are speaking of two separate networks 10.0.8.0/24 and 10.8.27.0/24 each with their own single DNS server...with caching.
 

svenmany

macrumors demi-god
Jun 19, 2011
2,053
1,332
No...not in my network...I, as the network administrator, tell MacOS what, which DNS to use ON THIS network and go as far as ensuring that firewall rules are in place so the MacOS has no choice. You can see that in post #14 in the second pic, DNS 10.8.27.1

YES, that's my case...as I had stated before that here, we are speaking of two separate networks 10.0.8.0/24 and 10.8.27.0/24 each with their own single DNS server...with caching.

I'm still struggling. Maybe you're saying that the Mikrotik DNS server on Ethernet 1's network forwards to 10.8.27.1 for certain zones? That's unrelated to specifying 10.8.27.1 as the DNS server on the interface. From my testing, I've confirmed that specifying a DNS server on other than the first interface has no effect. And your doing that is the only thing that's ever confused me in this thread.

I set up a Linux server on my network. I installed Bind DNS server and Apache web server. I configured Bind to be authoritative for a dummy domain - it was not a registered domain - call it xyz.com for this discussion. I also configured it to not recurse - it could only answer questions about servers in its own domain. I set up a simple webpage in Apache. I set www.xyz.com to resolve to the Linux server. A result of all this was that from my Mac I could access the dummy web page at http://www.xyz.com/bozo.html (assuming that Linux server's name server was used).

I configured one of my two network interfaces to use this new DNS server - interface 2. The other interface, interface 1, was using my usual DNS forwarder (my router).

When interface 1 was first in the network service order, I could reach the internet. I could not reach bozo.html. When interface 2 was first in the network service order, I could reach bozo.html, but not the internet.

When I said earlier: "I guess after that failure, the next DNS server is queried." I said "I guess" because I was suspicious. Both my friend and I didn't think that the failure of the first DNS would trigger the query of the second DNS. In my setup, it didn't.

My original post #13, where I asserted that only the DNS server specified on the first service entry is used, has proven to be true for my test.

I'm willing to drop this if you want. I appreciate the time you've spent. I think I've overstayed my welcome. :)
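To make the two experiments in this thread concrete (the `scutil --dns` output quoted earlier, and the Bind test above where only the first network service's DNS server was consulted), here is an added example that is not part of the thread and not Apple's code. It parses text in the `scutil --dns` format and applies a simplified model of query routing: an unscoped query goes to the resolver whose `domain` is the longest suffix of the name, otherwise to the default resolver of the first network service, and a negative answer is never retried against the DNS server of the next service. The `scutil` text, the `xyz.com` per-domain resolver (the kind an `/etc/resolver/xyz.com` file adds), the `192.0.2.10` Bind host, the `ZONES` answer tables and the model itself are all constructed assumptions for illustration.

```python
"""Parse `scutil --dns` output and model which server a lookup is sent to.
Constructed example for this thread, not Apple's code; the selection rule is an assumption."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed `scutil --dns` text modelled on the output quoted in the thread.
UNSCOPED = """\
DNS configuration

resolver #1
  nameserver[0] : 10.27.80.1
  if_index : 17 (en11)

resolver #2
  domain   : local
  order    : 300000

"""
# Constructed per-domain resolver (the kind an /etc/resolver/xyz.com file adds),
# pointing the dummy xyz.com zone at the authoritative Bind host from the experiment.
XYZ_RESOLVER = """\
resolver #3
  domain   : xyz.com
  nameserver[0] : 192.0.2.10
  order    : 100000

"""
SCOPED = """\
DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 8.8.8.8
  if_index : 15 (en0)
  flags    : Scoped, Request A records
"""
SCUTIL_PLAIN = UNSCOPED + SCOPED                    # the configuration in the thread
SCUTIL_WITH_XYZ = UNSCOPED + XYZ_RESOLVER + SCOPED  # plus a per-domain resolver

# Constructed answers: the router forwarder and 8.8.8.8 know public names only;
# the non-recursive Bind box knows only its dummy xyz.com zone.
ZONES = {
    "10.27.80.1": {"www.example.com": "198.51.100.7"},
    "8.8.8.8": {"www.example.com": "198.51.100.7"},
    "192.0.2.10": {"www.xyz.com": "192.0.2.10"},
}

@dataclass
class Resolver:
    scoped: bool
    nameservers: List[str] = field(default_factory=list)
    domain: Optional[str] = None
    if_name: Optional[str] = None
    order: int = 0

def parse_scutil_dns(text: str) -> List[Resolver]:
    """Turn both `scutil --dns` sections into Resolver records, in file order."""
    resolvers, scoped, cur = [], False, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("DNS configuration"):
            scoped, cur = "scoped" in line, None
        elif re.match(r"resolver #\d+", line):
            cur = Resolver(scoped=scoped)
            resolvers.append(cur)
        elif cur is not None and ":" in line:
            key, _, value = line.partition(":")
            key, value = key.strip(), value.strip()
            if key.startswith("nameserver["):
                cur.nameservers.append(value)
            elif key == "domain":
                cur.domain = value.lower()
            elif key == "if_index":
                m = re.search(r"\((\w+)\)", value)
                cur.if_name = m.group(1) if m else None
            elif key == "order":
                cur.order = int(value)
    return resolvers

def select_resolver(resolvers, hostname, interface=None) -> Optional[Resolver]:
    """Model: scoped query -> that interface's scoped resolver; unscoped query -> resolver
    whose domain is the longest suffix of the name, else the default (first service)."""
    name = hostname.lower().rstrip(".")
    if interface is not None:
        return next((r for r in resolvers if r.scoped and r.if_name == interface), None)
    unscoped = [r for r in resolvers if not r.scoped]
    matches = [r for r in unscoped
               if r.domain and (name == r.domain or name.endswith("." + r.domain))]
    if matches:
        return max(matches, key=lambda r: len(r.domain))
    return min((r for r in unscoped if r.domain is None), key=lambda r: r.order, default=None)

def resolve(resolvers, hostname, interface=None) -> Optional[str]:
    """Ask only the chosen server; a negative answer is final, with no retry against
    the next network service's DNS server (what the Bind experiment above showed)."""
    r = select_resolver(resolvers, hostname, interface)
    if r is None or not r.nameservers:
        return None
    return ZONES.get(r.nameservers[0], {}).get(hostname.lower())
```

With `SCUTIL_PLAIN`, `www.xyz.com` is sent to `10.27.80.1` and comes back unresolved, which matches the result of putting the Bind box on the second interface; with `SCUTIL_WITH_XYZ`, the per-domain entry routes `xyz.com` names to the Bind host while public names still go to the router, which is the effect one would otherwise get by delegating the zone on the router's own DNS server.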
 

svenmany

macrumors demi-god
Jun 19, 2011
2,053
1,332
To see that there are two separate networks, each with its own DNS with caching.

No, that's pretty clear.

In System Preferences, remove the DNS entry you made on the second network service in your picture - the 10.8.27.1 from Ethernet 2. I think your setup will just continue to work. I'd be interested to hear if it doesn't.
 

nollimac

macrumors 6502
Original poster
Oct 10, 2013
429
34
In System Preferences, remove the DNS entry you made on the second network service in your picture - the 10.8.27.1 from Ethernet 2. I think your setup will just continue to work. I'd be interested to hear if it doesn't.
If it's clear, why are you still hesitant to accept that it's by design? Yes, the browser already knows there is another DNS if one removed the other DNS (10.8.27.1), but that's not what the network administrator wants...they want that any DNS request made by clients or IPs on 10.8.27.0/24 must be and is answered by 10.8.27.1...that's what this thread wanted to accomplish and have.
 

svenmany

macrumors demi-god
Jun 19, 2011
2,053
1,332
If it's clear, why are you still hesitant to accept that it's by design? Yes, the browser already knows there is another DNS if one removed the other DNS (10.8.27.1), but that's not what the network administrator wants...they want that any DNS request made by clients or IPs on 10.8.27.0/24 must be and is answered by 10.8.27.1...that's what this thread wanted to accomplish and have.

No, I'm good now. I was confused and am no longer confused.

- I was confused because my understanding of DNS routing in MacOS (how the DNS server is selected for a particular query) was only tentative. I had thought you believed specifying 10.8.27.1 in System Preferences on Ethernet 2 had some effect.

- I'm no longer confused because my understanding of DNS routing in MacOS is firmed up. Now I am pretty certain that specifying 10.8.27.1 in System Preferences on Ethernet 2 has no effect (unless there's some system software on the Mac which overrides its DNS routing). Something else in your design is allowing your Mac to resolve names of the 10.8.27.0/24 network. I know how I would have done it; I would have added NS records on the Mikrotik DNS server so that 10.8.27.1 is set as the DNS server for names on the 10.8.27.0/24 network.

Even if I'm wrong, I'm good. I've taken too much of your time on this thread. I'm happy everything is working for you. Thanks again.
 

nollimac

macrumors 6502
Original poster
Oct 10, 2013
429
34
I had thought you believed specifying 10.8.27.1 in System Preferences on Ethernet 2 had some effect.
You made an assumption here...all I did was manually place the IP and subnet mask...as soon as pfSense VM boots and running, MacOS got the rest of info from the router/firewall...by design.

Now I am pretty certain that specifying 10.8.27.1 in System Preferences on Ethernet 2 has no effect (unless there's some system software on the Mac which overrides its DNS routing).
Wrong...there is no software on the Mac...the router/firewall governs what DNS is used...just like plugging the Mac into the ISP modem will grab the ISP's DNS unless otherwise specified. Telling me how you would do it is a moot point. I wanted to place a Mac Pro as a bridge access to two separate networks with separate DNS for each network...I have successfully done it. Note that DNS is grayed out and you cannot change it...see pic. At least, I am not the only one who has done this (see link in #11).
[Attached screenshot: Screenshot 2023-05-29 at 5.19.52 PM.png]
 

svenmany

macrumors demi-god
Jun 19, 2011
2,053
1,332
Thanks for explaining about the DHCP. Your original screenshot showed "manual", so that didn't occur to me. But it makes sense.

Thanks again for your time.
 