Thanks to Erik for pointing this out; he has also put up an easy HOWTO for fixing this on his blog.

So it turns out all is not lost: you can still revert to the original behaviour of Apple's resolver. They've added a parameter to mDNSResponder called -AlwaysAppendSearchDomains, which implies that the new behaviour was very intentional. I had read that Windows apparently made a similar change in one of their past updates as well, so I guess this is meant to help fight some phishing attacks, maybe? Either way, très annoying!

Anyway, the gist of the fix is this:

Open up /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist (you will need root to edit it) and add the following parameter to the list in the ProgramArguments block:

-AlwaysAppendSearchDomains

Then reload its launchd config (also as root); this should take care of restarting it as well:

launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
launchctl load -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

And…

icarus:~ bseibel$ ping util01.tor
PING util01.tor.verticalscope.com (67.223.104.5): 56 data bytes

YAY!
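Here is the same edit done from a shell, as an added example that is not from the post or from Erik's HOWTO. It builds a constructed stand-in for the plist (the real file carries more keys; only the ProgramArguments array matters), inserts the flag with awk so that it runs on any Unix and is safe to re-run, and counts the arguments so you can see the array grew by exactly one. The commented lines at the end are what you would run as root on the Mac itself.

```shell
#!/bin/sh
# Added example, not from the post or Erik's HOWTO: add -AlwaysAppendSearchDomains
# to the ProgramArguments array of the mDNSResponder launchd plist and verify it.
# The edit is done with awk rather than PlistBuddy so the example runs on any
# Unix; re-running it is harmless.

# Constructed stand-in for /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
# (the real file carries more keys; only the ProgramArguments array matters here).
make_sample_plist() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>com.apple.mDNSResponder</string>
	<key>ProgramArguments</key>
	<array>
		<string>/usr/sbin/mDNSResponder</string>
		<string>-launchd</string>
	</array>
	<key>KeepAlive</key>
	<true/>
</dict>
</plist>
EOF
}

# Print 1 if the flag is already in the plist, 0 otherwise.
has_flag() {
  if grep -q '<string>-AlwaysAppendSearchDomains</string>' "$1"; then echo 1; else echo 0; fi
}

# Insert the flag as the last element of the ProgramArguments array.
# Idempotent: does nothing when the flag is already present.
add_flag() {
  file="$1"
  if [ "$(has_flag "$file")" = 1 ]; then return 0; fi
  awk '
    index($0, "<key>ProgramArguments</key>") { in_args = 1 }
    in_args && index($0, "</array>") {
      print "\t\t<string>-AlwaysAppendSearchDomains</string>"
      in_args = 0
    }
    { print }
  ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Number of ProgramArguments entries, so you can see the array grew by exactly one.
arg_count() {
  awk '
    index($0, "<key>ProgramArguments</key>") { in_args = 1; next }
    in_args && index($0, "</array>") { in_args = 0 }
    in_args && index($0, "<string>") { n++ }
    END { print n + 0 }
  ' "$1"
}

# Offline demo on the constructed file.
demo_plist="${TMPDIR:-/tmp}/mDNSResponder-demo.plist"
make_sample_plist "$demo_plist"
echo "before: $(arg_count "$demo_plist") args, flag=$(has_flag "$demo_plist")"
add_flag "$demo_plist"
echo "after:  $(arg_count "$demo_plist") args, flag=$(has_flag "$demo_plist")"
rm -f "$demo_plist"

# On the Mac itself (as root), keeping a backup and linting before reloading:
#   cp /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist /var/root/mDNSResponder.plist.bak
#   add_flag /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
#   plutil -lint /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
#   launchctl unload -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
#   launchctl load -w /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
```

Keep the backup: a malformed plist means mDNSResponder does not load at all, which takes every name lookup on the machine with it, so run plutil -lint before the launchctl reload and restore the backup if it complains.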

6 Responses to Fix for broken search domain resolution in OSX Lion

  1. Ernst Mulder says:

    Thanks! That’s one problem fixed. I am curious what security issue could have prompted this change though.

    Now on to step two: how do I get 10.7 to look up /etc/hosts entries before consulting the DNS?

  2. Bill says:

    See here.

    In short, with a search path, a DNS search for a particular site may inadvertently (or maliciously) be resolved by a reference at another site.

    Say for example you have a DNS search path of “foo.com” because you want to be able to resolve the host “bar.foo.com” by just typing “bar.” So far, so good.

    Well, what happens if someone creates a site “amazon.com.foo.com.” Yep, when you enter “amazon.com” into a browser, DNS will resolve it to “amazon.com.foo.com” if that host exists, and if that host happens to be a malicious site that mimics amazon.com… you get the idea.

    • Sure, but how many people add a search for a malicious user's domain?

      In reality, the majority of people are likely using it within organizations to help with their ridiculously long internal domain names. And if someone is updating internal zones with malicious intent, well, sounds like you've got bigger problems.
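To make the search-path point in the comments concrete, here is a small model of which names a stub resolver actually queries for a given input, added here as an example; it is not from the post, the commenters, or Apple's mDNSResponder. It assumes the classic BSD resolver rules (ndots:1) for the -AlwaysAppendSearchDomains case and, for the Lion default, that a name containing a dot is looked up only as given; the search domains and hostnames are the ones from this page and are constructed inputs.

```shell
#!/bin/sh
# Added example, not from the post or from Apple's mDNSResponder: model which
# fully-qualified names a stub resolver will query for a user-supplied name
# under the two behaviours discussed above.
#
#   always : -AlwaysAppendSearchDomains, modelled as the classic BSD resolver
#            with ndots:1 (a dotted name is tried as given first, then with each
#            search domain appended; a single label gets the search domains first)
#   lion   : Lion default, modelled as "a name containing a dot is never searched"
#
# Both models are assumptions for illustration, not a reading of Apple's source.

# candidates MODE NAME SEARCH_DOMAIN...
# Prints one absolute candidate per line in the order it would be tried.
candidates() {
  mode="$1"; name="$2"; shift 2
  case "$name" in
    *.) printf '%s\n' "$name"; return 0 ;;   # trailing dot: absolute, never searched
  esac
  case "$name" in
    *.*) dotted=1 ;;
    *)   dotted=0 ;;
  esac
  if [ "$dotted" = 1 ]; then
    printf '%s.\n' "$name"                  # dotted name: as given, first
    if [ "$mode" = lion ]; then return 0; fi   # Lion default stops here
  fi
  for d in "$@"; do                         # then each search domain in turn
    printf '%s.%s.\n' "$name" "$d"
  done
  if [ "$dotted" = 0 ]; then
    printf '%s.\n' "$name"                  # single label: bare name tried last
  fi
  return 0
}

# spoofable ZONE MODE NAME SEARCH_DOMAIN...
# Prints the candidates that fall under ZONE, i.e. the queries that whoever
# controls ZONE (for instance one of your search domains) could answer with
# any address they like.
spoofable() {
  zone="$1"; shift
  candidates "$@" | grep -F ".$zone." || true
}

# Constructed demo inputs: search domain foo.com from the comment above,
# util01.tor and verticalscope.com from the post.
echo "== always-append, amazon.com with search foo.com"
candidates always amazon.com foo.com
echo "== lion default, amazon.com with search foo.com"
candidates lion amazon.com foo.com
echo "== lion default, util01.tor with search verticalscope.com"
candidates lion util01.tor verticalscope.com
echo "== always-append, util01.tor with search verticalscope.com"
candidates always util01.tor verticalscope.com
echo "== queries the owner of foo.com could answer (always-append)"
spoofable foo.com always amazon.com foo.com
```

Two things the output makes visible that the prose does not. In the always-append case amazon.com is tried as an absolute name first and amazon.com.foo.com only if that query comes back empty, so the spoof described in the comment needs the first lookup to fail (a typo like amazon.cmo, a zone that is unreachable, or an attacker who also interferes with the first answer). And the lion output for util01.tor is exactly the breakage the post fixes: the search domain is never appended to a dotted name, so the short internal name simply never resolves.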

  3. Scott says:

    Thanks for the discussion and fix.

    I am also having an issue in that

    $ hostname -f

    only returns the short name and not the FQDN. Any ideas?

  4. [...] fixes to things: The domain resolution described here and the 2 hourly automatic wake from sleep described [...]
