Local wildcard DNS on macOS with dnsmasq#

I wanted to get wildcard DNS running on my Mac laptop, for development purposes. I wanted http://anything.mysite.lan/ to point to my localhost IP address.

I figured out how to do this using dnsmasq, installed via Homebrew.

THIS MAY BE UNNECESSARY#

Tip from Daniel Landau - anything.localhost (and foo.anything.localhost) should resolve to 127.0.0.1 already. This seems to work on macOS, so this entire TIL is likely obsolete.

1
dig foo.bar.localhost

1
; <<>> DiG 9.10.6 <<>> foo.bar.localhost
2
;; global options: +cmd
3
;; Got answer:
4
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 58764
5
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
6

7
;; OPT PSEUDOSECTION:
8
; EDNS: version: 0, flags:; udp: 512
9
;; QUESTION SECTION:
10
;foo.bar.localhost.    IN  A
11

12
;; AUTHORITY SECTION:
13
.      10800  IN  SOA  a.root-servers.net. nstld.verisign-grs.com. 2023063000 1800 900 604800 86400
14

15
;; Query time: 241 msec
16
;; SERVER: 127.0.0.1#53(127.0.0.1)
17
;; WHEN: Fri Jun 30 07:15:48 PDT 2023
18
;; MSG SIZE  rcvd: 121

Also this broke DNS for me on other networks - see note at the bottom for details.

Original TIL continues here#

Some clues:

This conversation with ChatGPT inspired me to look at dnsmasq.
This Gist about dnsmasq from 2013 has a ton of relevant comments.

Installing and configuring dnsmasq#

I installed dnsmasq using Homebrew:

1
brew install dnsmasq

Then I viewed the configuration file that had been installed like this:

1
cat $(brew --prefix)/etc/dnsmasq.conf

Based on the discussion in the Gist comments I decided to point *.lan (which includes any level of subdomains, so you can do foo.bar.lan) to 127.0.0.1. I did that using:

1
echo 'address=/.lan/127.0.0.1' >> $(brew --prefix)/etc/dnsmasq.conf

Starting the service using sudo#

I tried running brew services start dnsmasq without sudo and it appeared to work, but didn’t. The correct command to run is:

1
sudo brew services start dnsmasq

Weirdly, even the brew services list command needs to be run as sudo. Here’s what I get with and without sudo for that command:

1
brew services list

1
Name    Status     User File
2
caddy   none
3
dnsmasq error  512 root ~/Library/LaunchAgents/homebrew.mxcl.dnsmasq.plist
4
unbound none

1
sudo brew services list

1
Name    Status  User File
2
caddy   none
3
dnsmasq started root /Library/LaunchDaemons/homebrew.mxcl.dnsmasq.plist
4
unbound none

Testing dnsmasq#

Running dig and specifically telling it to use the new 127.0.0.1 DNS server works:

1
dig foo.test.lan @127.0.0.1

1
; <<>> DiG 9.10.6 <<>> foo.test.lan @127.0.0.1
2
;; global options: +cmd
3
;; Got answer:
4
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10618
5
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
6

7
;; OPT PSEUDOSECTION:
8
; EDNS: version: 0, flags:; udp: 4096
9
;; QUESTION SECTION:
10
;foo.test.lan.      IN  A
11

12
;; ANSWER SECTION:
13
foo.test.lan.    0  IN  A  127.0.0.1
14

15
;; Query time: 0 msec
16
;; SERVER: 127.0.0.1#53(127.0.0.1)
17
;; WHEN: Fri Jun 30 05:43:11 PDT 2023
18
;; MSG SIZE  rcvd: 57

Configuring macOS to use the new DNS server#

I searched for “dns” in macOS system preferences, clicked on “DNS servers” and used the + button to add 127.0.0.1 to my list of DNS servers, leaving the previous entry in there too.

Screenshot of that panel in the macOS system preferences

Having done this, running cat /etc/resolv.conf showed me this, with a confusing warning message:

1
#
2
# macOS Notice
3
#
4
# This file is not consulted for DNS hostname resolution, address
5
# resolution, or the DNS query routing mechanism used by most
6
# processes on this system.
7
#
8
# To view the DNS configuration used by this system, use:
9
#   scutil --dns
10
#
11
# SEE ALSO
12
#   dns-sd(1), scutil(8)
13
#
14
# This file is automatically generated.
15
#
16
nameserver 127.0.0.1
17
nameserver 10.0.0.1

Running scutil --dns gave me this (truncated):

1
scutil --dns

1
DNS configuration
2

3
resolver #1
4
  nameserver[0] : 127.0.0.1
5
  nameserver[1] : 10.0.0.1
6
  flags    : Request A records, Request AAAA records
7
  reach    : 0x00030002 (Reachable,Local Address,Directly Reachable Address)
8

9
resolver #2
10
  # ...
11
DNS configuration (for scoped queries)
12

13
resolver #1
14
  nameserver[0] : 127.0.0.1
15
  nameserver[1] : 10.0.0.1
16
  if_index : 15 (en0)
17
  flags    : Scoped, Request A records, Request AAAA records
18
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

Finally, I ran a quick HTTP server using python -m http.server 8005 and confirmed that http://foo.bar.lan:8005/ in my browser worked as expected - which it did.

This broke DNS for me on other networks#

When I tried connecting to other networks later on the same day I found that DNS lookups were not working.

I eventually figured out why by running scutil --dns and noting that it was always trying to hit 10.0.0.1.

The fix was to open up the DNS servers area in Network settings again and remove ALL of the nameservers from that list. Once I did that the DNS server for the WiFi network I was connected to started working again.