
I run what I presume is a fairly standard nerd setup: Unifi networking gear, and a local DNS for adblocking and a custom internal domain mapping (*.home).

Very regularly, all of a sudden, my Mac will just fail for internal DNS. foo.home? Never heard of it. External DNS continues unaffected. So wearily I break out the old sudo killall -HUP mDNSResponder (sometimes twice) and all of a sudden all is well in the world again.

dig and nslookup don't use the macOS DNS system, and they continue to work just fine through these outages.

In an outage, if I run dscacheutil -q host -a name foo.home I get nothing. Restart mDNSResponder and it provides output just fine:

name: foo.home
ip_address: 192.168.1.4

Same for dns-sd -q foo.home:

DATE: ---Wed 12 Jul 2023---
10:39:54.691  ...STARTING...
Timestamp     A/R  Flags         IF  Name                          Type   Class  Rdata
10:39:54.692  Add  40000002       0  foo.home.v                    Addr   IN     0.0.0.0    No Such Record

Then restart mDNSResponder and:

DATE: ---Wed 12 Jul 2023---
10:58:17.585  ...STARTING...
Timestamp     A/R  Flags         IF  Name                          Type   Class  Rdata
10:58:17.591  Add  2              0  foo.home.                     Addr   IN     192.168.1.4

This failure quite often will poison browser-internal DNS caches and I will have to clear them; this is the case with Brave, Firefox and Safari that I've seen so far.

This is my scutil --dns output:

DNS configuration

resolver #1
  search domain[0] : tail44a85.ts.net
  search domain[1] : home
  nameserver[0]    : 100.100.100.100
  if_index         : 22 (utun3)
  flags            : Supplemental, Request A records, Request AAAA records
  reach            : 0x00000003 (Reachable,Transient Connection)
  order            : 100200

resolver #2
  nameserver[0]    : 192.168.1.4
  nameserver[1]    : 9.9.9.9
  if_index         : 15 (en0)
  flags            : Request A records
  reach            : 0x00020002 (Reachable,Directly Reachable Address)
  order            : 200000

resolver #3
  domain           : tail44a85.ts.net.
  nameserver[0]    : 100.100.100.100
  if_index         : 22 (utun3)
  flags            : Supplemental, Request A records, Request AAAA records
  reach            : 0x00000003 (Reachable,Transient Connection)
  order            : 100201

resolver #4
  domain           : local
  options          : mdns
  timeout          : 5
  flags            : Request A records
  reach            : 0x00000000 (Not Reachable)
  order            : 300000

resolver #5
  domain           : 254.169.in-addr.arpa
  options          : mdns
  timeout          : 5
  flags            : Request A records
  reach            : 0x00000000 (Not Reachable)
  order            : 300200

resolver #6
  domain           : 8.e.f.ip6.arpa
  options          : mdns
  timeout          : 5
  flags            : Request A records
  reach            : 0x00000000 (Not Reachable)
  order            : 300400

resolver #7
  domain           : 9.e.f.ip6.arpa
  options          : mdns
  timeout          : 5
  flags            : Request A records
  reach            : 0x00000000 (Not Reachable)
  order            : 300600

resolver #8
  domain           : a.e.f.ip6.arpa
  options          : mdns
  timeout          : 5
  flags            : Request A records
  reach            : 0x00000000 (Not Reachable)
  order            : 300800

resolver #9
  domain           : b.e.f.ip6.arpa
  options          : mdns
  timeout          : 5
  flags            : Request A records
  reach            : 0x00000000 (Not Reachable)
  order            : 301000

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : home
  nameserver[0]    : 192.168.1.4
  nameserver[1]    : 9.9.9.9
  if_index         : 15 (en0)
  flags            : Scoped, Request A records
  reach            : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  search domain[0] : tail44a85.ts.net
  nameserver[0]    : 100.100.100.100
  if_index         : 22 (utun3)
  flags            : Scoped, Request A records, Request AAAA records
  reach            : 0x00000003 (Reachable,Transient Connection)

I have seen a few mutterings on the internet that having a 'fallback' DNS can be the problem, i.e. mDNSResponder tries our local boy, has a hiccup due to whatever network or service weirdness, and then writes it off and goes to DNS #2. I'm not sure how to test this hypothesis. I serve 2 DNS servers in the DHCP config so that if the local service fails/crashes etc. the other house occupants don't experience a full failure of 'the internet'.

I do run Tailscale but I've found this issue predates my use of it.

My local DNS service is AdGuard running as a Home Assistant Supervised Docker container. DHCP is provided by the Unifi USG.

Unifi DHCP DNS Settings

I've tried parsing the logs in Console.app for mDNSResponder, but it's a bit cryptic since it seems to hash values and I'm not 100% sure what I'm looking for.

The internet has quite a few hits around this sort of thing, some more interesting ones being:

I've found this issue predates Ventura. It's been going on for years and I'm pretty sick of it, so I would like to get to the bottom of what's going on here.
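One way to test the fallback hypothesis from the post, as an added example that is not part of the original question: poll the system resolver path (dscacheutil, which goes through mDNSResponder) alongside direct queries to each DHCP-served nameserver, and classify every sample. If outages coincide with 192.168.1.4 itself not answering, failover to 9.9.9.9 (which has no .home zone) is a plausible cause; if 192.168.1.4 answers throughout while dscacheutil returns nothing, the stale state is inside mDNSResponder. The host and server addresses are taken from the post; the function names, the log window and the "Wi-Fi" service name in the usage note are assumptions.

```shell
#!/usr/bin/env bash
# Added diagnostic script (not from the original post). Compares the macOS
# system resolver with direct queries to the primary and fallback nameservers
# so that each "internal DNS outage" can be attributed to one of them.
HOST="${HOST:-foo.home}"             # name that disappears during outages (from the post)
PRIMARY="${PRIMARY:-192.168.1.4}"    # local AdGuard instance (from the post)
FALLBACK="${FALLBACK:-9.9.9.9}"      # second DHCP-served nameserver (from the post)
INTERVAL="${INTERVAL:-30}"           # seconds between samples (assumed)

# First A record the system resolver (mDNSResponder path) returns; empty if none.
system_lookup() {
    dscacheutil -q host -a name "$1" 2>/dev/null |
        awk '$1 == "ip_address:" { print $2; exit }'
}

# First A record from one nameserver queried directly, bypassing mDNSResponder
# (this is the path dig takes, which the post says keeps working).
direct_lookup() {   # $1 = server, $2 = name
    dig +short +time=2 +tries=1 @"$1" "$2" A 2>/dev/null |
        awk '/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print; exit }'
}

# Pure decision logic, kept free of macOS tools so it can be unit-tested anywhere.
# Arguments: system-answer primary-answer fallback-answer (each may be empty).
classify() {
    local sys="$1" pri="$2" fb="$3"
    if [ -n "$sys" ] && [ "$sys" = "$pri" ]; then
        echo "ok"                     # system resolver agrees with the local server
    elif [ -z "$sys" ] && [ -z "$pri" ]; then
        echo "primary-unreachable"    # consistent with failover to the fallback server
    elif [ -z "$sys" ]; then
        echo "system-resolver-stale"  # primary answers, mDNSResponder does not
    elif [ -n "$fb" ] && [ "$sys" = "$fb" ]; then
        echo "answer-from-fallback"   # system answer matches the fallback, not the primary
    else
        echo "answer-mismatch"        # cached or otherwise inconsistent answer
    fi
}

# Sample forever, one line per interval; on anything but "ok", dump the last
# minute of mDNSResponder log lines (run under sudo for the unredacted view).
monitor() {
    while :; do
        sys=$(system_lookup "$HOST")
        pri=$(direct_lookup "$PRIMARY" "$HOST")
        fb=$(direct_lookup "$FALLBACK" "$HOST")
        state=$(classify "$sys" "$pri" "$fb")
        printf '%s system=%s primary=%s fallback=%s state=%s\n' \
            "$(date '+%Y-%m-%dT%H:%M:%S')" "${sys:--}" "${pri:--}" "${fb:--}" "$state"
        if [ "$state" != "ok" ]; then
            log show --last 1m --info --debug \
                --predicate 'process == "mDNSResponder"' 2>/dev/null | tail -n 40
        fi
        sleep "$INTERVAL"
    done
}

# Only start polling when invoked as "dns_watch.sh run", so the functions can
# also be sourced and exercised on their own.
if [ "${1:-}" = "run" ]; then
    monitor
fi
```

Leave it running in a terminal until the next outage and read the state column: a run of "primary-unreachable" samples just before the failure supports the fallback theory, while "system-resolver-stale" with the primary still answering points at mDNSResponder's own cache. To remove the fallback for this Mac only, without touching what DHCP hands to the rest of the house, sudo networksetup -setdnsservers Wi-Fi 192.168.1.4 overrides the DHCP-supplied servers for that service (sudo networksetup -setdnsservers Wi-Fi Empty restores them); if the outages stop, the hypothesis holds. "Wi-Fi" is an assumed service name; networksetup -listallnetworkservices shows the real one.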
