How to configure macOS to use another DNS resolver on a per-domain basis.

At work we have some internal subdomains that only resolve via a specific DNS server only available via a VPN, that is pushed automatically upon connection.

I don’t want all my queries to go trough this DNS resolver, mainly because the one I usually use blocks ads and trackers.

After doing some research, I stumbled upon this tip on Mac OS X Hints from… 2004!

The solution is simple: to specify the resolver to use for a specific domain, create a file named after the domain in /etc/resolver/ and add the nameservers.

stanislas@mbp ~> cat /etc/resolver/domain.tld

Now, all my queries for domain.tld will be resolved by

The caveat with this technique is that tools like dig won’t actually resolve domains like apps and will bypass this.

To make sure your config works you better use scutil --dns:

resolver #8
  domain : domain.tld
  nameserver[0] :
  flags : Request A records, Request AAAA records
  reach : 0x00000002 (Reachable)

Try to ping the domains to test your changes. If it doesn’t work, the easiest way might be to reboot 🤷‍♂️. I haven’t found a better solution to get it to work right away.

Since the domain also contains publicly-accessible websites that I use, I want to be able to access them without the VPN. To do so, I just add another resolver in the file above. It will add some latency because of the fallback, but it will work.