At work we have some internal subdomains that only resolve via a specific DNS server only available via a VPN, that is pushed automatically upon connection.
I don’t want all my queries to go trough this DNS resolver, mainly because the one I usually use blocks ads and trackers.
After doing some research, I stumbled upon this tip on Mac OS X Hints from… 2004!
The solution is simple: to specify the resolver to use for a specific domain, create a file named after the domain in
/etc/resolver/ and add the nameservers.
stanislas@mbp ~> cat /etc/resolver/domain.tld nameserver 192.168.42.42
Now, all my queries for
domain.tld will be resolved by
The caveat with this technique is that tools like
dig won’t actually resolve domains like apps and will bypass this.
To make sure your config works you better use
resolver #8 domain : domain.tld nameserver : 192.168.42.42 flags : Request A records, Request AAAA records reach : 0x00000002 (Reachable)
Try to ping the domains to test your changes. If it doesn’t work, the easiest way might be to reboot 🤷♂️. I haven’t found a better solution to get it to work right away.
Since the domain also contains publicly-accessible websites that I use, I want to be able to access them without the VPN. To do so, I just add another resolver in the file above. It will add some latency because of the fallback, but it will work.