Summary:
Users on macOS and iOS devices may report "Unknown Host" or "Server Not Found" errors when attempting to access internal services (e.g., app-service.enterprise.com), even though the same services are reachable from Windows or Android devices. This issue is a specific case of a broken CNAME resolution chain. It occurs when a public or internal alias points to a target ending in .local, triggering Apple’s strict adherence to RFC 6762 (Multicast DNS).
Symptoms:
- Device Specificity: Only macOS and iOS devices are affected.
- Network Behavior: nslookup (which queries nameservers directly) succeeds, but ping, Safari, or Chrome (which use the system resolver) fail.
- Error Message: ping: cannot resolve [service.url]: Unknown host.
Root Cause Analysis:
The failure occurs because the macOS/iOS system resolver cannot "chase" the second half of a DNS lookup when it involves a .local suffix.
1. The Resolution Chain Case
In this scenario, a DNS query follows this path:
- User requests: app-service.enterprise.com
- DNS Server responds: "That is an alias (CNAME) for target.infra.local."
- The Break: Apple's system resolver sees .local and stops the chain.
2. Apple’s Compliance with RFC 6762
Apple devices strictly follow RFC 6762, which designates the .local suffix exclusively for Multicast DNS (mDNS/Bonjour).
- Under this standard, the system resolver is instructed not to query traditional Unicast DNS servers for any domain ending in .local.
- Instead, the device broadcasts a discovery packet to the immediate physical Wi-Fi/LAN segment.
3. Why it works on Windows/Android
Other operating systems often employ a "non-standard" or "permissive" hybrid approach. If a .local address is not found via mDNS, they will "failover" and query the internal DNS server to complete the CNAME chain. While user-friendly, this behavior deviates from what apple product does.
4. The Failure Result
Because the requested host/infrastructure is not physically present on the user's local network segment, Apple's mDNS broadcast returns no results. The system stops the lookup before ever asking the company's nameservers for the second half of the CNAME record.
Technical Proof:
If you run the following tests on an affected Mac, you will see the discrepancy:
Command | Result | Reason |
nslookup app-service.enterprise.com | Success | Bypasses system rules to talk directly to the configured nameserver. |
ping app-service.enterprise.com | Failure | Uses system resolver; adheres to RFC 6762 and halts at the .local CNAME. |
Resolution: Search Domain Configuration
To force Apple devices to "trust" the Unicast DNS server for .local targets and complete the resolution chain, the domain must be explicitly defined in the Search Domains list pushed via the VPN profile. This is the only supported method to override mDNS behavior for the .local suffix on Apple products as an example described below.
Domain Suffix | Priority | Purpose |
infra.local | Critical | Completes the CNAME chain by allowing Unicast resolution of .local targets. |
internal.corp | Recommended | Provides a fallback for broader infrastructure resources. |