Issues with DNS on macOS not looking up hostnames on LAN from internal DNS server

I had an issue recently with a client who was unable to resolve servers on the local network by hostname.

What was really odd was that some command-line tools, such as host, nslookup and dig, all seemed to work correctly; for example, I could type host server.internal.example.com and it would return the correct IP address.

Some other tools, such as ping, however, wouldn't work: ping server.internal.example.com would say that it couldn't resolve the hostname (unknown host).

Looking at the hosts file showed two DNS servers, one internal and one external, and querying the internal DNS server directly always gave the correct results.

As it turns out, what was happening is that macOS (since, I think, Ventura), when presented with multiple DNS servers, checks whether any of them support DNSSEC. If one of the DNS servers supports DNSSEC, macOS will completely ignore the other DNS servers that don't support it, even if those servers are on the LAN. Any service that uses the operating system's DNS resolver is then unable to look up hostnames in the internal DNS.

To fix this, I removed the external DNS server (which had been added as a redundancy measure) and left only internal DNS servers in the list. Once this was done, the issue was resolved.
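The check I would run before and after a change like this, written up as an added example rather than anything from the original post: it lists the resolvers macOS actually has configured (from scutil --dns, which is where the system resolver's view lives), flags a list that mixes LAN and external servers, and then compares what each server answers when queried directly with dig against what the system resolver path (dscacheutil, the same path ping uses) returns. The abridged scutil output embedded below is constructed so the parsing can be exercised offline; the host name, server addresses and the assumption that dig, dscacheutil and scutil are present on the Mac are all mine.

```shell
#!/bin/sh
# Added example (not from the original post). Diagnoses the "dig works but ping
# does not" split by comparing direct server queries with the system resolver.

# Constructed, abridged sample of `scutil --dns` output, used so the parser can
# be tested without a Mac. Addresses are illustrative only.
SAMPLE_SCUTIL='DNS configuration

resolver #1
  search domain[0] : internal.example.com
  nameserver[0] : 10.0.0.53
  nameserver[1] : 203.0.113.53
  if_index : 14 (en0)
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5'

# list_nameservers: read `scutil --dns` output on stdin, print each nameserver
# IP once, in the order macOS lists them.
list_nameservers() {
    awk '/^[ \t]*nameserver\[[0-9]+\][ \t]*:/ && !seen[$3]++ { print $3 }'
}

# is_rfc1918: succeed if the IPv4 address is in a private (LAN) range.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# has_mixed_servers: read nameserver IPs on stdin; succeed if the list contains
# both LAN and non-LAN servers, the situation described in the post.
has_mixed_servers() {
    lan=0
    ext=0
    while read -r ns; do
        if is_rfc1918 "$ns"; then lan=1; else ext=1; fi
    done
    [ "$lan" -eq 1 ] && [ "$ext" -eq 1 ]
}

# compare_resolution NAME: macOS only. Query every configured server directly
# (bypassing the system resolver, as dig/host/nslookup do), then ask the system
# resolver via dscacheutil, which goes through mDNSResponder like ping does.
compare_resolution() {
    name=$1
    scutil --dns | list_nameservers | while read -r ns; do
        direct=$(dig +short +time=2 +tries=1 "@$ns" "$name" A | head -n 1)
        if is_rfc1918 "$ns"; then kind=LAN; else kind=external; fi
        printf '%-16s (%s) direct answer: %s\n' "$ns" "$kind" "${direct:-<none>}"
    done
    if scutil --dns | list_nameservers | has_mixed_servers; then
        echo "warning: resolver list mixes LAN and external servers"
    fi
    sys=$(dscacheutil -q host -a name "$name" | awk '/^ip_address:/ { print $2; exit }')
    printf 'system resolver answer: %s\n' "${sys:-<unresolved>}"
}

# Usage: sh dnscheck.sh server.internal.example.com   (hypothetical host name)
if [ $# -gt 0 ]; then
    compare_resolution "$1"
fi
```

If the direct answers from the LAN server are correct but the system resolver line says unresolved, the fault is in how macOS is choosing between the configured servers, not in the internal DNS server itself; re-run after trimming the list to internal servers only to confirm the fix.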
