Kunall Banerjee

macOS cached DNS entries don’t work as I expected

19th April, 2022

I recently ran into some DNS issues, and so like always, I opened up CleanMyMac X and ran the ‘Flush DNS Cache’ maintenance script.

This usually does the trick. However, this time after querying for the service in question using dig, I was still hitting the old IPs. OK, that’s weird because CleanMyMac simply sends a SIGHUP to mDNSResponder to purge the DNS cache, something like this:

sudo killall -HUP mDNSResponder

I confirmed that it was sending the appropriate signal:

sudo log stream --info --predicate 'process == "mDNSResponder"'
Filtering the log data using "process == "mDNSResponder""
Timestamp                       Thread     Type        Activity             PID    TTL
2023-06-26 18:30:54.592258+0530 0x394      Default     0x0                  194    0    mDNSResponder: [com.apple.mDNSResponder:Default] SIGHUP: Purge cache

Okay, the logs say it purged the cache, but how do I know it actually did it? On Windows, I can do something like ipconfig /displaydns and it shows a list of all cached DNS entries. The equivalent of that (or the closest) in macOS is sudo killall -INFO mDNSResponder:

sudo killall -INFO mDNSResponder
2023-06-26 18:40:14.687612+0530 0x394      Default     0x0                  194    0    mDNSResponder: [com.apple.mDNSResponder:Default] Sending SIGINFO to mDNSResponder daemon is deprecated. To trigger state dump, please use 'dns-sd -O', enter 'dns-sd -h' for more information

Maintaining/updating documentation has never been Apple’s strong suit. All right, fine, as you say. I’ll use dns-sd instead.

sudo dns-sd -O
XPC service returns error, description: State dump is only enabled in internal builds

Wtf? Why would you actively choose to disable this feature? I looked up the closest (and previous) builds of mDNSResponder, and found some answers:

typedef enum
{
    ...,
    full_state_to_stdout = 3,           // Dump state to STDOUT
} DNSStateInfo;

Apple allowed you to dump state till build 1310.140.1, but for privacy reasons, they started logging DNS queries to os_log as private. In fact, a previous build of mDNSResponder explicitly states that.

// Feature: Support for having finer granularity of log redaction, by using os_log based-log routine.
// Radar:   <rdar://problem/42814956>
// Enabled: Yes.
#if !defined(MDNSRESPONDER_SUPPORTS_APPLE_OS_LOG)
    #define MDNSRESPONDER_SUPPORTS_APPLE_OS_LOG                     1
#endif

So… I should technically be able to use log to access the private data. Right? Wrong.

sudo log config --mode private_data:on
log: Invalid Modes 'private_data:on'

After some research, I ran into this article, which basically states that without turning off System Integrity Protection (SIP), there is no easy way to get around the above error.

So if you’re a macOS user, you are left with no plausible way to find out your cached DNS entries. At least you can still purge them manually. For now. Another day, another feature disabled/removed by Apple due to “security” concerns.
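What you can still do without SIP changes is verify that the purge happened rather than trust the maintenance script. The script below is an added example, not code from the post: it sends the same SIGHUP, checks the unified log for the "SIGHUP: Purge cache" entry stamped after the signal, and compares the system resolver's answers before and after. It resolves through dscacheutil instead of dig, because dig talks to the nameserver directly and never touches mDNSResponder's cache, so a stale answer from dig says nothing about the local cache. It assumes macOS and takes the hostname as an argument.

```shell
#!/bin/sh
# Added example, not the post's own code. Flush the mDNSResponder cache the way
# CleanMyMac does (SIGHUP), then confirm from the unified log that the purge was
# recorded and compare the system resolver's answers before and after. It uses
# dscacheutil rather than dig because dig bypasses mDNSResponder's cache entirely.
# Assumes macOS; the hostname is whatever you pass on the command line.
# Succeed if $1 (output of `log show`) holds a purge line stamped at or after
# $2 (HH:MM:SS, same day). The time is the second field of each log line.
purge_logged() {
    printf '%s\n' "$1" | awk -v since="$2" '
        / SIGHUP: Purge cache/ {
            split($2, t, ".")          # "18:30:54.592258+0530" -> "18:30:54"
            if (t[1] >= since) found = 1
        }
        END { exit found ? 0 : 1 }'
}
# Succeed if two whitespace-separated address lists differ as sets.
answers_differ() {
    [ "$(printf '%s\n' $1 | sort -u)" != "$(printf '%s\n' $2 | sort -u)" ]
}
# Resolve $1 through the system resolver (mDNSResponder) and print the addresses.
resolve() {
    dscacheutil -q host -a name "$1" | awk '/^ip_address:/ { print $2 }'
}
flush_and_verify() {
    before=$(resolve "$1")
    stamp=$(date +%H:%M:%S)
    sudo killall -HUP mDNSResponder
    sleep 1
    recent=$(sudo log show --last 1m --info --predicate 'process == "mDNSResponder"')
    if ! purge_logged "$recent" "$stamp"; then
        echo "no 'SIGHUP: Purge cache' entry in the log after $stamp" >&2
        return 1
    fi
    echo "log confirms the purge at or after $stamp"
    after=$(resolve "$1")
    if answers_differ "$before" "$after"; then
        echo "answers changed: [$before] -> [$after]"
    else
        echo "answers unchanged; a stale entry may be cached upstream, not in mDNSResponder"
    fi
}
# Only the functions are defined unless you ask: sh flushcheck.sh --run example.com
case "${1:-}" in
    --run) flush_and_verify "$2" ;;
esac
```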