I'm using Bind9 as a DNS service to resolve some domain names internally. The topology is simple, with one router for all internal computers, and all computers using an internal DNS to resolve both internal and external domain names.
Let's say we have a domain name "domain.com", which has a public A record handled by a service provider like GoDaddy and is assigned to a public IP address, while my internal DNS is set (the same domain name) to resolve it as a private IP address internally.
The interesting thing is that on macOS (Ventura), if I use ping or a browser like Safari, that domain name will always be resolved to the public IP. However, if I use dig or nslookup, the resolver and result are correct with the private IP. Flushing DNS (using "dscacheutil -flushcache" and "sudo killall -HUP mDNSResponder", also clearing Bind9 cache) does not resolve this issue.
All these machines have IP addresses and DNS server IP allocated by a DHCP server, and that DNS is the only source for resolving all domain names.
All other systems like Linux or Windows resolve the same domain name correctly to the designated private IP without any problem. Also, it looks like only the domain (or subdomain) that has been assigned a public IP will be resolved incorrectly on macOS (all non-assigned domain or subdomain names are correct internally). So I'm guessing Bind9 is resolving (or recursively using) some forwarders?
are there any configurations to enforce resolving the internal record first? or is there something I need to fix specifically for this case?
Demo
Thank you for any help!
