macOS 26 breaks custom DNS settings including .internal (gist.github.com)

228 points by adamamyl 4 hours ago

One of those 'woke up to MacOS updates' and finding none of my dockers are reachable via dnsmasq (which I use), and low and behold, an update silently breaks custom dns resolution. Hopefully Apple will listen to the bug report I've made. Hold off on updating if you use this…

mrbuttons454 3 hours ago

Papercuts like this are why I moved away from macOS.

I will say, I don't love the use of LLMs to write these bug reports. It's probably fine if reviewed, but at least review for things like "worked on macOS 25", which obviously didn't exist. If that wasn't caught, how sure are you that the rest of the report is accurate? We all want the bugs fixed, but people are going to start throwing out the obviously LLM written reports rather than have to validate each claim, since the author probably didn't.

827a 2 hours ago

It's my strong belief that using AI in any capacity which does not upfront state "the following content was generated by artificial intelligence" is never acceptable. In most situations, allowing an AI to wield your name gives off the scent of "My time is more valuable than yours, so I've automated writing to you." It is quite disgraceful. If your use-case would be materially harmed by an upfront disclosure of AI generated content, then you need to take a good, hard think on what that means for what you're doing (then again, maybe you're not interested in thinking anymore and that's how you got to this point in your life).

misnome 2 hours ago

It’s good-faith arbitrage. Until everyone automatically suspects everything to be LLM generated and there is zero trust, anyone doing this is eroding the good faith that lets them get away with it in the first place.

brookst an hour ago

Same thing as using a word processor and printer rather than handwriting a note. Inexcusable.

chuckadams 3 hours ago

I'm used to papercuts on every OS, but at least with a Linux box I can roll it back. Usually it's as easy as picking the previous boot menu entry (with NixOS, the whole system rolls back that way). I find macOS acceptable enough for my laptop, but I'm doing most of my real work in Linux containers anyway.

rectang 2 hours ago

> Papercuts like this are why I moved away from macOS.

It's been this way for decades. Microsoft was known for preserving backwards compatibility, while Apple was known for being willing to break stuff.

The differences aren't that extreme in reality: Microsoft breaks stuff more than it used to, while Apple has become comparatively more conservative than once upon a time.

Barbing 3 hours ago

Yes, for the time being the final report should probably come from us (but endless opportunity along the way to clarify thinking and understand industry standard terms).

duped 3 hours ago

Using LLMs for any kind of writing is unethical, with the narrow exception of translation. If you didn't take the time to compose your words thoughtfully then you aren't owed the time to read them.

rebolek 2 hours ago

Using an LLM is perfect for writing documentation, which is something I always had problems with.

eru 3 hours ago

Unless you pay me, you aren't owed anything.

dec0dedab0de 3 hours ago

There is a huge difference between using an LLM and just blindly dumping its output on someone verbatim.

I think it's fine to have an llm write a first or second draft of something, then go through and reword most of it to be in your own voice.

zer00eyz 3 hours ago

> If you didn't take the time to compose your words thoughtfully then you aren't owed the time to read them.

Apply this argument to code, to art, to law, to medicine.

It fails spectacularly.

Blaming the tool for the failure of the person is how you get outrageous arguments that photography cant be art, that use of photoshop makes it not art...

Do you blame the hammer or the nail gun when the house falls down, or is it the fault of the person who built it?

If you dont know what you're doing, it isnt the tools fault.

yearolinuxdsktp 2 hours ago

I disagree with the downvotes, but let me put it differently: if you don't understand, haven't reviewed and aren't ready to own all of the LLM output (the thoughtful part), then you aren't owed the time to read it. If you didn't try to rein in the verbose slop that's the default for LLMs, I don't want to read it.

Maybe the poster is running a local LLM.. you’d think that a SOTA model would have surmised that an overnight MacOS upgrade can only be a minor version.

wyufro 3 hours ago

That's very elitist and unfair to people who previously struggled to form their words but now have a better chance at doing so.

rusakov-field 4 minutes ago

I don't know, I like macOS, mainly that zsh is readily available and I can (almost) do anything I can do on a Linux box in a personal computer.

kandros 5 minutes ago

I still want to believe macOS 26 was vibe coded with Apple Intelligence and siri. Makes it easier to digest daily use

alin23 2 hours ago

macOS 26 has to be the most breaking version so far, its problems and intended breaking changes making my app dev life so hard this year. Just to name a few:

- Reference Presets no longer allow setting arbitrary SDR nits, making it impossible to natively unlock 1600nits of brightness on MacBook Pros or 2000nits on Studio Display XDR which breaks my Lunar app [0] (this seems to be intended, no idea what hurt Apple that they had to block this under SIP)

- The orange microphone dot indicator and its very colored friends can no longer have their brightness changed for dimming them, which made my YellowDot app useless [1] (I guess this is for privacy, I still think this could have a setting guarded under TouchID like Accessibility Permissions works)

- Floating non-titled windows don't accept mouse events (thankfully this got fixed) [2]

- Gamma table changes don't work on MacBook Neo and M5 Pro/Max which breaks Sub-zero Dimming and dimming external monitors that don't support DDC (thankfully, Apple is looking into it) [3]

- The resizing area thing on very rounded windows which drives everyone nuts, I had to add custom resize handlers to some of my windows

- The `com.apple.SwiftUI.Drag-` temporary file paths that get generated for any file that gets dragged from a drag&drop handler which makes it impossible to get to the original file when dragging images from Clop [4] or file shelf apps like Yoink, Dropover etc.

- NSImage returning different pixel count for .size than what the image actually has, breaking workflows that depended on that to determine the image DPI

[0] https://lunar.fyi/#xdr

[1] https://github.com/FuzzyIdeas/YellowDot/issues/18

[2] https://developer.apple.com/forums//thread/814798

[3] https://developer.apple.com/forums/thread/819331

[4] https://lowtechguys.com/clop

pier25 11 minutes ago

There are rumors iOS 27 will be a sort of Snow Leopard update with no new features [1]. Just bug fixes and performance improvements.

Hopefully Apple will do the same for macOS 27.

[1] https://www.macrumors.com/2026/03/15/ios-27-will-reportedly-...

jesse_dot_id an hour ago

As a hobbyist music producer with an interface always connected, that microphone indicator is so annoying and unnecessary. I can't believe it can't just be disabled outright. I like macOS but it's too opinionated and some of those opinions SUCK.

nowahe 2 hours ago

Ah, I was wondering why I couldn't get past 600 nits on my M5 when it worked great on my M1. Guess I'll just have to live without it for now.

alin23 an hour ago

It's still possible with the older forced HDR + Gamma tone-mapping logic, but it has its limitations. The native unlocking was miles better.

philo23 3 hours ago

It's not quite the same, but I've moved to using *.localhost for all my local web dev work. All modern browsers will resolve *.localhost to 127.0.0.1 internally. No need to setup any DNS resolvers or edit your hosts file.

But that only really helps you when you're dealing with websites in a browser, and when you want the address to resolve back to your local machine. So it won't help you with other programs like python/wget/etc or any calls you make to getaddrinfo().

doctoboggan 10 minutes ago

Yeah I've been doing this as well. I know it's a minor nit, but I wish that TLD was shorter. I've used *.local in the past but that has bitten me too many times.

nikisweeting an hour ago

The best part is that *.*.localhost is also supported, so you can finally just replace *.com for your prod domains with *.localhost.

ArchiveBox now uses this feature by default in the latest version to finally offer unique per-snapshot domain isolation, so we can safely replay archived JS without risking compromise of your whole archive.

Such an awesome feature, the barrier to do this used to be prohibitively high but now it "just works".

zamadatix 2 hours ago

Good tip, I didn't realize the browser would automatically resolve any subdomain of localhost to 127.0.0.1/::1 as well these days.

I tested on Chrome but I assume this is true for Safari as well?

philo23 2 hours ago

Just tried it on my Mac and sadly it doesn’t seem like it. I’m still on Sequoia, so possibly it does it on Tahoe, but probably unlikely. That’s a shame.

It’d be nice if someone on the Safari team added this though to match Chrome and Firefox!

whalesalad 2 hours ago

we have dev.our-root-domain.com in public DNS pointing to 127.0.0.1

stock_toaster 2 hours ago

I've run into resolvers that filter things like that to prevent dns rebinding attacks. And localhost (the hostname) does not work for CORS.

Best option is probably to set dev.our-root-domain.com in /etc/hosts

[1]: https://en.wikipedia.org/wiki/DNS_rebinding
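The filtering behaviour stock_toaster describes is what dnsmasq's `--stop-dns-rebind` does (with `--rebind-domain-ok=/zone/` to exempt zones you own): any answer that maps a public name to a private or loopback address is discarded, so a public `dev.our-root-domain.com -> 127.0.0.1` record silently vanishes behind such a resolver. The following is an added example written for this page, not code from dnsmasq or from anyone in the thread; the blocked ranges, function names and sample answers are constructed for illustration. It also handles the edge case a naive string check misses, an IPv4-mapped IPv6 address such as `::ffff:192.168.1.10`.

```python
import ipaddress

# Ranges a rebinding-aware resolver refuses to return for names outside an
# explicitly trusted zone: loopback, RFC 1918, link-local (which includes the
# cloud metadata address 169.254.169.254), CGNAT, ULA and unspecified.
# This list is constructed for the example; it is not dnsmasq's own table.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_internal(addr: str) -> bool:
    """True if addr falls in a blocked range, unwrapping IPv4-mapped IPv6 first.

    A filter that only looks at the literal string misses ::ffff:10.0.0.1,
    which most socket stacks happily connect to as 10.0.0.1.
    """
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETS)


def in_trusted_zone(name: str, trusted_zones) -> bool:
    """Suffix match against zones you own (the rebind-domain-ok equivalent)."""
    name = name.rstrip(".").lower()
    for zone in trusted_zones:
        zone = zone.rstrip(".").lower()
        if name == zone or name.endswith("." + zone):
            return True
    return False


def filter_answer(name: str, addrs, trusted_zones=()):
    """Split a DNS answer into (kept, dropped) address records.

    Internal addresses are dropped unless the queried name sits under a
    trusted zone. This is why a public dev.our-root-domain.com -> 127.0.0.1
    record disappears behind such a resolver unless that zone is exempted.
    """
    if in_trusted_zone(name, trusted_zones):
        return list(addrs), []
    kept, dropped = [], []
    for addr in addrs:
        (dropped if is_internal(addr) else kept).append(addr)
    return kept, dropped


if __name__ == "__main__":
    # Constructed answers, not captured traffic.
    print(filter_answer("dev.our-root-domain.com", ["127.0.0.1"]))
    print(filter_answer("dev.our-root-domain.com", ["127.0.0.1"],
                        trusted_zones=("our-root-domain.com",)))
    print(filter_answer("attacker.example",
                        ["203.0.113.7", "::ffff:192.168.1.10", "169.254.169.254"]))
```

The first call shows the public-DNS trick failing (the loopback answer is dropped), the second shows it working once the zone is trusted, and the third shows a hostile answer with a mapped-IPv6 address and the metadata address being stripped while the ordinary public address survives.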

binaryturtle 4 hours ago

I run a setup like that on my (outdated) Yosemite machine to provide multiple private TLDs for local deployment/development needs.

I set that up in like 2014? Even back then it was known already that the quick /etc/resolver way was the deprecated way to do things. So I guess they finally killed that feature off?

The proper (more awkward) way is to use scutil directly (which then stores the settings in some binary plist somewhere, I assume).

Maybe try this and see if it still works afterwards?
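Whichever way the per-domain resolver is configured (an `/etc/resolver/internal` file containing `nameserver 127.0.0.1` and optionally `port 5353`, or `scutil`), the place to check whether macOS actually picked it up is `scutil --dns`, and the lookup to test with is one that goes through the system resolver (`dscacheutil -q host -a name foo.internal` or `dns-sd -G v4 foo.internal`), because `dig`, `nslookup` and `host` talk to a nameserver directly and never consult the per-domain configuration. The block below is an added example written for this page, not Apple's code or anything from the thread: it parses a constructed, abbreviated sample of `scutil --dns` output (the field layout is as I recall it from the real tool, an assumption here) and reports which resolver entry macOS should route a given name to by longest-suffix match, which is the check you want before blaming mDNSResponder.

```python
import re

# Constructed, abbreviated sample of `scutil --dns` output. Real output has more
# entries and a second "DNS configuration (for scoped queries)" section.
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  search domain[0] : lan
  nameserver[0] : 192.168.1.1
  if_index : 14 (en0)
  flags    : Request A records, Request AAAA records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

resolver #3
  domain   : internal
  nameserver[0] : 127.0.0.1
  port     : 5353
  flags    : Request A records, Request AAAA records
  reach    : 0x00030002 (Reachable,Local Address,Directly Reachable Address)
"""


def parse_scutil_dns(text: str):
    """Turn the unscoped section of `scutil --dns` into a list of dicts."""
    resolvers = []
    cur = None
    for line in text.splitlines():
        if line.startswith("DNS configuration (for scoped queries)"):
            break  # scoped (per-interface) resolvers restart numbering; skip them
        m = re.match(r"resolver #(\d+)", line)
        if m:
            cur = {"id": int(m.group(1)), "domain": None,
                   "nameservers": [], "port": 53, "options": None}
            resolvers.append(cur)
            continue
        if cur is None or ":" not in line:
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "domain":
            cur["domain"] = val.lower().rstrip(".")
        elif key.startswith("nameserver["):
            cur["nameservers"].append(val)
        elif key == "port":
            cur["port"] = int(val)
        elif key == "options":
            cur["options"] = val
    return resolvers


def resolver_for(name: str, resolvers):
    """Pick the entry whose `domain` is the longest suffix of `name`.

    Entries with no `domain` are the default resolver and match everything
    with the weakest priority.
    """
    name = name.lower().rstrip(".")
    best, best_len = None, -1
    for r in resolvers:
        d = r["domain"]
        if d is None:
            match_len = 0
        elif name == d or name.endswith("." + d):
            match_len = len(d)
        else:
            continue
        if match_len > best_len:
            best, best_len = r, match_len
    return best


if __name__ == "__main__":
    rs = parse_scutil_dns(SAMPLE_SCUTIL_DNS)
    for n in ("api.internal", "example.com", "mybox.local"):
        r = resolver_for(n, rs)
        print(n, "->", f"resolver #{r['id']}", r["nameservers"] or r["options"], r["port"])
```

If your custom zone does not show up as its own `resolver #N` entry with the expected nameserver and port, the configuration never reached the system resolver and no amount of poking at mDNSResponder will help; if it does show up but `dscacheutil` still fails, the problem is in the lookup path rather than the configuration.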

hrmtst93837 2 hours ago

scutil is only half the story, because some macOS lookups still go through mDNSResponder in ways that ignore or override that config, which leaves you debugging random misses and binary plist junk. At this point, unbound or dnsmasq is simpler.

himata4113 4 hours ago

Still wishing for the day apple is split into the hardware and the software company. I want their silicon, but I will never use their (arguably terrible) operating system. If I can't run my own kernel and kernel modules then it's a device that I don't own. Firmware is alright in some cases, but my laptop next to me is running core boot just to prove a point.

t-sauer 3 hours ago

But you can run your own kernel on Macs, no? Isn't driver support the issue?

vbezhenar 3 hours ago

Maybe Apple Hardware would write Linux drivers to sell their hardware for servers. Intel contributes to Linux kernel. AMD contributes to Linux kernel. Nvidia contributes to Linux kernel. A lot of hardware manufacturers support Linux to some extent. It's no longer reverse-engineered wild west.

himata4113 2 hours ago

Not on new silicon and asahi linux is still pretty damn far from being able to use it seriously. I do appreciate the effort, but I am just saying that it would be a lot better if you know, apple sold the hardware so vendors could build laptops with apple silicon.

mikestew 3 hours ago

(arguably terrible) operating system

macOS has made some arguably poor design choices, but it makes it hard to take someone seriously when they state the whole OS is terrible.

seemaze 2 hours ago

It's the worst OS we have.. except for all the others.

bigyabai 2 hours ago

There's a reason macOS is the least-used OS behind Linux and Windows. If it was any less terrible, we would know.

himata4113 2 hours ago

It could be just me, but every time I tried to do something I sat thinking that I am not the target audience for this thing. I don't like the UI, I hate not being able to talk to the hardware the way I can on linux (uart took me way too long to get working), I am angry that I am not able to run kvm, I hate not being able to replace the desktop and fix bugs myself. That's what makes it terrible for me.

whalesalad 3 hours ago

macOS is not perfect but I don't think anyone could seriously argue that it is terrible.

chillpenguin 17 minutes ago

I'm glad to find out it's not just me! My homelab has a lot of domains on .home.arpa, and I was getting issues related to this.

ramon156 3 hours ago

Bit off-topic. I mostly use Linux and I'm of the opinion that it's miles better than Windows, but I don't fully understand why people say MacOS looks bad?

Ignoring the current Tahoe mess, MacOS felt relatively polished. I'm purely talking about UX here, as the OS is evidently buggy. The most popular Gnome themes are a re-impl of MacOS, so I can't be the only one.

klodolph 3 hours ago

It’s selection bias; the people who complain are the most visible online. Especially HN.

kace91 3 hours ago

I'm with you, pre Tahoe I've never had an issue with iOS aesthetically, other than lack of customisation.

Then again I never understood the trend to remember fondly windows 98 and those kind of interfaces, maybe it's generational.

bdcravens an hour ago

> Then again I never understood the trend to remember fondly windows 98 and those kind of interfaces, maybe it's generational.

I may have a generational bias (I am almost 49), but I think the fondness is due to lack of UI surprise. A button was a button, a menu was a menu with clear shortcuts, etc. There were no mystery scrollbars that required specific interactions to appear or expand. Don't get me wrong, I'm a happy-ish MacOS user and love screen size, clear fonts, etc that we get in the modern world, but I think we've all had moments of frustration when we had to go on a scavenger hunt in an app and cursed those who didn't leave well enough alone.

nslsm 3 hours ago

There’s no “Tahoe mess”. I’ve used it since 26.0 and it’s good. Different indeed, but good. People love complaining.

hbn 3 hours ago

There's very valid reasons to have issues with Tahoe's changes. The dock being liquid glass is fine. But curving the windows to look like iPad apps, and not even adjusting the grab target appropriately for resizing the window is bad. Getting rid of the title bar so it's not clear where you can grab a window is bad. Apple Music hiding the volume slider behind another click is bad.

It straight up broke some interfaces too

https://lapcatsoftware.com/articles/2026/1/4.html

celsoazevedo 3 hours ago

I'm glad that it's working well for you, but from the moment some users with M-series SoCs report laggy animations, something somewhere has to be wrong.

vbezhenar 3 hours ago

It's incredibly bloated. I don't want AI engine in my OS. I don't want Spotlight in my OS. I don't want my OS to load CPU for 10 minutes after boot for who knows what. I don't want my OS to ship with Chess app and lots of other irrelevant software. I don't want my OS to ship with Music app and bother me with subscription offers. I don't want my OS to ship with iCloud app.

They also make strange choices regarding shipped software. For example they ship ancient bash 3, apparently because they hate GPLv3 or something like that. I like GPLv3 and this choice makes macOS user-hostile.

MoonWalk 3 hours ago

A couple iOS versions ago, Apple broke self-signed certificates... crippling mobile development by preventing the use of HTTPS to communicate with a local server.

It makes you wonder why they were messing around in these areas at all at this point.

JimDabell 3 hours ago

*.localhost works out of the box doesn’t it? You don’t need dnsmasq at all to have multiple hostnames pointing to 127.0.0.1.

winstonwinston an hour ago

The point of *.example-private is to have multiple machines using private addresses, such as web.example-private IN A 192.168.0.100 and db1.example-private IN A 192.168.0.101.

If you just want to resolve 127.0.0.1 then you just resolve hostname "localhost" or use 127.0.0.1 directly.

Personally I don't bother configuring custom private DNS zones; instead I use reserved mDNS *.local, which autoconfigures everything using the machine name (hostname) and DHCP address: somehostname.local IN A <dhcp assigned ip>.

bombcar 2 hours ago

You often have internal private IPs you want to resolve to things that aren't localhost

bdcravens an hour ago

> The only reliable workaround is to add entries manually to /etc/hosts, which bypasses mDNSResponder entirely. This is impractical for dynamic use cases (e.g. Docker container DNS, where host entries change frequently) and requires sudo for every change.

I suppose I'm lazy - I've always used /etc/hosts, but then again, I've never had use cases like those mentioned in the linked gist.

thedougd 2 hours ago

I had to abandon Apple's macOS container because it has so many issues with networking and DNS. I'm looking forward to trying it again if they can get it fixed.

https://github.com/apple/container/issues?q=is%3Aissue%20sta...

ProllyInfamous 3 hours ago

I am not familiar with dnsmasq at all (is this machine-local?), but absolutely love my PiHole hardware — you can even create rules which intercept hard-coded-IP DNS requests and/or DNS over HTTPS. You can also hard-code/intercept a .TLD to local service IPs.

Programs like LittleSnitch never really seem like "enough" for me, because the computer has to boot before DNS filtering comes online. It also has the design error (IMHO) of pre-resolving IP addresses before clicking Accept/Deny(all).

A great blockrule for your personal firewalls would be to ban (at top level) icloud.com, apple.com, &c; system updates can then be performed manually using guides like <http://www.mrmacintosh.com>. Of course: this breaks everything (in exactly the way I prefer to compute).

bombcar 3 hours ago

This works great (and I use it) internally but when you want things like your docker domains to work when you're on the go, it's annoying.

I have setup a VM running DNS on my laptop before ...

ProllyInfamous an hour ago

It is not too difficult to allow your PiHole to serve you globally (but it does require opening some ports in your firewall == additional security risk).

There is a simple checkbox within the DNS's web interface to `Allow WAN Requests`. You'd then only run into issues of accessing your local IP addresses if those hosts aren't configured correctly within your network rulesets.

----

I am a user, not an expert; by trade, I am a blue collar electrician. I know very little about internet topology except how to use simple open-source hardware. Perhaps what you said makes sense (e.g. that you cannot use outside your network, some service(s)).

hnarn an hour ago

If Asahi had the same battery life and performance as MacOS there is zero chance I would be running MacOS.

hk1337 3 hours ago

I've been using macOS since OS X Tiger and I wasn't aware of this feature.

neilsharma425 3 hours ago

Has anyone found a working workaround yet? I use dnsmasq for .local dev routing and held off updating after seeing this but curious if there is a viable path forward short of waiting for Apple to patch it.

cortesoft 3 hours ago

Wouldn’t the workaround just be to have your local dns server enable recursive lookups, and point all your DNS queries to it?

kenny_r 3 hours ago

What I'd suggest is using lvh.me, which always resolves to localhost, as do all its subdomains. If you need a specific IP you can use nip.io.

If you want valid certs you can generate them with mkcert and add them to your system trust store.

mkagenius 3 hours ago

Holding off on the update seems like a reasonable step till the patch comes. I also run a .local for Apple containers, though not Docker.

Drupon 3 hours ago

FYI the phrase is "lo and behold"

Thank you for the heads up.

Hizonner 2 hours ago

Seems bad that people feel forced to use GitHub to talk about Apple's bugs.

bpicolo 2 hours ago

Another funny thing about Mac networking.

There's a game I play (Old School Runescape) that does network ticks every .6s. Mac does some sort of aggressive optimization on the network hardware/software, so network this infrequent doesn't keep the layers "hot", and you end up getting delayed ticks regularly, meaning you learn what should be happening in the game .2-.5s late. This optimization for (I assume) battery life makes the software not work as intended.

Playing anything that streams, like video, or triggering TCP connections (e.g. curl) at a more frequent clip while the game is running fixes the problem.

No way other than hacks that I've found to fix it, and I have no idea how you could report this to the right team at Apple to get it actually fixed.

speff 38 minutes ago

Very interesting. I play RS3 and made a helper tool[0] for tracking ticks. I noticed increased jitter on my MBair (~50-150ms) compared to Windows, but I chalked it up to the air being on a wifi connection. I wonder if your explanation's the real reason.

[0]: https://files.catbox.moe/5n09lg.webm

bpicolo 36 minutes ago

Watch some twitch while you monitor it - will magically go away I suspect

intrasight 3 hours ago

Honest question: How would this affect me and the vast majority of macOS users who use the device for media consumption and productivity applications?

Next question: what reason would Apple have to make a change that would interfere with developers using their operating system?

mikestew 2 hours ago

Your “next question” seems very leading. Can you make your point more clear? What’s your answer to that question?

intrasight 2 hours ago

I don't understand your question since my question was honestly posed.

What might lead Apple to make a change that would reduce the audience of their devices. I don't develop on macOS but I know developers who do. Did they just make a mistake and they're gonna fix it?

JimmaDaRustla an hour ago

Again? This happened like 6 or 7 years ago. I had so many issues with macOS in the few years I was forced to use a MacBook that I refused to use it. Not surprised to see this stuff still happening.

lapcat 3 hours ago

> https://feedbackassistant.apple.com/feedback/22280434 (that seems to need a login?).

All Feedbacks that you file are private to your own Apple Account.

justsomehnguy 3 hours ago

Solved this type of shenanigans some years ago with this.

New-UnboundInterface.sh - linux/rhel-like specific

    # create a bridge interface for Unbound
    # because Docker...
    IFTYPE=bridge
    IFNAME=unbound0
    IPADDR=10.53.0.1
    IPADDR6=fd53:fd53:fd53::1
    # nmcli names the new connection "$IFTYPE-$IFNAME" by default
    nmcli connection add type $IFTYPE ifname $IFNAME
    nmcli connection modify $IFTYPE-$IFNAME ip4 $IPADDR/32
    nmcli connection modify $IFTYPE-$IFNAME ipv4.dns $IPADDR
    nmcli connection modify $IFTYPE-$IFNAME ip6 $IPADDR6/64
    nmcli connection modify $IFTYPE-$IFNAME ipv6.dns $IPADDR6
    nmcli connection up $IFTYPE-$IFNAME

    # only expose port 53 on the new interface, not on every zone
    firewall-cmd --new-zone=unbound --permanent
    firewall-cmd --zone=unbound --permanent --change-interface=$IFNAME
    firewall-cmd --zone=unbound --permanent --add-service=dns
    firewall-cmd --reload

00-localinterface.conf

    # should be placed in /etc/unbound/conf.d
    # bind to a specified IP address, allow access
    server:
            interface: 10.53.0.1
            interface: fd53:fd53:fd53::1
            access-control: 10.53.0.1/32 allow
            access-control: fd53:fd53:fd53::1/128 allow

91-allow-docker-containers.conf

    # allow queries from the Docker "bridge"
    # (canonical netblock; the host bits of the original 172.18.0.1/16 were ignored anyway)
    server:
            access-control: 172.18.0.0/16 allow

lysace 3 hours ago

> Ah, the joys of waking up to find the Mac's done an overnight upgrade

Wait, it does that (from 15 to 26) without user interaction?

mikestew 2 hours ago

No, it does not. It’ll bug the shit out of you to upgrade, but it won’t automatically do a major version upgrade. By default it will automatically do minor version upgrades (that can be turned off).

That’s what makes the LLM bug report make no sense in light of OP’s report here. Bug says it’s a regression from 25.x (which doesn’t exist), so maybe they mean 15.x? But OP says they “woke up” and it was upgraded and broken, but macOS doesn’t do major version upgrades w/o user action. So which is it?

lysace 2 hours ago

Phew.

timw4mail 2 hours ago

No.

yearolinuxdsktp 3 hours ago

Apple container CLI configures internal domains (`container system dns`) by adding an internal resolver and it worked for me when I specified an actual domain previously handled by external DNS and it showed up as a custom resolver.

Here’s a GitHub comment showing someone on macOS 26 with a `.test` domain, which you claim is broken: https://github.com/apple/container/issues/856#issuecomment-3... ; maybe you are configuring it incorrectly.

adamamyl 4 hours ago

Before others jump in: I already use Linux (and used to run FreeBSD as my desktop operating system).

bgentry 4 hours ago

Thanks for sharing your report, it's frustrating to see things like this break in minor patch updates. Small tip for GitHub Gist: set the file format to markdown (give it a .md extension) so that the markdown will be rendered and won't require horizontal scrolling :)

mrpippy 2 hours ago

The report says it broke when updating from macOS 15 to 26, so not a minor patch update. I'm a bit surprised no one noticed this earlier though, since 26 has been out since September and in beta since June.

Razengan 3 hours ago

It also seemingly broke removing Safari cookies on a per website basis, something I often used to stop Google's scummy tracking across all their services if you just want to sign into YouTube.

nottorp 3 hours ago

Firefox + Google Container extension.

Why use Apple's browser when they don't actually care about your privacy?

nickdothutton 2 hours ago

Ah great another reason to add to the many reasons not to use this OS. Semi serious question, is Apple looking to dump its existing customer base for a new, perhaps consumer not pro-sumer one?

butILoveLife 2 hours ago

Wait... someone is under the impression that Apple was ever good to its customers?

I thought we all just dealt with the overpriced hardware, the prisons, the control, that they are a US company that gives away data to the government(PRISM), has weak security(Pegasus), lies about hardware issues(butterfly keyboard and holding your phone wrong), deceptive marketing...

All so we can compile iOS apps.

If you arent compiling iOS apps... Do you not know about Fedora? Ofc Windows sucks, but we have Fedora.

Congeec 4 hours ago

If you have ScreenTime turned on, port 8080 is occupied and your Ubuntu apt-get in a Docker build gets a hash mismatch because they obviously modified packets. Let alone I am having another issue of being unable to delete a private key in Keychain Access.

The whole macOS thing is amateur

1718627440 3 hours ago

Why does macOS use ports above 1024 by default? There is a reason it is reserved to be used by OS services.

delduca 3 hours ago

Port 5000 is also occupied on macOS.