Implementing Per-Domain DNS Configuration in macOS Using Resolver Configuration Files

In macOS, managing network traffic is essential for a robust and secure IT infrastructure. The operating system allows users to have a granular level of control over Domain Name System (DNS) settings, improving network functionality. Today’s post will walk through setting up per-domain DNS configuration on macOS using resolver configuration files.

Adding a DNS Rule Per Domain

macOS has a powerful feature that allows you to specify DNS servers for individual domains. This is accomplished by creating resolver configuration files in the /etc/resolver/ directory. Each file in this directory is named after a domain and specifies the DNS servers to be used for that domain and its subdomains.

Let’s add a DNS rule for the “ymbihq.local” domain:

  1. Open Terminal.
  2. Use the sudo command to create a new file in the /etc/resolver/ directory with the same name as your domain:
# replace DNS_SERVER_IP with the address of the DNS server for this domain
sudo bash -c 'echo "nameserver DNS_SERVER_IP" > /etc/resolver/ymbihq.local'

This command creates a new resolver file named ymbihq.local containing a single nameserver line with the IP address of your DNS server. As a result, all DNS queries for “ymbihq.local” will be resolved by that DNS server.

Reviewing DNS Rules

To verify that the resolver configuration file was created successfully and to review its content, use the cat command:

cat /etc/resolver/ymbihq.local

This will output the contents of the ymbihq.local file, which should look like this:

# Sample output:

This confirms that the DNS server for the “ymbihq.local” domain has been set to the address on that nameserver line.

Removing a DNS Rule

If you need to remove a DNS rule, you can simply delete the corresponding resolver configuration file. Use the rm command for this:

sudo rm /etc/resolver/ymbihq.local

After running this command, your macOS system will no longer have a custom DNS server set for the “ymbihq.local” domain, and it will default to using your standard DNS servers.

By creating and managing resolver configuration files, you can precisely control your DNS settings on a per-domain basis. This powerful feature of macOS allows you to optimize your network to fit your specific needs.
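The add, review and remove steps above, as a small added script that is not part of the original post: it writes the per-domain file, lists what is in the directory, and audits a file for keywords resolver(5) does not accept or a malformed nameserver (a resolver file is a convenient place to hijack one domain's lookups, so checking what is in there is worthwhile). RESOLVER_DIR, the domain names and addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): create, list, audit and remove
# macOS /etc/resolver/<domain> files. RESOLVER_DIR is overridable so the
# functions can be exercised against a scratch directory without root.
RESOLVER_DIR="${RESOLVER_DIR:-/etc/resolver}"
# Keywords resolver(5) accepts; anything else in a file is suspicious.
ALLOWED="nameserver port domain search search_order sortlist timeout options"

is_ipv4() {  # dotted quad with every octet in 0..255
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

add_resolver() {  # add_resolver DOMAIN NAMESERVER [PORT]; IPv6 addresses pass unchecked
  domain=$1 ns=$2 port=${3:-}
  case "$domain" in ''|*/*|.*|*..*) echo "bad domain: $domain" >&2; return 1 ;; esac
  case "$ns" in *:*) ;; *) is_ipv4 "$ns" || { echo "bad nameserver: $ns" >&2; return 1; } ;; esac
  mkdir -p "$RESOLVER_DIR"
  { echo "nameserver $ns"; if [ -n "$port" ]; then echo "port $port"; fi; } > "$RESOLVER_DIR/$domain"
}

list_resolvers() {  # one line per domain: "<domain> -> <file contents>"
  for f in "$RESOLVER_DIR"/*; do
    [ -f "$f" ] || continue
    printf '%s -> %s\n' "$(basename "$f")" "$(tr '\n' ' ' < "$f" | sed 's/ $//')"
  done
}

audit_resolver() {  # non-zero if DOMAIN's file has unknown keywords or a bad nameserver
  f=$RESOLVER_DIR/$1 rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    key=${line%% *}; val=${line#* }
    case " $ALLOWED " in *" $key "*) ;; *) echo "$1: unexpected keyword '$key'" >&2; rc=1 ;; esac
    if [ "$key" = nameserver ]; then
      case "$val" in *:*) ;; *) is_ipv4 "$val" || { echo "$1: bad nameserver '$val'" >&2; rc=1; } ;; esac
    fi
  done < "$f"
  return $rc
}

remove_resolver() { rm -f "$RESOLVER_DIR/$1"; }  # macOS picks the change up immediately

# Verify on macOS with: scutil --dns   (dig and nslookup bypass /etc/resolver entirely)
case "${1:-}" in
  add) shift; add_resolver "$@" ;;        list) list_resolvers ;;
  audit) shift; audit_resolver "$@" ;;    remove) shift; remove_resolver "$@" ;;
esac
```

Run it as `sudo sh resolver.sh add ymbihq.local <address>`, `sh resolver.sh list` or `sh resolver.sh audit ymbihq.local`; to check that lookups really go through the new entry use `dscacheutil -q host -a name host.ymbihq.local`, since dig and nslookup read resolv.conf instead of the scoped resolver files.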

Implementing Per-Domain DNS Configuration in Windows Using PowerShell

Mastering DNS Client NRPT Rules with PowerShell

In today’s post, we will be looking at a compact but powerful chunk of PowerShell code that lets us interact with DNS Client Name Resolution Policy Table (NRPT) rules on a Windows machine. The commands in this chunk add, review, and remove rules, giving us control over where our DNS traffic is sent.

Adding a DNS Client NRPT Rule

Let’s take a look at the first command:

# add a Windows rule for the ymbihq.local domain
# replace DNS_SERVER_IP with the address of the DNS server for this namespace
Add-DnsClientNrptRule -Namespace ".ymbihq.local" -NameServers "DNS_SERVER_IP"

This command uses the Add-DnsClientNrptRule cmdlet to add a new rule for the “.ymbihq.local” namespace. The -Namespace parameter specifies the domain name for the rule, and the -NameServers parameter specifies the IP address of the DNS server that should be used for queries within this namespace.

In this instance, we’re setting a rule so that any DNS query under the “.ymbihq.local” domain is resolved by the DNS server given in -NameServers. This can be especially useful in an enterprise environment where you have custom internal domains that must be resolved by specific DNS servers.

Reviewing DNS Client NRPT Rules

After adding a rule, it’s essential to verify it. We can do this using the Get-DnsClientNrptRule command:

# get the list of rules
Get-DnsClientNrptRule

This command lists all the NRPT rules currently set on the machine. It will output the unique identifiers, names, namespaces, and other details for each rule. Here’s a sample output:

# Sample output:
Name                             : {A7CCF814-7492-4019-9FB1-27F61327AE93}
Version                          : 2
Namespace                        : {.ymbihq.local}
IPsecCARestriction               :
DirectAccessDnsServers           :
DirectAccessEnabled              : False
DirectAccessProxyType            :
DirectAccessProxyName            :
DirectAccessQueryIPsecEncryption :
DirectAccessQueryIPsecRequired   :
NameServers                      :
DnsSecEnabled                    : False
DnsSecQueryIPsecEncryption       :
DnsSecQueryIPsecRequired         :
DnsSecValidationRequired         :
NameEncoding                     : Disable
DisplayName                      :
Comment                          :

From this output, you can see various properties of the rule we’ve just added for the “.ymbihq.local” namespace, such as its unique identifier (Name) and the nameserver it’s associated with (NameServers).

Removing a DNS Client NRPT Rule

The final part of this block of code is dedicated to rule removal:

# remove the rule
Remove-DnsClientNrptRule -Name "{A7CCF814-7492-4019-9FB1-27F61327AE93}"

Here, we use the Remove-DnsClientNrptRule cmdlet with the -Name parameter followed by the unique identifier of the rule we wish to remove. After running this command, PowerShell will prompt you for confirmation before deleting the rule.

The process looks like this:

Removing NRPT rule for namespace .ymbihq.local with
 DAEnable: Disabled,
 DnsSecValidationRequired: Disabled,
 NameEncoding: Disable
 Do you want to continue?
[Y] Yes  [N] No

Today makes 20

I'm taking advantage of this post to mention a new milestone that happened just today. After 46 years minus two days I have visited again the hospital where I was born. This time to get some X-rays of my cervical spine. Who would have thought?

Deploying gotop with Ansible

gotop is a terminal-based graphical activity monitor inspired by gtop and vtop; it’s available at:

I published a role in Ansible Galaxy for deploying gotop in Linux servers. The role page in Ansible Galaxy is at:

Role installation command and deployment command:

ansible-galaxy install oriolrius.install_gotop

# replace SERVER_IP with the IP address of the host where you want to deploy gotop
# (keep the trailing comma: it tells Ansible this is an inline inventory, not a file)
ansible -i SERVER_IP, -u root -m include_role -a name=oriolrius.install_gotop all

Get the IP addresses of local Docker containers

With Docker running and the containers attached to their own private networks, this command prints the private IP address of every running container:

$ sudo docker inspect $(sudo docker ps -q) \
--format='{{ printf "%-50s" .Name}} {{range .NetworkSettings.Networks}}{{.IPAddress}} {{end}}'

OpenSSH public key fingerprint

Quick and easy: how to get the fingerprint of your SSH RSA key. Note that this MD5 is computed over the DER-encoded public key (the form AWS EC2, for example, shows for imported key pairs), so it will not match the value printed by `ssh-keygen -lf`, which hashes the OpenSSH wire encoding of the key.

# syntax:
openssl pkey -in PATH/PRIVATE_RSA_KEY -pubout -outform DER | openssl md5 -c

# example:
$ openssl pkey -in ~/.ssh/id_rsa -pubout -outform DER | openssl md5 -c
MD5(stdin)= a6:26:23:d9:c1:d3:d5:e5:c0:38:ab:3c:c1:6a:3f:ea
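The same fingerprint wrapped in a function, as an added example that is not from the original post: it accepts either the private key or a PEM public key (so the value can be checked from whichever half you hold), fails cleanly on unreadable input instead of hashing empty output, and strips the "MD5(...)= " prefix so the result can be compared directly. Key paths are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): MD5 fingerprint of an RSA key's
# DER-encoded public half, from either the private key or a PEM public key.
# Keys in "BEGIN OPENSSH PRIVATE KEY" format are not readable by openssl;
# convert such a key in place first with: ssh-keygen -p -m PEM -f <key>
key_fingerprint() {  # key_fingerprint PATH -> "aa:bb:..." on stdout, returns 1 on error
  [ -f "$1" ] || { echo "no such key: $1" >&2; return 1; }
  # a PEM public key carries "PUBLIC KEY" in its header and needs -pubin
  if grep -q 'PUBLIC KEY' "$1"; then in_flag=-pubin; else in_flag=; fi
  der=$(mktemp) || return 1
  # write the DER public key to a file so a load failure is detected instead of
  # silently hashing an empty stream
  if ! openssl pkey $in_flag -in "$1" -pubout -outform DER -out "$der" 2>/dev/null; then
    rm -f "$der"; echo "not a readable key: $1" >&2; return 1
  fi
  openssl dgst -md5 -c "$der" | sed 's/^.*= *//'   # drop the "MD5(file)= " prefix
  rm -f "$der"
}

# usage: key_fingerprint ~/.ssh/id_rsa   or   key_fingerprint ~/.ssh/id_rsa.pub.pem
[ -n "${1:-}" ] && key_fingerprint "$1"
```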