Wed Jul 21, 2021 11:45 am
It is becoming more and more common to have "DNS rebind protection", which filters DNS replies that answer a query for a name outside your LAN domain with a LAN or loopback address.
I don't know if Apple implements that in their devices. There are routers that implement it in their DNS resolvers. Of course, in that case not for static entries, but e.g. when your LAN range is 192.168.88.0/24 and you query a name like "server.example.com" via the resolver in the router, and the external DNS replies with "IN A 192.168.88.10", that reply would be dropped. For good reasons, as such setups can be used to attack your internal network.
However, RouterOS does not have this feature.
But it could be that Apple has it in their software as well. Maybe it works when your DNS server sets the proper local domain (in this case mydomain), so the devices, when doing their DHCP request, know that the local domain is mydomain and then expect names like myhost.mydomain to be in the local network.
Another issue, which affects Google devices, is that sometimes, even when you have configured a local DNS server, they still access other DNS servers (in that case 8.8.8.8 and 8.8.4.4) for some queries. You can subvert that by setting a dst-nat for DNS queries to addresses other than your router, redirecting them to your router.
But that still isn't sufficient, because now devices are switching to DoT and, even worse, DoH. Once that is more common, it will no longer be possible to use local static DNS entries.
It is advised to register "mydomain" (I presume this is just a placeholder) in Internet DNS and put the values on an Internet-hosted DNS server instead of in your router. However, that still does not solve the "DNS rebind protection" issue.
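As an added example (not code from the original post, and not RouterOS code), the following Python implements the "DNS rebind protection" check described above: it parses a DNS response, and if the queried name is not under the local domain but an A/AAAA answer points at a LAN, private or loopback address, the reply is dropped. The local domain "mydomain" and the LAN range 192.168.88.0/24 are taken from the thread; the DNS messages are constructed samples built by a small helper, not captured traffic.

```python
"""Minimal DNS rebind filter (added example, not RouterOS code)."""
import ipaddress
import struct

LOCAL_DOMAIN = "mydomain"                                   # local domain from the thread
LAN_NETS = [ipaddress.ip_network("192.168.88.0/24")]       # LAN range from the thread


def _read_name(msg, off):
    """Read a (possibly compressed) DNS name at offset `off`.

    Returns (dotted_name, offset_after_name). Compression pointers (0xC0xx)
    are followed, but the returned offset is the one after the pointer."""
    labels = []
    end = None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                           # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_answers(msg):
    """Return (first question name, list of A/AAAA answer addresses)."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    qname = None
    for _ in range(qdcount):
        name, off = _read_name(msg, off)
        qname = qname or name
        off += 4                                            # qtype + qclass
    addrs = []
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if (rtype == 1 and rdlen == 4) or (rtype == 28 and rdlen == 16):
            addrs.append(ipaddress.ip_address(rdata))        # packed form accepted
    return qname, addrs


def is_local_name(name):
    return name == LOCAL_DOMAIN or name.endswith("." + LOCAL_DOMAIN)


def is_internal_addr(addr):
    """Loopback, RFC1918/ULA, link-local, or inside the configured LAN."""
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or any(addr in net for net in LAN_NETS))


def should_drop(msg):
    """Rebind check: non-local name answered with an internal address."""
    qname, addrs = parse_answers(msg)
    if is_local_name(qname):
        return False                                        # static LAN entries are fine
    return any(is_internal_addr(a) for a in addrs)


def build_response(qname, addrs, txid=0x1234):
    """Construct a sample DNS response (test data, not captured traffic)."""
    def enc(name):
        return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    ips = [ipaddress.ip_address(a) for a in addrs]
    qtype = 28 if any(ip.version == 6 for ip in ips) else 1
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    question = enc(qname) + struct.pack("!HH", qtype, 1)
    answers = b""
    for ip in ips:
        rtype = 1 if ip.version == 4 else 28
        # 0xC00C: compression pointer back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 60, len(ip.packed)) + ip.packed
    return hdr + question + answers


# Constructed samples: the rebind case from the thread, a legitimate local
# entry, and a normal public answer.
REBIND = build_response("server.example.com", ["192.168.88.10"])
LEGIT_LOCAL = build_response("myhost.mydomain", ["192.168.88.10"])
PUBLIC = build_response("dns.google", ["8.8.8.8"])

if __name__ == "__main__":
    for label, msg in (("rebind", REBIND), ("local", LEGIT_LOCAL), ("public", PUBLIC)):
        print(label, parse_answers(msg), "DROP" if should_drop(msg) else "pass")
```

Note that the filter is keyed on the queried name, not the answer alone: the same 192.168.88.10 answer passes for myhost.mydomain and is dropped for server.example.com, which is exactly why a router with this protection breaks the "public name pointing at a LAN host" setup.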