Issue
On Android Devices, users aren't able to reach internal resources when connected to Cato
Environment
- Android v9 and above
- Cato SDP Client regardless of the version
- DNS forwarding configured for internal domains
The Problem
This issue is typically caused by Android's Private DNS feature. It is enabled by default on Android 9 and above and connects to the DNS server over an encrypted channel whenever the server supports it.
By default, Private DNS is set to "Automatic": the device uses the DNS server specified by the network (the WiFi adapter's DNS), first attempts a DoT (DNS over TLS) connection to that server on TCP port 853, and falls back to plain UDP-based DNS on port 53 only if that attempt fails.
Because Cato does not intercept DoT queries, DNS forwarding is never applied to them. The user then either cannot reach internal resources at all or receives DNS answers other than the expected internal ones.
The Solution
The following solutions can be implemented:
1. Block DoH (DNS over HTTPS) and DoT (DNS over TLS, TCP port 853) in a Firewall rule so that these protocols are not reachable through Cato. Android's DoT attempt then fails and the device falls back to UDP-based DNS on port 53, which DNS forwarding can handle.
2. The device may still try to reach the network-specified DNS server over UDP/53, to which Cato does not apply DNS forwarding. If that is the case, disable Private DNS on the device: go to Settings > Network & internet (or the equivalent menu on your device) > Private DNS and select Off.
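The following script is an added example, not Cato's code or part of this article's original content. It reproduces the behaviour described in "The Problem" (a DoT attempt on TCP/853 followed by a cleartext fallback on UDP/53) so that you can verify solution 1 from a connected device or host: after the Firewall rule is in place, the TLS probe on 853 should fail and a plain UDP/53 query for an internal name should still return an answer. It also encodes one caveat worth knowing: if a user has set Private DNS to a specific provider hostname instead of "Automatic", Android does not fall back to cleartext DNS when 853 is blocked, so solution 1 alone leaves that device without name resolution and solution 2 (turning Private DNS off) is required. The server address `10.254.254.1` and the name `intranet.example.com` are placeholders assumed for illustration; replace them with the DNS server Cato hands out and a name covered by your DNS forwarding rule.

```python
# Added example (not Cato's code): probe a resolver the way Android's
# Private DNS does, and model which path a query takes in each mode.
import random
import socket
import ssl
import struct

# Placeholder values, assumed for illustration: the DNS server the client
# is handed and an internal name covered by a DNS forwarding rule.
DNS_SERVER = "10.254.254.1"
INTERNAL_NAME = "intranet.example.com"


def probe_dot(server, port=853, timeout=3.0):
    """Attempt a TLS handshake to server:853.

    This mirrors what Android's "Automatic" Private DNS mode does before it
    sends DoT queries. Certificate checks are disabled on purpose: the point
    is only whether port 853 is answered (for example after a Firewall rule
    blocks it), not whether the certificate is valid.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((server, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server):
                return True
    except (OSError, ssl.SSLError):
        return False


def build_query(name, qtype=1, qid=None):
    """Build a minimal RFC 1035 query (A record by default) with RD set."""
    if qid is None:
        qid = random.randrange(0x10000)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_response(data):
    """Return the header fields that matter for a reachability check."""
    if len(data) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": qid,
        "is_response": bool(flags & 0x8000),
        "rcode": flags & 0x000F,  # 0 = NOERROR, 3 = NXDOMAIN
        "answers": an,
    }


def probe_udp53(server, name, timeout=3.0):
    """Send a plain UDP/53 query; return the parsed header or None on timeout."""
    query = build_query(name)
    sent_id = struct.unpack("!H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    reply = parse_response(data)
    if reply["id"] != sent_id or not reply["is_response"]:
        return None
    return reply


def resolution_path(mode, dot_ok):
    """Transport Android uses for a given Private DNS mode.

    mode is "off", "automatic" (the default) or "strict" (a provider hostname
    is configured). Only "automatic" falls back to cleartext UDP/53 when the
    DoT attempt fails; "strict" simply has no working DNS.
    """
    if mode == "off":
        return "udp53"
    if mode == "automatic":
        return "dot" if dot_ok else "udp53"
    if mode == "strict":
        return "dot" if dot_ok else "none"
    raise ValueError(f"unknown Private DNS mode: {mode}")


if __name__ == "__main__":
    dot_ok = probe_dot(DNS_SERVER)
    print(f"DoT on {DNS_SERVER}:853 reachable: {dot_ok}")
    print(f"Automatic mode would use: {resolution_path('automatic', dot_ok)}")
    print(f"Strict mode would use:    {resolution_path('strict', dot_ok)}")
    print(f"UDP/53 answer for {INTERNAL_NAME}: {probe_udp53(DNS_SERVER, INTERNAL_NAME)}")
```

Run it once before and once after adding the Firewall rule: the expected change is that `probe_dot` flips from True to False while `probe_udp53` keeps returning a reply with `rcode` 0 and a non-zero answer count for the internal name. If the UDP/53 query times out as well, the device is resolving against a server that Cato's DNS forwarding does not see, which is the situation solution 2 addresses.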