Android Devices Unable to Reach Internal Resources Via Cato


On Android Devices, users aren't able to reach internal resources when connected to Cato


  • Android v9 and above
  • Cato SDP Client regardless of the version
  • DNS forwarding configured for internal domains

The Problem

This issue may be related to Private DNS on Android. The feature is enabled by default in version 9 and above and uses a secure channel to connect to the DNS server if the server supports it.

By default, Private DNS is set to "Automatic" which means it uses the network-specified (WiFi adapter) DNS server and it attempts a TLS connection (DNSSEC) to port 853 before falling back to UDP on port 53.

Cato doesn't intercept DNSSEC queries, DNS forwarding fails and the user isn't able to reach internal resources or the DNS results being retrieved aren't the expected ones.


The Solution

The following solutions can be implemented:

1. Block DNS over HTTP and DNS over TLS in a Firewall rule to prevent DNSSEC to be reachable via Cato. This will force Android to switch to UDP-based DNS which will allow DNS forwarding.

2. It may still be possible for the device to try to reach the network-specified DNS server via UDP/53 to which Cato does not apply DNS forwarding. If that's the case, disable Private DNS on the device. Go to Settings > Network and Internet (or equivalent) on your Android device and turn Private DNS off.

Was this article helpful?

1 out of 1 found this helpful


Add your comment