Issue
On Android devices, users are not able to reach internal resources when connected to Cato.
Environment
- Android v9 and above
- Cato SDP Client, any version
- DNS forwarding configured for internal domains
The Problem
This issue is usually caused by Private DNS on Android. The feature is enabled by default on Android 9 and above and uses DNS over TLS (DoT) to reach the DNS server whenever the server supports it.
By default, Private DNS is set to "Automatic", which means the device uses the network-assigned DNS server (the one handed to the Wi-Fi or cellular interface) and first attempts a DNS over TLS connection to it on TCP port 853. Only if that connection fails does it fall back to plain DNS over UDP port 53. Note that this is DoT, not DNSSEC: DNSSEC signs DNS records, while DoT only encrypts the transport.
Cato does not intercept DoT traffic, so queries sent over TCP/853 bypass DNS forwarding: the user cannot reach internal resources, or the DNS answers that come back are not the expected internal ones.
The Solution
The following solutions can be implemented:
1. Block DNS over HTTPS (DoH) and DNS over TLS (DoT) with a firewall rule so that the Private DNS connection on TCP/853 fails when sent through Cato. Android then falls back to plain DNS on UDP/53, which Cato intercepts and applies DNS forwarding to.
2. The device may still send its UDP/53 queries to the network-assigned DNS server directly, and Cato does not apply DNS forwarding to those queries. If that is the case, disable Private DNS on the device: go to Settings > Network & Internet (or the equivalent on your device) > Private DNS and set it to Off.