On macOS Ventura, users aren't able to reach internal resources when connected to Cato
- macOS Ventura 13.0 and above
- Cato SDP Client regardless of the version
- DNS forwarding configured for internal domains
If Cato DNS settings applied to SDP users are default (empty fields), Cato will push to the client the following DNS information:
- Primary DNS server 10.254.254.1
- Secondary DNS server 220.127.116.11
macOS Ventura natively prefers DNSSEC which Cato does not currently support. Once macOS sees a DNS server compliant with DNSSEC, it will ignore all the rest – including Cato. This can be a public server that supports DNSSEC, such as 18.104.22.168, or a local server that is configured for DNSSEC. Further information can be found in this Apple discussion.
The preferred DNS servers on the machine can be identified by running <scutil --dns>. In the following output, the DNS server 22.214.171.124 is preferred as the primary DNS by macOS.
MacBook-Air-2:~ xx$ scutil --dns
nameserver : 126.96.36.199
nameserver : 10.254.254.1
if_index : 24 (utun8)
flags : Supplemental, Request A records
reach : 0x00000003 (Reachable,Transient Connection)
order : 101200
The issue may also occur with any other DNS server configured for the account that supports DNSSEC. For example, 188.8.131.52. Be aware that when DNS settings between entities conflict, the entity closest to the host (from host > site > group > account) takes precedence. For more information see: Configuring DNS Settings
Since Cato doesn't intercept DNSSEC queries, DNS forwarding fails and the user isn't able to reach internal resources or the DNS results being retrieved aren't the expected ones.
This is a known issue that Apple is actively working on. The following workarounds can be implemented in the meantime:
1. Block DNS over HTTP and DNS over TLS in a Firewall rule to prevent DNSSEC to be reachable via Cato. This will force macOS to switch to Cato's default DNS server 10.254.254.1 over UDP-based DNS which will allow DNS forwarding.
2. Set 10.254.254.1 as the only DNS server EXPLICITLY in CMA. This will prevent 184.108.40.206 (or any other DNSSEC-supported DNS) from being set as a DNS server on the client and will force ALL DNS queries to go to Cato.
The DNS server can be set globally or per group, preferably the pre-configured 'All SDP Users' user group. For more information see: Customizing DNS Servers and Suffixes for Groups or User Groups