macOS Ventura Users Unable to Reach Internal Resources Via Cato


On macOS Ventura, users aren't able to reach internal resources when connected to Cato


  • macOS Ventura 13.0 and above
  • Cato SDP Client regardless of the version
  • DNS forwarding configured for internal domains

The Problem

If Cato DNS settings applied to SDP users are default (empty fields), Cato will push to the client the following DNS information:

  • Primary DNS server
  • Secondary DNS server

macOS Ventura natively prefers DNSSEC which Cato does not currently support. Once macOS sees a DNS server compliant with DNSSEC, it will ignore all the rest – including Cato. This can be a public server that supports DNSSEC, such as, or a local server that is configured for DNSSEC. Further information can be found in this Apple discussion.

The preferred DNS servers on the machine can be identified by running <scutil --dns>. In the following output, the DNS server is preferred as the primary DNS by macOS.

MacBook-Air-2:~ xx$ scutil --dns 
DNS configuration

resolver #1
nameserver[0] :
nameserver[1] :
if_index : 24 (utun8)
flags : Supplemental, Request A records
reach : 0x00000003 (Reachable,Transient Connection)
order : 101200

The issue may also occur with any other DNS server configured for the account that supports DNSSEC. For example, Be aware that when DNS settings between entities conflict, the entity closest to the host (from host > site > group > account) takes precedence. For more information see: Configuring DNS Settings

Since Cato doesn't intercept DNSSEC queries, DNS forwarding fails and the user isn't able to reach internal resources or the DNS results being retrieved aren't the expected ones.


The Solution

This is a known issue that Apple is actively working on. The following workarounds can be implemented in the meantime:

1. Block DNS over HTTP and DNS over TLS in a Firewall rule to prevent DNSSEC to be reachable via Cato. This will force macOS to switch to Cato's default DNS server over UDP-based DNS which will allow DNS forwarding.

2. Set as the only DNS server EXPLICITLY in CMA. This will prevent (or any other DNSSEC-supported DNS) from being set as a DNS server on the client and will force ALL DNS queries to go to Cato.

The DNS server can be set globally or per group, preferably the pre-configured 'All SDP Users' user group. For more information see: Customizing DNS Servers and Suffixes for Groups or User Groups




Was this article helpful?

1 comment

  • Comment author
    John Hawkins

    Can you please update this article when you support DNSSEC or apple fix is in play.

Add your comment