Issue
On macOS Ventura and iOS devices, users aren't able to reach internal resources when connected to Cato
Environment
- macOS Ventura 13.0 or later
- iPhone iOS 16 or later
- Cato SDP Client regardless of the version
- DNS forwarding configured for internal domains
Reason
If Cato DNS settings applied to SDP users are default (empty fields), Cato will push to the client the following DNS information:
- Primary DNS server 10.254.254.1
- Secondary DNS server 8.8.8.8
Based on Cato's tests, when the account is configured as above or using a known public DNS server (such as 8.8.8.8 or 1.1.1.1), macOS/iOS are likely to prefer DNSSEC (such as DNS over HTTPS which Cato currently does not support) for name resolution toward the configured public DNS server.
Once macOS/iOS sees a DNS server compliant with DNSSEC, it will ignore any other DNS server including Cato's DNS Server IP. Further information can be found in this Apple discussion.
Since Cato PoPs don't support DNS forwarding for DNSSEC packets, DNS forwarding fails and the user isn't able to reach internal resources or the DNS results being retrieved aren't the expected ones.
The preferred DNS servers on the machine can be identified by running <scutil --dns>. In the following output, the DNS server 8.8.8.8 is preferred as the primary DNS by macOS.
MacBook-Air-2:~ xx$ scutil --dns
DNS configuration
resolver #1
nameserver[0] : 8.8.8.8
nameserver[1] : 10.254.254.1
if_index : 24 (utun8)
flags : Supplemental, Request A records
reach : 0x00000003 (Reachable,Transient Connection)
order : 101200
Be aware that when DNS settings between entities conflict, the entity closest to the host (from host > site > group > account) takes precedence. For more information see: Configuring DNS Settings
Solution
This is a known issue that Apple is actively working on. The following workarounds can be implemented at Cato:
1. Block DoH (DNS over HTTPS) and DNS over TLS in a Firewall rule to prevent DNSSEC to be reachable via Cato. This will force macOS/iOS to switch to Cato's default DNS server 10.254.254.1 over UDP-based DNS which will allow DNS forwarding.
2. Set 10.254.254.1 as the only DNS server EXPLICITLY in CMA. This will prevent 8.8.8.8 (or any other DNSSEC-supported DNS) from being set as a DNS server on the client and will force ALL DNS queries to go to Cato.
The DNS server can be set globally or per group, preferably the pre-configured 'All SDP Users' user group. For more information see: Centralized Management of SDP User DNS Settings
2 comments
Can you please update this article when you support DNSSEC or apple fix is in play.
When do they support DNSSEC?
Please sign in to leave a comment.