On macOS Ventura and iOS devices, users aren't able to reach internal resources when connected to Cato
- macOS Ventura 13.0 or later
- iPhone iOS 16 or later
- Cato SDP Client regardless of the version
- DNS forwarding configured for internal domains
If Cato DNS settings applied to SDP users are default (empty fields), Cato will push to the client the following DNS information:
- Primary DNS server 10.254.254.1
- Secondary DNS server 188.8.131.52
Based on Cato's tests, when the account is configured as above or using a known public DNS server (such as 184.108.40.206 or 220.127.116.11), macOS/iOS are likely to prefer DNSSEC (such as DNS over HTTPS which Cato currently does not support) for name resolution toward the configured public DNS server.
Once macOS/iOS sees a DNS server compliant with DNSSEC, it will ignore any other DNS server including Cato's DNS Server IP. Further information can be found in this Apple discussion.
Since Cato PoPs don't support DNS forwarding for DNSSEC packets, DNS forwarding fails and the user isn't able to reach internal resources or the DNS results being retrieved aren't the expected ones.
The preferred DNS servers on the machine can be identified by running <scutil --dns>. In the following output, the DNS server 18.104.22.168 is preferred as the primary DNS by macOS.
MacBook-Air-2:~ xx$ scutil --dns
nameserver : 22.214.171.124
nameserver : 10.254.254.1
if_index : 24 (utun8)
flags : Supplemental, Request A records
reach : 0x00000003 (Reachable,Transient Connection)
order : 101200
Be aware that when DNS settings between entities conflict, the entity closest to the host (from host > site > group > account) takes precedence. For more information see: Configuring DNS Settings
This is a known issue that Apple is actively working on. The following workarounds can be implemented at Cato:
1. Block DNS over HTTPS and DNS over TLS in a Firewall rule to prevent DNSSEC to be reachable via Cato. This will force macOS/iOS to switch to Cato's default DNS server 10.254.254.1 over UDP-based DNS which will allow DNS forwarding.
2. Set 10.254.254.1 as the only DNS server EXPLICITLY in CMA. This will prevent 126.96.36.199 (or any other DNSSEC-supported DNS) from being set as a DNS server on the client and will force ALL DNS queries to go to Cato.
The DNS server can be set globally or per group, preferably the pre-configured 'All SDP Users' user group. For more information see: Customizing DNS Servers and Suffixes for Groups or User Groups