d3nnis.c

Q: Cannot access .local domain/intranet site when connected to the VPN after the iOS 8 update.

After updating to iOS 8, I can no longer access .local sites in our intranet.

E.g. site.domain.local.

I am using the integrated VPN Cisco client. I can access the sites using the IP address.

I have tested it with Safari, Chrome and Skyfire. With the Scany network scanner I cannot look up the hostname using the full DNS suffix as stated above.

I have also tested with different iPhones and iPads. iOS 7 is still working fine.

Anybody else having these problems? I know with iOS 6 there was the same problem and it was solved with the next update.

Posted on Sep 23, 2014 6:52 AM

  • by davidenco, Sep 30, 2014 4:30 AM, in response to Vktor

    I have tried connecting my phone to iPCU 3.6.2 to see if I can see what's happening when the VPN connects by looking at the "console" tab. However when my phone is connected to my workstation, the "console" tab simply says "==== Attached at 22/09/2014 11:08:00 ====" and nothing else. Usually when I connect my phone it displays tons of stuff, at least it does when I connect an iOS 7 device.

    So it looks like iPCU is incompatible with iOS 8, unless anyone else is able to get this working themselves? Both PC and phone have been rebooted.

    In addition I cannot install the VPN profile that Apple ask you to install when reporting VPN bugs - I downloaded and imported it into iPCU 3.6.2, the install button appears but when I click it nothing happens. It asks me to unlock my phone as expected, but even when my phone is unlocked and I click "install", nothing happens in iPCU or on the device.

    https://bugreport.apple.com/download/instructions/VPN.mobileconfig

    I'm not surprised that Apple have not responded or acknowledged this problem yet and do not expect them to either. It must be an Apple thing. I reported this issue via the bug reporter over a week ago and it's still "open". I have also reported issues in the past that I'm still waiting to be fixed despite being promised they will be addressed. Still waiting too.

  • by clemensg, Sep 30, 2014 4:56 AM, in response to davidenco

    I created a bug report at radar.apple.com too. Mine is also still "Open". I would suggest that everybody with a developer account creates a bug report, describing his problem. Usually Apple responds to bug reports, but I am not so sure about the community forums.

    If you do not have a developer account, just use the iPhone feedback form and describe your problem there.

    The problem seems to be that iOS 8 considers every .local (and maybe also every .lan) domain as Bonjour/Zeroconf hostnames and therefore sends out Multicast DNS queries instead of asking the DNS server (received via DHCP or set statically).

    They should at least do both, because many companies use .local domains for LAN services.

    What bothers me the most is that this bug has already occurred three times in the history of iOS.

    Dear Apple engineers, there is a technique called "regression testing" to avoid introducing the same bugs over and over again.

  • by Akademuk, Oct 3, 2014 4:48 AM, in response to clemensg

    The same problem. Simple steps to verify the problem: connect to the VPN server, run a utility like "Free Ping", ping "slatter.local" and you will see the result of resolving (0.0.0.0). It's a very serious fault for our employees and for workflows in general.

    I agree with "Dear Apple engineers, there is a technique called "regression testing" to avoid introducing the same bugs over and over again.." - it's an epic fail...

  • by shiggins80, Oct 3, 2014 10:53 AM, in response to Akademuk

    Yes, same problem. DNS isn't working correctly. Everything is accessible via IP address.

  • by oktss, Oct 9, 2014 12:20 AM, in response to d3nnis.c

    Has been resolved.

    The DNS server is a Windows AD server.

    I created a "local" zone in the DNS Manager.

    Only this one.

    This is the answer from AppleCare Help Desk Support.

  • by dehsgr, Oct 9, 2014 12:29 AM, in response to oktss

    I cannot confirm the solution of creating a .local domain. Within our DNS infrastructure .local already exists...

  • by clemensg, Oct 9, 2014 1:02 AM, in response to oktss

    That's not a solution.. it's a precondition for the error. We have a .local zone and iOS 8 can no longer access it.. all versions before were fine. So it is definitely not a DNS server issue. It's a bug in the iOS 8 network stack.

  • by Vktor, Oct 9, 2014 4:37 AM, in response to oktss

    Resolved? Or trying to work around???

    Before the update everything was fine, other computers with various OS are fine using the same domain DNS. I even tried changing the DNS servers from the wireless interface and nothing.

    I wish it were recognized as a bug, not a user error, and that someone would work on it and release a fix as soon as possible. My device went from a business tool to a music player. All the other 17 devices I have and I didn't update are working fine, resolving local names. Again the issue is not about a .local domain, it is about resolving any local names from any domain.

  • by clemensg, Oct 9, 2014 5:02 AM, in response to Vktor

    Ah ok, I see. So if you define let's say your company's web server domain to an internal IP address, that does not work either..

    So it's not only an issue with Multicast DNS when you resolve .local domains, maybe in the case of Unicast DNS, they do not honor the DNS server received via DHCP and always use one of their own DNS servers? Because on my device, external domains, for example www.google.com, do get resolved just fine.

    This would be a violation of RFC standards, as far as I know. The device should always ask the local DNS server first..

    Vktor: If you do a packet capture on your network, do you see any DNS requests coming out? If yes, where to?

  • by Vktor, Oct 9, 2014 5:14 AM, in response to clemensg

    Any external domain gets resolved and I can ping the local network IPs when the VPN is up. However I cannot resolve any names from the local network, not even assigning a static IP and DNS to the iPad's wireless interface.

    I will try to capture packages. Earlier I was trying to explain that it is not about the ".local" domain names, it is about any local domains. The VPN connects, I can ping the local IPs for any device across the VPN, including the domain servers.

  • by Philcanuck, Oct 9, 2014 10:35 AM, in response to Vktor

    I can confirm that the issue is in fact with .local domains, and not an issue with the iPad ignoring local DNS. I use a split-DNS setup for my mail server (internal clients resolve to private IP, external resolve to public) and my iPad resolved mail.[myinternetdomain].org correctly. While attached to VPN or directly attached to the LAN it resolves to the private IP, meaning it is correctly querying local DNS and not some mysterious external server. The issue is that it ignores local DNS for .local domains as detailed in previous posts.

  • by Vktor, Oct 9, 2014 11:10 AM, in response to Philcanuck

    I'm sorry Philcanuck, I do not agree with you. Because you are getting a local IP from an external domain it does not mean local names are being resolved. If you create a domain for example called "mynetwork.org" and you don't link that domain with an external IP, or basically you just keep that domain local to be accessed with a VPN only, the iPad/iPhone will not resolve the local names if it was upgraded to iOS 8 or later. Without changing anything, iPads or iPhones with iOS 7x will work fine.

    Again, it is not about ".local" domains and it is not about a misconfiguration on the local DNS servers. Any computer, PC/Mac, connected to the VPN is able to ping local names after resolving the name; iPads/iPhones with iOS 7x will resolve the local names through the VPN and ping the local IPs as the computers will do without changing anything. Just upgrade to iOS 8x and it will quit working.

  • by Philcanuck, Oct 9, 2014 12:17 PM, in response to Vktor

    Yes, I am talking about a device that is currently running iOS 8.0.2. It will resolve all but .local domains.

    Split DNS is a technique used to point Exchange clients to a private IP address without throwing a certificate error, i.e. clients accessing any non-internal DNS server will pull the public IP of the server, but WAN and VPN clients will pull private. I'm fully aware that I could register a domain and set DNS to point at a private IP address as you suggest. That is not what is happening here.

    In the case of my iPad here, running 8.0.2, I am confirming definitively that it is using the internal DNS servers as provided by my DHCP server. When connected to VPN, my iPad resolves the IP address of our Exchange server as the private IP. This can only happen if the iPad is querying my internal DNS servers. Any other DNS server in the world would return the public IP.

    So the iPad is resolving against the correct DNS servers but will not resolve a .local domain. When attached to local WiFi, I can add a search domain of mydomain.local and everything works fine. This does not work over VPN, however.

    This is a confirmed bug in several older versions of iOS.

  • by Pete boston, Oct 9, 2014 4:58 PM, in response to Philcanuck

    I investigated this with Apple since our customers were reporting it and have learned this is a feature of iOS 8, albeit one not documented.

    Below is the conclusion:

    DNS will no longer work with .local domains which do not advertise a SOA record.

    In iOS 8, a DNS server must advertise a SOA record for the .local domain in order for iOS to resolve .local hostnames against the DNS server.

    If you are asserting ownership over the ".local" top-level-domain, then you must be advertising a start-of-authority record for that domain. It is a mis-configuration not to have a SOA record. Apple permits it with the "local" SOA in iOS 8 for backward-compatibility with Active Directory.
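
Added example, not part of Pete boston's post or of this thread: one way to check the condition described above, namely whether a DNS server returns an SOA record for the `local` zone. All function names and the constructed sample replies are assumptions made for illustration.

```python
import socket
import struct

SOA, IN = 6, 1  # record type SOA, class IN

def encode_name(name):  # "corp.local" -> DNS wire-format labels
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split(".")) + b"\x00"

def build_soa_query(zone, txid=0x1234):
    """Standard query (RD set) asking for the SOA record of `zone`."""
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(zone) + struct.pack(">HH", SOA, IN)

def skip_name(msg, off):  # offset just past a (possibly compressed) name
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def has_soa_answer(msg):
    """True if the reply is NOERROR and its answer section contains an SOA record."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:  # non-zero RCODE, e.g. 3 = NXDOMAIN
        return False
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if rtype == SOA:
            return True
        off += 10 + rdlen
    return False

def server_advertises_soa(server_ip, zone="local", timeout=3.0):
    """Ask a DNS server you administer over UDP/53 (needs network; not called here)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_soa_query(zone), (server_ip, 53))
        return has_soa_answer(s.recv(4096))

def constructed_response(zone, with_soa):
    """Constructed sample reply: NOERROR with one SOA answer, or NXDOMAIN with none."""
    flags = 0x8580 if with_soa else 0x8583
    msg = struct.pack(">HHHHHH", 0x1234, flags, 1, int(with_soa), 0, 0) + build_soa_query(zone)[12:]
    if with_soa:
        rdata = encode_name("ns1." + zone) + encode_name("hostmaster." + zone) + struct.pack(">IIIII", 1, 3600, 600, 86400, 3600)
        msg += b"\xc0\x0c" + struct.pack(">HHIH", SOA, IN, 3600, len(rdata)) + rdata
    return msg
```

Calling `server_advertises_soa()` with the address of your own internal DNS server, from a host on the LAN or VPN, runs the same check against a live server.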

  • by shiggins80, Oct 10, 2014 5:55 AM, in response to Pete boston

    Looks like SOA is set up and working correctly, and this only happens when connected to VPN. When I'm on the corporate wireless, everything seems to search correctly and I can connect to my internal resources.
