iPhone 13 DNS issue since September 2022

Bit of a long story, so bear with me.


A customer of ours uses their iPhone 13s to access a camera feed via a recorder device.

They have their app connect to the device using a DNS name.

The Cisco ASA on their premises has a port mapping which doctors their request when they try to access the video feed, if they are behind the firewall (at home).

The DNS name obviously resolves to a public IP address, which is routed to the firewall.

If the firewall notices that the request for access originated from an inside network, it will return the private IP address of the recorder device instead of the public IP address, so traffic doesn't have to leave the local network.


As of September last year, this stopped working for their iPhone 13s. I went to their home and my own iPhone 7 has no problem whatsoever.

I installed a command line tool (LibTerm) on both my phone and one of their phones, and could see what went wrong when I tried to ping the DNS name for the recorder.

My phone returned the internal IP address, their phone the public IP address.


No changes were made on the firewall last year. I upgraded the firewall to its latest software, with no difference.

So it looks to me like an update changed something on their iPhones which results in this unwanted behaviour.

Does anybody have an idea on how to fix this?

Posted on Feb 1, 2023 3:14 AM

Question marked as Top-ranking reply

Posted on Feb 2, 2023 2:05 AM

Note that there is another possibility; Safari on iOS (since iOS 14) now follows the draft RFC that will ask DNS servers for a type 65 HTTPS record and will preferentially use that to an A or AAAA record.


If the Cisco does not rewrite type 65 requests, the record for the external host from Google will be used instead of the rewritten A or AAAA record that the firewall theoretically returns.


If you have access to a system that should be seeing the internal address, you can try doing a:


dig -t TYPE65 <camera hostname>


and check for a NOERROR rather than NXDOMAIN response.


If the Cisco doesn't recognize/rewrite type 65 requests and just passes them upstream, requests may just be forwarded upstream resulting in the behavior you see.


7 replies
Feb 1, 2023 3:47 AM in response to Community User

Look for differences in the way that the 7 and the 13 are set up in Wi-Fi.

Try turning off Private Address in the Wi-Fi settings on the iPhone.

Does anyone have an iPhone 13 still on iOS 15? iOS 16 had more advanced security.

Anyone using VPN? App store VPNs can cause havoc. Corporate VPNs should cope but not always.

In the end you may have to rethink the setup if the problem is repeated along the lines of iOS 15 vs iOS 16.


Feb 2, 2023 2:26 AM in response to Community User

Note the type 65 DNS lookup was found to break DNS filtering on many "safe browsing" products and open source utilities like dnsmasq had to be modified to deal with it, again meaning your Cisco might not support it or might require a firmware update to do so.


I know this gets a bit complex, but the bottom line is for many filtering/rewriting scenarios, because the request isn't an A or AAAA the request gets sent upstream and public data is returned rather than the rewritten private data desired.


I don't know which version of iOS your iPhone 7 is running, but this change was made in iOS 14 and macOS 11 Big Sur.
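To put the type 65 check from the replies above into code: this is an added example of my own, not code from any poster or from Cisco. It parses a constructed HTTPS (type 65) reply the way `dig -t TYPE65` would show it, reports NOERROR vs NXDOMAIN, and pulls out the ipv4hint addresses so you can see whether the record would steer the phone to an outside address instead of the firewall's rewritten private one. The hostname and addresses are constructed, and "inside" is taken to mean RFC 1918 space.

```python
import struct
import ipaddress

TYPE_HTTPS = 65  # the "type 65" HTTPS record the thread refers to
INSIDE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
def skip_name(msg, off):
    # Advance past a wire-format name; a compression pointer (top bits 11) is a terminal 2-byte field.
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += msg[off] + 1
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)
def parse_response(msg):
    """Return (rcode, [(rtype, rdata), ...]) from the answer section; rcode 0 = NOERROR, 3 = NXDOMAIN."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, answers = 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        answers.append((rtype, msg[off + 10:off + 10 + rdlen]))
        off += 10 + rdlen
    return flags & 0xF, answers
def https_ipv4hints(rdata):
    # HTTPS RDATA: SvcPriority (2 bytes), TargetName, then SvcParams; key 4 is ipv4hint.
    off, hints = skip_name(rdata, 2), []
    while off + 4 <= len(rdata):
        key, length = struct.unpack("!HH", rdata[off:off + 4])
        if key == 4:
            hints += [ipaddress.IPv4Address(rdata[off + 4 + i:off + 8 + i]) for i in range(0, length, 4)]
        off += 4 + length
    return hints
def type65_bypass(https_reply):
    """Outside addresses a NOERROR type 65 answer would steer the phone to; [] for NXDOMAIN or no hints."""
    rcode, answers = parse_response(https_reply)
    if rcode != 0:  # NXDOMAIN: nothing to prefer, so the client falls back to the rewritten A/AAAA
        return []
    hints = [ip for t, rd in answers if t == TYPE_HTTPS for ip in https_ipv4hints(rd)]
    return [str(ip) for ip in hints if not any(ip in net for net in INSIDE_NETS)]
def reply(host, rcode, records):
    # Constructed reply: response flags | rcode, one type 65 question, answer names point back at offset 12.
    qname = b"".join(bytes([len(l)]) + l.encode() for l in host.split(".")) + b"\x00"
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(records), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 60, len(rd)) + rd for t, rd in records)
    return hdr + qname + struct.pack("!HH", TYPE_HTTPS, 1) + rrs

HOST = "recorder.example.invalid"  # constructed hostname, not the customer's
# Upstream HTTPS record passed through unchanged: priority 1, target ".", ipv4hint=203.0.113.10 (constructed).
HTTPS_RDATA = struct.pack("!H", 1) + b"\x00" + struct.pack("!HH", 4, 4) + ipaddress.IPv4Address("203.0.113.10").packed
REPLY_PASSTHROUGH = reply(HOST, 0, [(TYPE_HTTPS, HTTPS_RDATA)])  # what the iPhone 13 acts on
REPLY_NXDOMAIN = reply(HOST, 3, [])  # what a resolver that filters type 65 would return
```

`type65_bypass(REPLY_PASSTHROUGH)` returns the outside address the phone would prefer, while the NXDOMAIN reply returns an empty list, which is the answer you want to see from the inside resolver.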



Feb 2, 2023 1:31 AM in response to Community User

OK, then the next thing to check is whether the Cisco ever sees a DNS request come in from the iPhone for the camera's hostname and what it returns as the answer.


  • If it doesn't see it, someone else is intercepting the response and is returning cached data instead.
  • If it does see it, is it responding with the proper address for a host behind the firewall? If not, why doesn't the Cisco recognize it?


Your user also might want to try toggling Airplane Mode on their iPhone, as that will clear the iPhone's local DNS cache.
