
Cannot access .local domain/intranet site when connected to the VPN after the iOS 8 update.

After updating to iOS 8, I can no longer access .local sites in our intranet.


e.g. site.domain.local.


I am using the integrated VPN Cisco client. I can access the Sites using the IP address.


I have tested it with Safari, Chrome and Skyfire. With the Scany network scanner I cannot look up the hostname using the full DNS suffix as stated above.


I have also tested with different iPhones and iPads. iOS 7 is still working fine.


Anybody else having these problems? I know with iOS 6 there was the same problem and it was solved with the next update.

Posted on Sep 23, 2014 6:52 AM

105 replies

Sep 30, 2014 4:30 AM in response to Vktor

I have tried connecting my phone to iPCU 3.6.2 to see if I can see what's happening when the VPN connects by looking at the "console" tab. However when my phone is connected to my workstation, the "console" tab simply says "==== Attached at 22/09/2014 11:08:00 ====" and nothing else. Usually when I connect my phone it displays tons of stuff, at least it does when I connect an iOS 7 device.


So it looks like iPCU is incompatible with iOS 8, unless anyone else is able to get this working themselves? Both PC and phone have been rebooted.


In addition I cannot install the VPN profile that Apple ask you to install when reporting VPN bugs - I downloaded and imported it into iPCU 3.6.2, the install button appears but when I click it nothing happens. It asks me to unlock my phone as expected, but even when my phone is unlocked and I click "install", nothing happens in iPCU or on the device.


https://bugreport.apple.com/download/instructions/VPN.mobileconfig


I'm not surprised that Apple have not responded or acknowledged this problem yet and do not expect them to either. It must be an Apple thing. I reported this issue via the bug reporter over a week ago and it's still "open". I have also reported issues in the past that I'm still waiting to be fixed despite being promised they will be addressed. Still waiting too. 😟

Sep 30, 2014 4:56 AM in response to davidenco

I created a bug report at radar.apple.com too. Mine is also still "Open". I would suggest that everybody with a developer account creates a bug report, describing his problem. Usually Apple responds to bug reports, but I am not so sure about the community forums.

If you do not have a developer account, just use the iPhone feedback form and describe your problem there.


The problem seems to be that iOS 8 considers every .local (and maybe also every .lan) domain as Bonjour/Zeroconf hostnames and therefore sends out Multicast DNS queries instead of asking the DNS server (received via DHCP or set statically).

They should at least do both, because many companies use .local domains for LAN services.

What bothers me the most is that this bug has already occurred three times in the history of iOS.

Dear Apple engineers, there is a technique called "regression testing" to avoid introducing the same bugs over and over again.. 😠

Oct 3, 2014 4:48 AM in response to clemensg

The same problem. Simple steps to verify the problem: connect to the VPN server, run a utility like "Free Ping", ping "slatter.local" and you will see the result of resolving (0.0.0.0). It's a very serious fault for our employees and for workflows in general.

I agree with "Dear Apple engineers, there is a technique called "regression testing" to avoid introducing the same bugs over and over again.." - it's an epic fail...

Oct 9, 2014 4:37 AM in response to oktss

Resolved? Or trying to work around???


Before the update everything was fine, other computers with various OS are fine using the same domain DNS. I even tried changing the DNS servers from the wireless interface and nothing.


I wish it were recognized as a bug, not a user error, and that someone works on it and releases a fix as soon as possible. My device went from a business tool to a music player. All the other 17 devices I have and didn't update are working fine, resolving local names. Again, the issue is not about a .local domain, it is about resolving any local names from any domain.

Oct 9, 2014 5:02 AM in response to Vktor

Ah ok, I see. So if you define let's say your company's web server domain to an internal IP address, that does not work either..


So it's not only an issue with Multicast DNS when you resolve .local domains, maybe in the case of Unicast DNS, they do not honor the DNS server received via DHCP and always use one of their own DNS servers? Because on my device, external domains, for example www.google.com, do get resolved just fine.


This would be a violation of RFC standards, as far as I know. The device should always ask the local DNS server first..


Vktor: If you do a packet capture on your network, do you see any DNS requests coming out ? If yes, where to?

Oct 9, 2014 5:14 AM in response to clemensg

Any external domain gets resolved and I can ping the local network IPs when the VPN is up. However I cannot resolve any names from the local network, not even assigning a static IP and DNS to the iPad's wireless interface.


I will try to capture packets. Earlier I was trying to explain that it is not about the ".local" domain names, it is about any local domains. The VPN connects, I can ping the local IPs for any device across the VPN, including the domain servers.

Oct 9, 2014 10:35 AM in response to Vktor

I can confirm that the issue is in fact with .local domains, and not an issue with the iPad ignoring local DNS. I use a split-DNS setup for my mail server (internal clients resolve to private IP, external resolve to public) and my iPad resolved mail.[myinternetdomain].org correctly. While attached to VPN or directly attached to the LAN it resolves to the private IP, meaning it is correctly querying local DNS and not some mysterious external server. The issue is that it ignores local DNS for .local domains as detailed in previous posts.

Oct 9, 2014 11:10 AM in response to Philcanuck

I'm sorry Philcanuck, I do not agree with you. Just because you are getting a local IP from an external domain, it does not mean local names are being resolved. If you create a domain, for example called "mynetwork.org", and you don't link that domain with an external IP, or basically you just keep that domain local to be accessed with a VPN only, the iPad/iPhone will not resolve the local names if it was upgraded to iOS 8 or later. Without changing anything, iPads or iPhones with iOS 7x will work fine.


Again, it is not about ".local" domains and it is not about a misconfiguration on the local DNS servers. Any computer, PC/Mac, connected to the VPN is able to ping local names after resolving the name; iPads/iPhones with iOS 7x will resolve the local names through the VPN and ping the local IPs as the computers will do without changing anything. Just upgrade to iOS 8x and it will quit working.

Oct 9, 2014 12:17 PM in response to Vktor

Yes, I am talking about a device that is currently running iOS 8.0.2. It will resolve all but .local domains.


Split DNS is a technique used to point Exchange clients to a private IP address without throwing a certificate error, i.e. clients accessing any non-internal DNS server will pull the public IP of the server, but WAN and VPN clients will pull private. I'm fully aware that I could register a domain and set DNS to point at a private IP address as you suggest. That is not what is happening here.


In the case of my iPad here, running 8.0.2, I am confirming definitively that it is using the internal DNS servers as provided by my DHCP server. When connected to VPN, my iPad resolves the IP address of our Exchange server as the private IP. This can only happen if the iPad is querying my internal DNS servers. Any other DNS server in the world would return the public IP.


So the iPad is resolving against the correct DNS servers but will not resolve a .local domain. When attached to local WiFi, I can add a search domain of mydomain.local and everything works fine. This does not work over VPN, however.


This is a confirmed bug in several older versions of iOS.

Oct 9, 2014 4:58 PM in response to Philcanuck

I investigated this with Apple since our customers were reporting it and have learned this is a feature of iOS 8, albeit one not documented.


Below is the conclusion:


DNS will no longer work with .local domains which do not advertise a SOA record.


In iOS 8, a DNS server must advertise a SOA record for the .local domain in order for iOS to resolve .local hostnames against the DNS server.


If you are asserting ownership over the ".local" top-level-domain, then you must be advertising a start-of-authority record for that domain. It is a mis-configuration not to have a SOA record. Apple permits it with the "local" SOA in iOS 8 for backward-compatibility with Active Directory.
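An added example, not part of the thread and not Apple's code: a way to check from an admin workstation whether an internal DNS server answers a unicast SOA query for the `local` zone, which is the condition the last post describes. Treating "NOERROR with a SOA in the answer section" as the pass criterion is an assumption, and the sample replies and the names `dc1.local` and `hostmaster.local` are constructed.

```python
import socket
import struct

SOA, IN = 6, 1  # RR type SOA and class IN (RFC 1035)

def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"

def build_soa_query(zone="local", txid=0x1234):
    """Unicast query 'zone. IN SOA' with the recursion-desired bit set."""
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!2H", SOA, IN)

def skip_name(msg, off):  # offset just past a (possibly compressed) name
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def has_soa_answer(msg):
    """True only for a NOERROR reply whose answer section holds a SOA record."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if flags & 0x000F:                   # non-zero RCODE, e.g. 3 = NXDOMAIN
        return False
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4    # skip QTYPE and QCLASS
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == SOA:
            return True
        off += 10 + rdlen                # step over this record's fixed part and RDATA
    return False

def server_advertises_soa(server, zone="local", timeout=3.0):
    """Live check against a DNS server IP (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_soa_query(zone), (server, 53))
        return has_soa_answer(s.recv(4096))

# Constructed sample replies (not captured traffic); the host names are made up.
QUESTION = encode_name("local") + struct.pack("!2H", SOA, IN)
RDATA = encode_name("dc1.local") + encode_name("hostmaster.local") + struct.pack("!5I", 1, 900, 600, 86400, 3600)
REPLY_WITH_SOA = (struct.pack("!6H", 0x1234, 0x8580, 1, 1, 0, 0) + QUESTION
                  + b"\xc0\x0c" + struct.pack("!HHIH", SOA, IN, 3600, len(RDATA)) + RDATA)
REPLY_NXDOMAIN = struct.pack("!6H", 0x1234, 0x8183, 1, 0, 0, 0) + QUESTION
```

Call `server_advertises_soa()` with the address of the DNS server handed out over the VPN; a `False` result matches the failing configuration described in the post above.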
