ik3umt
Member Candidate
Topic Author
Posts: 295
Joined: Tue Jul 08, 2014 3:58 pm

iPhone not resolving static dns entries

Tue Jul 20, 2021 5:02 pm

My RB acts as DNS server for my LAN
It has a few static entries like

/ip dns static
add address=192.168.1.100 name=myhost.mydomain

Name is resolvable by local machines but NOT by wifi-connected iPhones (that say DNS server is RB address)

Why is this? Another Apple complication? Any workaround?
 
DarkNate
Forum Veteran
Posts: 999
Joined: Fri Jun 26, 2020 4:37 pm

Re: iPhone not resolving static dns entries

Wed Jul 21, 2021 11:34 am

Weird. I've used a bunch of Apple devices and they work fine with the stub DNS resolver on MikroTik.

dump /export hide sensitive
 
pe1chl
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: iPhone not resolving static dns entries

Wed Jul 21, 2021 11:45 am

It is becoming more and more common to have "DNS rebind protection" that is filtering DNS replies to queries outside your LAN domain but returning a LAN or loopback address.
I don't know if Apple implements that in their devices. There are routers that implement it in their DNS resolvers. Of course in that case not for static entries, but e.g. when your LAN range is 192.168.88.0/24 and you would query a name like "server.example.com" via the resolver in the router, and the external DNS replies with "IN A 192.168.88.10" that reply would be dropped. For good reasons, as such setups can be used to attack your internal network.
However, RouterOS does not have this feature.

But, it could be that Apple has it in their software as well. Maybe it works when your DNS server sets the proper local domain (in this case mydomain) and so the devices, when doing their DHCP request, know that the local domain is mydomain and then expect names like myhost.mydomain to be in the local network.

Another issue, which affects Google devices, is that sometimes even when you have configured a local DNS server they still access other DNS servers (in that case 8.8.8.8 and 8.8.4.4) for some queries. You can subvert that by setting a dst-nat for DNS queries to other addresses than your router, and redirecting them to your router.

But that still isn't sufficient because now devices are switching to DoT and, even worse, DoH. Once that is more common, it will be no longer possible to use local static DNS entries.
It is advised to register "mydomain" (I presume this is just a placeholder) in Internet DNS and put the values on an Internet-hosted DNS server instead of in your router. However, that still does not solve the "DNS rebind protection" issue.
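
The reply filtering described in the post above, as an added sketch that is not part of the thread and is not RouterOS functionality. The function names and sample replies are constructed for illustration; `mydomain` is the placeholder local domain from the thread.

```python
import ipaddress


def is_internal(addr):
    """True for LAN, loopback, link-local or unspecified addresses."""
    ip = ipaddress.ip_address(addr)
    # Unwrap ::ffff:a.b.c.d so an IPv4-mapped AAAA record is judged as IPv4.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified


def in_local_domain(qname, local_domains):
    """True when qname is a local domain or a label-aligned subdomain of one."""
    name = qname.rstrip(".").lower()
    for dom in local_domains:
        dom = dom.rstrip(".").lower()
        if name == dom or name.endswith("." + dom):
            return True
    return False


def filter_reply(qname, addresses, local_domains):
    """Split one reply's A/AAAA addresses into (kept, dropped)."""
    if in_local_domain(qname, local_domains):
        return list(addresses), []  # local names may point at LAN hosts
    kept, dropped = [], []
    for addr in addresses:
        (dropped if is_internal(addr) else kept).append(addr)
    return kept, dropped


# Constructed sample replies: (query name, addresses in the answer).
SAMPLES = [
    ("myhost.mydomain", ["192.168.1.100"]),
    ("server.example.com", ["192.168.88.10"]),
    ("www.example.com", ["93.184.216.34", "::ffff:127.0.0.1"]),
    ("host.evilmydomain", ["10.0.0.5"]),
]

if __name__ == "__main__":
    for qname, addrs in SAMPLES:
        kept, dropped = filter_reply(qname, addrs, ["mydomain"])
        print(f"{qname}: kept={kept} dropped={dropped}")
```

The last sample shows why the domain match has to be label-aligned: a name that merely ends in the same characters as the local domain is still treated as external.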
 
gotsprings
Forum Guru
Posts: 2087
Joined: Mon May 14, 2012 9:30 pm

Re: iPhone not resolving static dns entries

Wed Jul 21, 2021 12:33 pm

Make a nat rule to capture queries to port 53 and send them to your router.

Make a nat rule to capture packets sent to any of the well known DNS and send it back to your router via an address list.
 
andriys
Forum Guru
Posts: 1526
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: iPhone not resolving static dns entries

Sat Jul 24, 2021 12:56 pm

Do you happen to use the .local domain for your static entries? I saw someone mention in another thread that Apple only uses mDNS (but not "regular" DNS) to resolve names ending in .local.
 
Guscht
Member Candidate
Posts: 236
Joined: Thu Jul 01, 2010 5:32 pm

Re: iPhone not resolving static dns entries

Sat Jul 24, 2021 1:23 pm

Is there a special DNS configured for ad-protection or something?
I could imagine Apple does their own thing here...
 
mozerd
Forum Veteran
Posts: 871
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: iPhone not resolving static dns entries

Sat Jul 24, 2021 1:25 pm

Why is this? Another Apple complication? Any workaround?
If you are using the current version of iOS for your iPhone there is a Privacy setting that you must turn off so that your static address gets accepted.
The Apple setting is called Private Address .... turn that off ... then on your iPhone turn off wireless and then turn it back on and your static assigned address will work.
Use a private network address on iPhone
 
pe1chl
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: iPhone not resolving static dns entries

Sat Jul 24, 2021 1:52 pm

If you are using the current version of iOS for your iPhone there is a Privacy setting that you must turn off so that your static address gets accepted.
The Apple setting is called Private Address .... turn that off ... then on your iPhone turn off wireless and then turn it back on and your static assigned address will work.
If I understand that correctly (it has the well-known void of any technical information so that technicians cannot check what the manufacturer recommends to the end-users who must not be scared by technical details) this is about IPv6 privacy extensions. Has nothing to do with the question the original poster asked. But maybe with enough persistence information can be found about "rebind protection" and "enforced DoH/DoT" I discussed before.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: iPhone not resolving static dns entries

Sat Jul 24, 2021 5:52 pm

I just love a good mystery!
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: iPhone not resolving static dns entries

Sat Jul 24, 2021 8:35 pm

trust mozerd to solve this!
he has to read labels first..
 
ik3umt
Member Candidate
Topic Author
Posts: 295
Joined: Tue Jul 08, 2014 3:58 pm

Re: iPhone not resolving static dns entries  [SOLVED]

Tue Jul 27, 2021 8:11 am

Do you happen to use the .local domain for your static entries? I saw someone mention in another thread that Apple only uses mDNS (but not "regular" DNS) to resolve names ending in .local.
Good catch!
My fault in not being specific (thinking .local was a private domain like any "fantasy" one; it is used for different purposes/environments instead).
