Hi there.
We have a macOS 25 client running (at the time) ctrld 1.5.2. When the client connected to one particular iPhone hotspot, DNS resolution stopped working.
I tracked this down to this particular cellular carrier (Freenet Germany, https://www.freenet.de/) using 464XLAT. Freenet uses 192.0.0.0/24 for the IPv4 range that is passed to macOS CLAT, and this is not a standard RFC1918 address (it's RFC5736 - IANA IPv4 Special Purpose Address Registry).
With such a setup, ctrld might see requests coming in from the local host running the CLAT, using a source address of 192.0.0.2 (for example), which ctrld would consider a WAN request, according to the address selection logic at cmd/cli/dns_proxy.go:1132.
Workaround: explicitly set DNS to 127.0.0.1 for the affected hotspot connection, or change the ctrld config (either allow_wan_clients or set up a dedicated network for 192.0.0.0/24.)
Sadly, this is not the first time I see testing IP ranges abused for such purposes (I wonder why wouldn't they use the RFC6598 Shared Address Space?)
Hi there.
We have a macOS 25 client running (at the time) ctrld 1.5.2. When the client connected to one particular iPhone hotspot, DNS resolution stopped working.
I tracked this down to this particular cellular carrier (Freenet Germany, https://www.freenet.de/) using 464XLAT. Freenet uses 192.0.0.0/24 for the IPv4 range that is passed to macOS CLAT, and this is not a standard RFC1918 address (it's RFC5736 - IANA IPv4 Special Purpose Address Registry).
With such a setup, ctrld might see requests coming in from the local host running the CLAT, using a source address of 192.0.0.2 (for example), which ctrld would consider a WAN request, according to the address selection logic at
cmd/cli/dns_proxy.go:1132.Workaround: explicitly set DNS to 127.0.0.1 for the affected hotspot connection, or change the ctrld config (either
allow_wan_clientsor set up a dedicatednetworkfor 192.0.0.0/24.)Sadly, this is not the first time I see testing IP ranges abused for such purposes (I wonder why wouldn't they use the RFC6598 Shared Address Space?)