macOS NAT64 hotspot returns DNS results from different IP address

Originator: jzablot
Number: rdar://40529015
Date Originated: May 24, 2018
Status:
Resolved:
Product: macOS
Product Version: macOS 10.13.4
Classification:
Reproducible: always
 
Steps to Reproduce:
1. Connect an iPhone to the DNS64/NAT64 Wi-Fi hotspot that a Mac has enabled.
2. View traffic on the iPhone with rvictl / Wireshark.
3. Run any app that uses DNS, in particular apps that use their own DNS resolver.

Expected Results:
See in Wireshark that DNS responses from the Mac are returned from the same IP address to which the queries were sent. We do not want to accept DNS results from other IP addresses, to avoid DNS spoofing. See RFC 5452 section 3:

"DNS data is to be accepted by a resolver if and only if:"

...

"3. The response comes from the same network address to which the
question was sent."

Actual Results:
See in Wireshark that DNS responses from the Mac are returned from a different IP address than the one to which the queries were sent. Refer to the attached packet capture.
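
Added example, not part of the original report and not code from any Apple or third-party resolver: a resolver-side acceptance check in Python for the RFC 5452 section 3 rule quoted above (the response must come from the address the question was sent to), combined with the ID and question-section matches from the same section. All function names are hypothetical, and build_query only constructs sample input.

```python
import ipaddress
import struct

def build_query(txid, name, qtype=28):
    """Build a minimal DNS query as constructed sample input (qtype 28 = AAAA)."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_question(msg):
    """Return (txid, is_response, question); raises on malformed input."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while msg[pos] != 0:                  # IndexError if the name is truncated
        n = msg[pos]
        if n > 63:                        # compression pointer or invalid label
            raise ValueError("bad label")
        labels.append(msg[pos + 1:pos + 1 + n].lower())
        pos += 1 + n
    qtype, qclass = struct.unpack("!HH", msg[pos + 1:pos + 5])
    return txid, bool(flags & 0x8000), (b".".join(labels), qtype, qclass)

def same_endpoint(a, b):
    """Compare (ip, port) tuples by parsed address, not by text form."""
    return ipaddress.ip_address(a[0]) == ipaddress.ip_address(b[0]) and a[1] == b[1]

def accept_response(query, sent_to, response, received_from):
    """Return (accepted, reason) for one UDP response to one outstanding query."""
    try:
        q_id, _, q_question = parse_question(query)
        r_id, is_response, r_question = parse_question(response)
    except (ValueError, IndexError, struct.error):
        return False, "malformed"
    if not is_response:
        return False, "not a response"
    if r_question != q_question:          # question section must match
        return False, "question mismatch"
    if r_id != q_id:                      # ID field must match
        return False, "ID mismatch"
    if not same_endpoint(received_from, sent_to):   # rule 3 quoted above
        return False, "source address mismatch"
    return True, "ok"
```

A resolver applying this check rejects the behaviour reported here with "source address mismatch", since the reply arrives from an address other than the one queried.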
