macOS NAT64 hotspot returns DNS results from different IP address
| Field | Value |
|---|---|
| Originator | jzablot |
| Number | rdar://40529015 |
| Date Originated | May 24, 2018 |
| Status | |
| Resolved | |
| Product | macOS |
| Product Version | macOS 10.13.4 |
| Classification | |
| Reproducible | always |
Steps to Reproduce:
1. Connect an iPhone to the DNS64/NAT64 Wi-Fi hotspot a Mac has enabled.
2. View traffic on the iPhone with rvictl / Wireshark.
3. Run any app that uses DNS, but in particular apps that use their own DNS resolver.

Expected Results:
See in Wireshark that DNS responses from the Mac are returned from the same IP address to which the queries were sent. We do not want to accept DNS results from other IP addresses, to avoid DNS spoofing. See RFC 5452 section 3:

"DNS data is to be accepted by a resolver if and only if:"
...
"3. The response comes from the same network address to which the question was sent."

Actual Results:
See in Wireshark that DNS responses from the Mac are returned from a different IP address than the one to which the queries were sent. Refer to the attached packet capture.
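As an added illustration, not part of this radar and not Apple's or any resolver's code, the following applies the RFC 5452 section 3 acceptance rules the report quotes to a packet summary of the kind Wireshark shows: a response is only accepted if it matches an outstanding query on ID and question name, comes from the address and port the query was sent to, and lands on the socket that asked. The capture, addresses (172.20.10.x for the hotspot side, 192.0.2.10 as a second source address), ports and names are constructed placeholders, not values from the attached capture.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class DnsPacket:
    """One UDP DNS datagram as a capture tool would summarise it.

    All sample values used below are constructed for this example.
    """
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    txid: int          # DNS transaction ID
    qname: str         # owner name in the question section
    is_response: bool  # QR bit


@dataclass(frozen=True)
class Verdict:
    txid: int
    qname: str
    accepted: bool
    reason: str


def validate_responses(packets: List[DnsPacket]) -> List[Verdict]:
    """Apply the RFC 5452 section 3 acceptance rules to a packet sequence.

    A response is accepted only if (1) its question matches an outstanding
    query, (2) the transaction ID matches, (3) it comes from the network
    address the query was sent to, and (4) it arrives on the address and
    port the query was sent from. Anything else is reported as rejected,
    which is what a resolver hardened against spoofing should do.
    """
    # Outstanding queries keyed by (txid, lower-cased qname); the value is
    # the query packet so its address/port tuple can be compared later.
    outstanding: Dict[Tuple[int, str], DnsPacket] = {}
    verdicts: List[Verdict] = []

    for pkt in packets:
        key = (pkt.txid, pkt.qname.lower())
        if not pkt.is_response:
            outstanding[key] = pkt
            continue

        query = outstanding.get(key)
        if query is None:
            # Rules 1 and 2: no query with this question and ID is pending.
            verdicts.append(Verdict(pkt.txid, pkt.qname, False,
                                    "no outstanding query with this ID and name"))
            continue

        if (pkt.src_ip, pkt.src_port) != (query.dst_ip, query.dst_port):
            # Rule 3: the response must come from where the query went.
            # This is the check the behaviour described in the report fails.
            # The query stays outstanding: a genuine answer may still arrive.
            verdicts.append(Verdict(pkt.txid, pkt.qname, False,
                                    f"source {pkt.src_ip}:{pkt.src_port} differs from "
                                    f"query destination {query.dst_ip}:{query.dst_port}"))
            continue

        if (pkt.dst_ip, pkt.dst_port) != (query.src_ip, query.src_port):
            # Rule 4: the response must land on the socket that asked.
            verdicts.append(Verdict(pkt.txid, pkt.qname, False,
                                    "not delivered to the querying address and port"))
            continue

        del outstanding[key]
        verdicts.append(Verdict(pkt.txid, pkt.qname, True, "ok"))

    return verdicts


# Constructed capture (not the report's attachment): 172.20.10.1 stands in for
# the Mac's hotspot address, 172.20.10.2 for the iPhone, and 192.0.2.10 for a
# second address a response could come back from.
SAMPLE_CAPTURE = [
    DnsPacket("172.20.10.2", 50000, "172.20.10.1", 53, 0x1A2B, "example.com", False),
    DnsPacket("172.20.10.1", 53, "172.20.10.2", 50000, 0x1A2B, "example.com", True),
    DnsPacket("172.20.10.2", 50001, "172.20.10.1", 53, 0x3C4D, "example.net", False),
    DnsPacket("192.0.2.10", 53, "172.20.10.2", 50001, 0x3C4D, "example.net", True),
    DnsPacket("172.20.10.1", 53, "172.20.10.2", 50002, 0x5E6F, "example.org", True),
]


def rejected(packets: List[DnsPacket]) -> List[Verdict]:
    """Only the verdicts a careful resolver would drop."""
    return [v for v in validate_responses(packets) if not v.accepted]


if __name__ == "__main__":
    for v in validate_responses(SAMPLE_CAPTURE):
        status = "ACCEPT" if v.accepted else "REJECT"
        print(f"{status} id=0x{v.txid:04x} {v.qname}: {v.reason}")
```

Run against the constructed capture, the first answer is accepted, the second is rejected because its source address is not the address the query was sent to (the situation the report describes), and the third is rejected because no query with that ID and name is outstanding. An app-level resolver that applies these checks will silently drop the mismatched answers, which is why apps with their own resolver are the ones that show the symptom.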