iPhone VPN DNS resolution issue
During the addition of iPhones to our corporate environment, I was unfortunate enough to be pulled into aiding in troubleshooting issues we were having. Namely, the issue that we were unable to resolve anything within our "domain.local" zone once connected to the ASA via ipsec... Using the .local TLD is fairly common in the Windows Active Directory world.
After some head scratching, and a bunch of tcpdump sessions on respective interfaces (direct evidence was instant requests to multicast space), I finally stumbled upon some facts: Apple has an "Exception List" for every interface. Within this list, by default are 2 entries, "169.254/16" and "*.local". Bingo, THAT's why all *.local requests timed out and never hit a single dns server...
Not much of a solution, but using another top level domain with replicated records from the prior .local zone fixes this issue, and now everything within our VPN is reachable via hostname. *sigh*

So you're telling me that's all it is?
So Apple decides to have *.local as an Exception List for what reason? So that iPhones don't work with Active Directory DNS conventions? How do you replicate records on the same DNS server with different TLD names? I haven't been able to figure that one out on our server.
*.local is used by the ZeroConf standard (i.e. Bonjour), which Apple started using around the same time AD was being developed.
.local is not part of the AD DNS spec; however, some genius decided to use it for the best practices manual and it has stuck. You could use .lan, .private, whatever, it doesn't really matter, and that is what I use for AD installs.
Under 10.4/10.5 you can add your addomain.local to your DNS search path, and it will know to use DNS specifically for *.addomain.local, but still let Bonjour service discovery work. MS still hasn't updated their technotes to indicate this, leaving Windows admins in the dark (they do have a notice saying that using .local might not work with some Macs, i.e. <10.4).
Why Apple has specifically added an exception to their DNS list, I do not know.
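As an added illustration (not code from the thread, and not Apple's implementation), the following Python models the resolver behaviour the replies describe: names under *.local and reverse lookups for 169.254/16 are sent to the mDNS multicast group instead of the VPN's unicast DNS server, unless a configured search domain covers the name, which is why the *.local queries in the original post never reached a DNS server. The search-domain override and the matching rules are simplifying assumptions taken from the thread; the server address and query names are constructed.

```python
# Simplified model of the per-interface DNS "exception list" discussed above.
# Assumptions (from the thread, not verified against Apple's code): *.local and
# 169.254/16 reverse lookups go to mDNS, and a matching search domain overrides that.
import ipaddress

MDNS_GROUP = ("224.0.0.251", 5353)                          # mDNS multicast group/port
EXCEPTION_SUFFIXES = ("local",)                             # the "*.local" entry
EXCEPTION_NETS = (ipaddress.ip_network("169.254.0.0/16"),)  # the "169.254/16" entry

def _labels(name):
    return [l for l in name.lower().rstrip(".").split(".") if l]

def _ptr_to_ip(name):
    """Return the IPv4 address encoded in an in-addr.arpa name, else None."""
    labels = _labels(name)
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    try:
        return ipaddress.ip_address(".".join(reversed(labels[:4])))
    except ValueError:
        return None

def resolve_target(name, unicast_servers, search_domains=()):
    """Decide where a query for `name` is sent: ("unicast"|"multicast", destination)."""
    labels = _labels(name)
    # A configured search domain that covers the name wins over the exception list.
    for dom in search_domains:
        dl = _labels(dom)
        if len(labels) > len(dl) and labels[-len(dl):] == dl:
            return ("unicast", unicast_servers[0])
    ip = _ptr_to_ip(name)
    if ip is not None and any(ip in net for net in EXCEPTION_NETS):
        return ("multicast", MDNS_GROUP)       # link-local reverse lookup -> mDNS
    if labels and labels[-1] in EXCEPTION_SUFFIXES:
        return ("multicast", MDNS_GROUP)       # *.local -> mDNS, never the VPN DNS
    return ("unicast", unicast_servers[0])

if __name__ == "__main__":
    vpn_dns = ["10.0.0.53"]  # constructed: the DNS server pushed by the VPN
    for q in ("fileserver.domain.local", "fileserver.domain.lan",
              "1.0.254.169.in-addr.arpa", "printer.local"):
        print(q, "->", resolve_target(q, vpn_dns))
        print(q, "(search domain.local) ->", resolve_target(q, vpn_dns, ["domain.local"]))
```

Running it shows fileserver.domain.local going to multicast by default and to 10.0.0.53 once domain.local is in the search list, while printer.local still uses Bonjour in both cases.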
More info on this fix
Hello
I have the iPhone 2.1 and I am in the same boat as your description of the problem. I am not the AD person, so I need some help in layman's terms to make this fix happen. Is this *.local issue on the iPhone, or is it something that needs to be addressed on the AD server? Is there a way to see what DNS server the iPhone gets when it connects to VPN, or even when connected to the G3 network? I guess it would be like the IPConfig /all command on Windows so you can verify all the settings.
Any help to get this resolved would be great.
Thanks
B