DNS Resolution fails in 15.4

Hi,

DNS resolution using libresolv (res_nquery) fails in 15.4 when connected to VPN. The same is working fine for 15.3 and lower and this happens for all the domains. The method returns -1 and res->res_h_errno is set to 2.

In Wireshark we can see that the DNS request is sent and the server also returns the response successfully.

The same works fine if we use TCP instead of UDP by setting the following option:

res->options |= RES_USEVC;

Answered by DTS Engineer in 836201022

There are a couple of ways to slice this. First, if you have a widely deployed product that’s failing after a software update, it’s worthwhile filing a compatibility bug about that. Apple strives to avoid breaking widely deployed products.

If you do file a bug, please post the bug number, just for the record.

Having said that, res_nquery is very much a compatibility API on our platforms and I strongly recommend against using it in production code. As to what you should do, that depends. There’s basic advice in TN3151 Choosing the right networking API, but if you want to go into more depth I’m happy to do that here. You just have to answer one question: What are you using res_nquery for?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi,

Thanks for your quick response. I have filed a bug report (FB17320486). I am using res_nquery to do NAPTR lookup for SIP server domain. The current code uses C++ and directly uses methods in libresolv.

Thanks for filing FB17320486.

IMPORTANT Please attach a sysdiagnose log to your bug, one taken shortly after reproducing the problems. See our Bug Reporting > Profiles and Logs page for info on how to do that.

I created a new Xcode project from the macOS > Command Line Tool template and then replaced its main.cpp code with the code from your bug. It works on my machine, regardless of whether I have my VPN running or not. Here’s what I saw:

Server Count: 1
Got 6 answers:
 - A Record: 23.215.0.138
 - A Record: 23.192.228.84
 - A Record: 96.7.128.198
 - A Record: 23.215.0.136
 - A Record: 96.7.128.175
 - A Record: 23.192.228.80

This suggests that there’s something specific about your setup that’s triggering the problem. The sysdiagnose log might help the network engineering team isolate that. However, I recommend that you run some tests at your end as well.

First up, if you set up a clean machine, one with a fresh install of macOS 15.4 and only the software necessary to reproduce the problem (Xcode and your VPN, basically), do you see the issue there?

Second, regarding this:

I am using res_nquery to do NAPTR lookup for SIP server domain.

If you try the same query using the direct interface to the system resolver, DNSServiceQueryRecord, does it have the same problem?

DNSServiceQueryRecord isn’t super easy to call, so I’ve included a tiny example below.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"


import Foundation
import dnssd

func main() {
    let fullname = "example.com."
    let rrtype = kDNSServiceType_A
    print("will resolve, name: '\(fullname)', type: \(rrtype)")
    var sdRefQ: DNSServiceRef? = nil
    let err = DNSServiceQueryRecord(
        &sdRefQ,
        0,
        UInt32(kDNSServiceInterfaceIndexAny),
        fullname,
        UInt16(rrtype),
        UInt16(kDNSServiceClass_IN),
        { _, flags, _, err, _, _, _, rdlen, rdata, ttl, _ in
            guard err == kDNSServiceErr_NoError else {
                print("did not resolve, error: \(err)")
                exit(1)
            }
            let data = NSData(bytes: rdata, length: Int(rdlen))
            print("did resolve, ttl: \(ttl), rdata: \(data.debugDescription)")
            if flags & kDNSServiceFlagsMoreComing == 0 {
                exit(0)
            }
        },
        nil
    )
    guard err == kDNSServiceErr_NoError else { fatalError() }
    let sdRef = sdRefQ
    DNSServiceSetDispatchQueue(sdRef, .main)
    withExtendedLifetime(sdRef) {
        dispatchMain()
    }
}

main()

Hi,

  1. The issue is not specific to a particular system/network/VPN client. It is reproducible on multiple networks and VPNs.

  2. Updated sysdiagnose logs collected after reproducing the issue at 10:08 AM 24th April UTC. Attached in https://feedbackassistant.apple.com/feedback/17320486

  3. The query using DNSServiceQueryRecord works fine with and without VPN in the same network.

Thanks, Prabhu

The issue is not specific to a particular system/network/VPN client.

Yeah, that’s weird because it definitely doesn’t reproduce for me with the VPN we use here at Apple.

Thanks for adding a sysdiagnose log to FB17320486.

The query using DNSServiceQueryRecord works fine

Cool. That at least gives you a potential workaround.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
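
Added example, not part of the thread or of anyone's posted code: the DNSServiceQueryRecord callback shown earlier delivers raw rdata and rdlen, so moving the NAPTR lookup to it means decoding the record by hand. This bounds-checked C parser follows the RFC 3403 field layout; struct naptr, get_charstr, parse_naptr and SAMPLE are names made up here, and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decoded NAPTR RDATA, fields in RFC 3403 section 4.1 order (hypothetical type). */
struct naptr {
    uint16_t order, preference;
    char flags[256], services[256], regexp[256], replacement[256];
};

/* Copy one <character-string> (length byte + data). Returns bytes consumed, 0 if truncated. */
static size_t get_charstr(const uint8_t *p, size_t left, char *out) {
    if (left < 1 || (size_t)p[0] + 1 > left) return 0;
    memcpy(out, p + 1, p[0]);
    out[p[0]] = '\0';
    return (size_t)p[0] + 1;
}

/* Returns 0 on success, -1 on truncated or malformed RDATA. */
int parse_naptr(const uint8_t *rd, size_t len, struct naptr *n) {
    char *fields[3] = { n->flags, n->services, n->regexp };
    size_t off = 4, o = 0, used;
    if (len < 4) return -1;
    n->order      = (uint16_t)(rd[0] << 8 | rd[1]);
    n->preference = (uint16_t)(rd[2] << 8 | rd[3]);
    for (int i = 0; i < 3; i++) {
        if ((used = get_charstr(rd + off, len - off, fields[i])) == 0) return -1;
        off += used;
    }
    for (;;) {  /* REPLACEMENT: plain labels up to the root; > 63 rejects compression pointers */
        if (off >= len) return -1;      /* ran out before the terminating zero label */
        uint8_t l = rd[off++];
        if (l == 0) break;
        if (l > 63 || l > len - off || o + l + 1 >= sizeof n->replacement) return -1;
        memcpy(n->replacement + o, rd + off, l);
        o += l; off += l;
        n->replacement[o++] = '.';
    }
    if (o == 0) n->replacement[o++] = '.';   /* bare root name */
    n->replacement[o] = '\0';
    return off == len ? 0 : -1;         /* trailing bytes mean a malformed record */
}

/* Constructed sample: 10 100 "S" "SIP+D2U" "" _sip._udp.example.com. */
static const uint8_t SAMPLE[] = "\x00\x0a\x00\x64\x01S\x07SIP+D2U\x00\x04_sip\x04_udp\x07" "example\x03" "com";
int main(void) {
    struct naptr n;
    if (parse_naptr(SAMPLE, sizeof SAMPLE, &n) != 0) return 1;
    return printf("%u %u \"%s\" \"%s\" %s\n", (unsigned)n.order, (unsigned)n.preference, n.flags, n.services, n.replacement) < 0;
}
```

The character-string fields may legally contain NUL bytes; this parser copies them but C string functions will stop at the first one.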
