Unable to reach server on WiFi, but always able on cellular

I am slowly distributing my app to Beta testers via TestFlight. A few of them have already reported that the app showed “No Internet connection” while on WiFi. As soon as they switched to cellular everything started to work. But the WiFi worked for them for everything else.

One of the testers installed the app today for the first time. Still no Internet connection after switching back to WiFi from cellular.

I use Alamofire as a framework to make HTTPRequests and when these requests fail, “No Internet connection” error is displayed.

My backend service is hosted on Google Cloud, my domain is registered using AWS Route 53. I use SSL certificates managed by Google.

All HTTPRequests are sent to https://api.myapp.com (where myapp.com is hosted on AWS).

All of the testers have Automatic DNS resolution set in Settings -> WiFi -> (i) -> DNS

So far it occurred on iPhone XR and iPhone 12.

iOS versions 14.X

Any ideas how I can further investigate this issue?

Thanks

No Internet connection suggests that things are failing with NSURLErrorNotConnectedToInternet (-1009), which typically means that CFNetwork was unable to even start the connection. The most common cause of this is a problem with the device’s setup but that’s not the case here because other apps are working.

If one of these users connects to a “what’s my IP address site”, do they see the Wi-Fi or WWAN IP address?

Are the folks reporting this problem all in China?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Only folks located in Germany are reporting that.

I checked the logs on load balancers and these requests don't even arrive there (just to rule out rate limiting and other security mechanisms on the backend).

I just released a new beta version that gathers diagnostic information on device when these HTTP requests fail. After 15 minutes I received a report with the following error description: A server with the specified hostname could not be found.

I have no idea what I am doing wrong. A quick search points me in the direction of something being misconfigured in App Sandbox and its Network Connections. Right now, when I go to Target -> Signing & Capabilities, in the App Sandbox section, the Network part looks as follows:

[ ] Incoming Connections (Server)

[✓] Outgoing Connections (Client)

In the .entitlements file (not sure which ones are relevant):

  • associated domains contain applinks & webcredentials for my website only (not API), but I don't think this is relevant
  • App Sandbox=YES
  • com.apple.security.network.client=1

If one of these users connects to a “what’s my IP address site”, do they see the Wi-Fi or WWAN IP address?

I can ask, but since they can access everything, but my app, I'd suspect it is related to my app and not their network. Please let me know if I should ask, because I think the additional info I just provided might have shed some more light on the issue.

A quick search points me in the direction of something being misconfigured in App Sandbox and its Network Connections.

No, you’re off in the weeds there:

  • App Sandbox settings are only relevant on macOS. iOS-based platforms have a sandbox that applies to all third-party apps and it always allows access to the network [1].

  • Even on the Mac the App Sandbox treats all network interfaces equally; there’s no way it’d block one interface while allowing another.

Only folks located in Germany are reporting that.

OK.

After 15 minutes I received a report with the following error description: A server with the specified hostname could not be found.

My best guess is that all of these folks are using the same ISP and that ISP is blocking access to your site (probably accidentally).

Try shipping one of your beta testers an app with a ‘secret’ UI that fetches a request from some other site, like example.com. Does that work?

This is a useful diagnostic because, if it works, you know that the problem is site specific. And if it fails, you know that your site isn’t the issue but rather there’s something specific to your app.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Well, technically the sandbox can vary by product type. For example, a Network Extension filter data provider runs in a much more restrictive sandbox than a normal app.

Thanks for quick answer @eskimo.

I just added a way to send simple HTTP GET requests to:

  • myapp.com
  • api.myapp.com
  • example.com
  • apple.com
  • google.com

And already from my iPhone connected to WiFi I was able to observe the following results:

  • myapp.com ✅
  • api.myapp.com ✅
  • example.com ❌
  • apple.com ✅
  • google.com ✅

Same error: A server with the specified hostname could not be found. for https://example.com.

Right now I cannot even open https://example.com on my MacBook Pro connected to WiFi (tried Safari and Google Chrome). My Internet provider is Vodafone and I am based in Berlin.

On cellular everything works for all of us.

All of my beta testers are based in Berlin. Two of them, for whom the issue manifested itself, use T-Mobile as the Internet provider.

I will now distribute this version to others to see which domains they can reach.

It appears to me that something is wrong with DNS resolution while on WiFi. I just tried manual DNS Configuration and entered 8.8.8.8, launched browser in incognito mode and voila—I was able to reach https://example.com. Switched back to Automatic and it is unreachable again.

I could suggest that users use manual DNS configuration, but I would really like to avoid this option. I don't want to welcome users installing my app with a suggestion that they should modify their DNS configuration.

I don't think it is the source code, because I'd say it is pretty standard and I haven't touched DNS or any low level networking stuff. Basically only sending HTTP Requests. Unless there is some setting in Xcode, entitlement, variable in Info.plist, capability, key or something related to signing certificate / profile, it has to be the network and its DNS resolution.

IP addresses of the domains apple.com and google.com can be resolved, no matter what DNS server is used. But for my domain, it doesn't seem to be the case. Sometimes it is resolved correctly and sometimes not. Is there a way I can have a DNS entry added to these DNS servers? Why isn't it already there?

While waiting for an answer from you, I will start exploring the option of contacting AWS and/or GCD support to try to resolve this.

Right now I cannot even open https://example.com on my MacBook Pro connected to WiFi (tried Safari and Google Chrome).

Clearly there’s something borked with your ISP’s DNS setup. Fortunately you can reproduce it yourself, which means you can use a packet trace to see what’s going on.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks for the link @eskimo.

I just skimmed through that page, ran a tcpdump while sending some requests to example.com and then tried to analyze it with the free tcptrace, but to be honest it is a bit outside my area of expertise. I don't understand the result and I don't really want to invest time into it, because I need to focus on the product.

Actually I don't really care what is wrong with my DNS setup—I can always manually switch to 8.8.8.8 or 1.1.1.1, but I don't want this to happen to the users of my app. There is no point in releasing the app if the first thing the users see is "No internet connection". It might actually involve multiple ISPs (I know for sure that two of the beta testers, who reported this problem, use T-Mobile [aka Telekom] in Berlin), Vodafone users seem to have no problems. Will keep collecting more info from the others.

Also, I opened an AWS Support case since I host my domain on their Route 53. Let's see if they can assist me with this.

then tried to analyze it with the free tcptrace

This is probably not a transport level issue (that is, not a problem with any TCP connection) but rather an issue with DNS. Your client should be sending out DNS query requests (to UDP port 53 on the DNS server) and getting back replies (from that same port and IP address). You should be able to match these requests and replies to see if you get different results between your known good and known bad setup.

Hmmm, actually you’re working on the Mac so this is even easier. Consider this:

% dig @192.168.1.1 -t A example.com
…
;; ANSWER SECTION:
example.com.		80387	IN	A	93.184.216.34
…
% dig @192.168.1.1 -t AAAA example.com
…
;; ANSWER SECTION:
example.com.		78502	IN	AAAA	2606:2800:220:1:248:1893:25c8:1946
…
% dig @8.8.8.8 -t A example.com 
…
;; ANSWER SECTION:
example.com.		19862	IN	A	93.184.216.34
…
% dig @8.8.8.8 -t AAAA example.com
…
;; ANSWER SECTION:
example.com.		20628	IN	AAAA	2606:2800:220:1:248:1893:25c8:1946
…
% 

As you can see, my ISP’s DNS (192.168.1.1 is the address of my ISP-provided DSL gateway which forwards the query on to my ISP’s DNS servers) and 8.8.8.8 return the same answers for both IPv4 (-t A) and IPv6 (-t AAAA) queries.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks again @eskimo.

Indeed, that was pretty easy to do. My ISP-provided DNS Server's address is 192.168.0.1 so I queried that one instead of 192.168.1.1 and I got no answer:

➜  ~ dig @192.168.0.1 -t A example.com

; <<>> DiG 9.10.6 <<>> @192.168.0.1 -t A example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22857
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;example.com.			IN	A

;; Query time: 10 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Fri Sep 17 12:04:50 CEST 2021
;; MSG SIZE  rcvd: 29

When I used 8.8.8.8 I got the same IP address back that you got.

I can successfully obtain the IP address of the domain, on which my backend is hosted. Only the example.com doesn't work for me.

Ok, so I know how to query a DNS server for a given hostname, but where do I go from there? I could ask one of the beta testers to run similar queries when they encounter the problem, but how will it help? The only piece of information I will get is that they get no answer from their local DNS server. But the local DNS servers must be provisioned with DNS entries somehow. I'd say the problem is that for some ISPs, they don't provision their DNS servers with a hostname to IP address mapping for my domain. What can I do about that?

I used AWS to register the domain about 2 years ago and about 3 months ago I created an A record to route traffic from that domain to an IP address of a load balancer in Google Cloud. TTL is 300 seconds. It is a pretty standard setup so I'd expect it to work without any extra effort. The weird thing is that it works on cellular and on Vodafone WiFi networks so the DNS entry must have been added to some ISP's DNS servers, but apparently not to all of them.

Will post an update once I hear back from AWS support.
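To turn the resolver comparison described in the two posts above into a repeatable check, here is an added example (not code from the thread or from Apple) that parses `dig` output for the response status and ANSWER records, then flags every resolver whose answer differs from a chosen reference resolver. The two captures are constructed, modelled on the NXDOMAIN answer from 192.168.0.1 and the NOERROR answer from 8.8.8.8 quoted in this thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample captures (trimmed dig output, modelled on the thread).
DIG_ISP = """; <<>> DiG 9.10.6 <<>> @192.168.0.1 -t A example.com
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 22857
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;example.com.            IN    A

;; SERVER: 192.168.0.1#53(192.168.0.1)
"""

DIG_GOOGLE = """; <<>> DiG 9.10.6 <<>> @8.8.8.8 -t A example.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
example.com.        19862   IN    A    93.184.216.34

;; SERVER: 8.8.8.8#53(8.8.8.8)
"""

STATUS_RE = re.compile(r"status: ([A-Z]+)")


def parse_dig(output: str) -> Dict[str, object]:
    """Extract the rcode and the (type, rdata) pairs of the ANSWER SECTION."""
    match = STATUS_RE.search(output)
    status = match.group(1) if match else "UNKNOWN"
    records: List[Tuple[str, str]] = []
    in_answer = False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";") or not line.strip():
            in_answer = False          # any other header or blank line ends the section
            continue
        fields = line.split()          # name ttl class type rdata
        if in_answer and len(fields) >= 5 and fields[2] == "IN":
            records.append((fields[3], fields[4]))
    return {"status": status, "records": sorted(records)}


def find_divergent(captures: Dict[str, str], reference: str) -> List[str]:
    """Names of resolvers whose status or answer set differs from `reference`."""
    expected = parse_dig(captures[reference])
    return sorted(name for name, out in captures.items()
                  if name != reference and parse_dig(out) != expected)
```

Running `find_divergent({"192.168.0.1": DIG_ISP, "8.8.8.8": DIG_GOOGLE}, "8.8.8.8")` reproduces the thread's finding: the ISP resolver returns NXDOMAIN where the public resolver returns the A record.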

I received an answer from AWS support and the issue has been resolved. It turned out that the problem was related to the nameservers.

My domain is hosted on AWS, but my backend is in Google Cloud. While configuring my backend I must have changed the default nameservers on AWS to the ones provided by Google:

ns-cloud-c1.googledomains.com.
ns-cloud-c2.googledomains.com.
ns-cloud-c3.googledomains.com.
ns-cloud-c4.googledomains.com.

The AWS support advised me to switch back to the default ones provided by AWS, because those were the ones shown by a whois lookup:

ns-1553.awsdns-02.co.uk
ns-857.awsdns-43.net
ns-91.awsdns-11.com
ns-1160.awsdns-17.org

One of the beta testers, who previously experienced connection problems, reported that he was able to use the app on WiFi without any problems.

As a side note, I have also been shown a handy tool to inspect how different locations resolve an IP address of a domain: https://www.whatsmydns.net/#NS/apple.com

FYI @eskimo and thanks again for your input!
