lapcat 10 months ago

I can't reproduce this. Some people say it has to do with ESET: https://www.reddit.com/r/MacOS/comments/1fievr5/updating_mad...

TechRemarker 10 months ago

Before Sequoia, when using OpenDNS for VPN, I could be on the VPN and iMessage and other apps would still work, but since Sequoia, when on the VPN, iMessage (text messages) etc. no longer work. Once I disconnect from the VPN, everything goes through. Is this related at all? I do have the macOS firewall enabled, but not "block all incoming connections".

  • unluckier 10 months ago

    Disabling the firewall for testing is simple enough. If things work after turning off the firewall, then this is your problem.

garyrob 10 months ago

After upgrading to Sequoia, I could not browse with Safari or Mozilla. What fixed it for me was to go to the DNS settings for my Wi-Fi connection and add Google's DNS servers (8.8.8.8 and 8.8.4.4). They replaced the autofilled DNS servers that were there.

  • greyface- 10 months ago

    Were the autofilled DNS servers in RFC1918 private space (10.0.0.0/8, 192.168.0.0/16, etc.)? I had issues after the upgrade with Google Chrome being unable to access hosts in these ranges, and fixed it by going to System Settings -> Privacy & Security -> Local Network and toggling Google Chrome off and on again.

    • garyrob 10 months ago

      No, they weren't local. I have no idea where they came from. I couldn't even delete them, but when I added the Google servers, the autofilled ones were automatically deleted.

      • kccqzy 10 months ago

        They came from DHCP or RDNSS in RA.

  • JumpCrisscross 10 months ago

    > could not browse with Safari or Mozilla

    FYI, it looks like Firefox fixed this.

    • zakki 10 months ago

      So not a macOS error?

      • JumpCrisscross 10 months ago

        > not macOS error?

        It worked before I upgraded to Sequoia. But I don't know enough to point fingers. Just mentioning that turning off the firewall long enough for Firefox to update fixes the problem.

OptionOfT 10 months ago

Honestly, I'm fine with that. Applications themselves should not be resolving DNS outside of what I set in settings.

The reason applications do this is to prevent users from blocking telemetry etc. It's my computer; I should have final say on what goes out.

  • amluto 10 months ago

    There is no such thing as a remotely cross-platform DNS resolution API that has the system do the lookup and does not utterly suck for asynchronous use.

    • wtallis 10 months ago

      I suspect "cross-platform" is doing a lot of heavy lifting for your claim. Browser engines and application frameworks built on top of them have no trouble using platform-specific APIs under the hood.

      • spookie 10 months ago

        Yeah, but frameworks are yet another level of abstraction and dependency that just kills momentum.

  • nullindividual 10 months ago

    All major browsers now implement the ability to use a browser-defined resolver.

    • lxgr 10 months ago

      Yes, and some of them even make it the default under some circumstances.

      I agree with GP that this is generally not a great trend.

  • Dalewyn 10 months ago

    Seeing this getting downvoted is fucking wild.

    I remember 20+ years ago when one of the most commonly seen attacks was malware configuring a proxy server in Internet Explorer which by design overrode the operating system's configuration.

    What a lot of software does today by ignoring the operating system in lieu of their own shit is just like the above. If your program doesn't (or can't) respect the operating system, your shit is malware and you should reconsider who you write code for.

    • nomel 10 months ago

      > Seeing this getting downvoted is fucking wild.

      If you consider the source of income of what's most likely a considerable portion of the HN community, I think this makes more sense. Apple is one of the only companies interested in preventing tracking, and it hurts, in the billions sort of way [1][2].

      [1] https://www.forbes.com/sites/kateoflahertyuk/2022/10/08/appl...

      [2] https://www.forbes.com/sites/timbajarin/2022/07/26/apples-do...

    • yndoendo 10 months ago

      Those ideas are not isomorphic.

      One malicious overrides universal network communication while the other just conducts DNS queries limited to a single application domain.

      • altruios 10 months ago

        You are describing something that violates system settings for its own benefit instead of the end user's.

        You are describing malware. Benign malware is still malicious, even if it does no active harm. Intent (of how the software operates) matters.

      • Dalewyn 10 months ago

        >just conducts DNS queries

        Queries that will ignore configurations you set.

        If I see something ignoring/evading my configured DNS server, that shit is fucking malware.

  • nox101 10 months ago

    I have one browser set up to do DNS differently than another. I don't want to have to set it at a system level and then need multiple systems just to run 2 browsers with different DNS lookup.

  • Spivak 10 months ago

    Yep, I wish they would go the full way and block socket access entirely so your own outgoing traffic is always introspectable even with cert pinning. It would make it blatantly obvious when apps try shady shit.

    • nomel 10 months ago

      I had a great Windows firewall like this about 20 years ago. It would pop up a dialog for every network request from an app. You could block or allow based on port or destination, or "block all". It was amazing, because as you say, it made it very obvious when an app was trying shady shit.

      I would love to have that back, but I was never able to find a firewall so hostile to the user experience of the general population.

      • kergonath 10 months ago

        It sounds similar in spirit to Little Snitch, mentioned in the article (on macOS, but which inspired OpenSnitch, which runs on Linux). It is awesome indeed, if a bit overwhelming at first. Most regular users would just uninstall it to avoid the constant barrage of requests initially, and then every time a new piece of software tries to connect to anything.

      • tpush 10 months ago

        Zonealarm?

        • nomel 10 months ago

          Yes! That was it. I'll try it again.

    • newaccount74 10 months ago

      Shady shit? Not every network request is a call to an HTTP REST API.

      Blocking socket APIs would break every app that supports other protocols. Goodbye file transfer apps, VPN apps, file sync apps, database tools, SSH clients, remote desktop clients, audio and video conferencing apps, etc.

      • 9dev 10 months ago

        As long as I can add exceptions for those apps to my firewall, I’m kind of… okay with that?

      • Spivak 10 months ago

        Shady shit meaning it's really obvious when you're making HTTP calls with encrypted opaque blobs.