Upstream DNS doesn't seem to work

I want to use the upstream DNS to resolve the controller routing domain name directly, but it doesn't work. The log shows that the controller routing cannot be connected. What is the upstream DNS used for in the iOS code? Can it be used as the network DNS?

Upstream DNS is only supported for macOS in the Apple tunnelers. There were issues when configuring for iOS. See ziti-tunnel-apple/Network/PacketTunnelProvider.swift at 4bbb37f16658f935d953d91e12a3231dda343701 · openziti/ziti-tunnel-apple · GitHub

If you are building from code, you can re-enable, but you'll also need to tweak the "fallbackDnsEnable" flag and set the upstreamDns variable, which is not currently supported in the iOS UI.

macOS logs

[2024-06-27T02:37:48:836Z] INFO PacketTunnelProvider:PacketTunnelProvider.swift:366 startNetworkMonitor() Setting fallback DNS to 172.16.1.10
(32474)[2024-06-27T02:37:48.835Z] INFO tunnel-cbs:ziti_dns.c:228 ziti_dns_set_upstream() DNS upstream is set to 172.16.1.10:53
(32474)[2024-06-27T02:37:53.573Z] INFO ziti-sdk:ziti.c:934 ziti_re_auth_with_cb() ztx[9] starting to re-auth with ctrl[https://www.test-ctrl.com:1280] api_session_status[0] api_session_expired[TRUE]
(32474)[2024-06-27T02:37:53.574Z] ERROR ziti-sdk:ziti_ctrl.c:164 ctrl_resp_cb() ctrl[www.test-ctrl.com] request failed: -3008(unknown node or service)
(32474)[2024-06-27T02:37:53.574Z] WARN ziti-sdk:ziti.c:1625 api_session_cb() ztx[9] failed to get api session from ctrl[https://www.test-ctrl.com:1280] api_session_state[1] CONTROLLER_UNAVAILABLE[-16] unknown node or service
(32474)[2024-06-27T02:37:58.575Z] INFO ziti-sdk:ziti.c:934 ziti_re_auth_with_cb() ztx[9] starting to re-auth with ctrl[https://www.test-ctrl.com:1280] api_session_status[0] api_session_expired[TRUE]
(32474)[2024-06-27T02:37:58.579Z] ERROR ziti-sdk:ziti_ctrl.c:164 ctrl_resp_cb() ctrl[www.test-ctrl.com] request failed: -3008(unknown node or service)
(32474)[2024-06-27T02:37:58.579Z] WARN ziti-sdk:ziti.c:1625 api_session_cb() ztx[9] failed to get api session from ctrl[https://www.test-ctrl.com:1280] api_session_state[1] CONTROLLER_UNAVAILABLE[-16] unknown node or service
(32474)[2024-06-27T02:38:03.580Z] INFO ziti-sdk:ziti.c:934 ziti_re_auth_with_cb() ztx[9] starting to re-auth with ctrl[https://www.test-ctrl.com:1280] api_session_status[0] api_session_expired[TRUE]
(32474)[2024-06-27T02:38:03.584Z] ERROR ziti-sdk:ziti_ctrl.c:164 ctrl_resp_cb() ctrl[www.test-ctrl.com] request failed: -3008(unknown node or service)
(32474)[2024-06-27T02:38:03.584Z] WARN ziti-sdk:ziti.c:1625 api_session_cb() ztx[9] failed to get api session from ctrl[https://www.test-ctrl.com:1280] api_session_state[1] CONTROLLER_UNAVAILABLE[-16] unknown node or service

Upstream DNS is only used when processing intercepts, and is not used when connecting to the controller (or to edge routers). Your log shows a problem connecting to your controller from your Mac.

What happens if you run something like openssl s_client -connect www.test-ctrl.com:1280 from your Mac command line? Is your Mac able to connect to the controller?

The controller can be used, but you need to modify the hosts or add the DNS server address in the network settings to access it. I thought this upstream DNS could be used as the specified DNS resolution address, but I misunderstood. Currently, it seems that there is no difference whether this upstream DNS is set or not. What kind of function is it developed for?

When intercepting DNS names (e.g., when your intercept.v1 config specified hostnames to intercept), the tunneler may receive DNS requests that are not meant to be intercepted. In this case, the upstream DNS server is used to resolve the request. When you have set "Intercept DNS by Matching Domains" the fallback (or "upstream") DNS server is rarely used. But when "Intercept DNS by Matching Domains" is not set, the tunneler DNS is set as primary DNS for macOS, and is used to resolve all DNS requests (and the fallback DNS server is called quite often). The default setting is "Intercept DNS by Matching Domains".

By default, the fallback DNS server address is taken from your system settings, but you can override it via the "Override Fallback DNS" field in Advanced Settings.
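As an added illustration (not code from ziti-tunnel-apple), a simplified Python model of the dispatch described above: names from intercept.v1 configs are answered by the tunneler, anything else is forwarded to the fallback DNS, and with "Intercept DNS by Matching Domains" set, non-matching queries never reach the tunneler resolver at all. The wildcard matching rule, the class and method names, and the sample intercept list are assumptions for illustration; 172.16.1.10 and www.test-ctrl.com are taken from the thread.

```python
from dataclasses import dataclass, field


@dataclass
class TunnelerDns:
    """Simplified model (hypothetical, not the tunneler's real code) of how DNS
    queries are dispatched between intercepts and the fallback resolver."""
    intercepted: set            # hostnames / wildcard domains from intercept.v1 configs
    fallback_dns: str           # "Override Fallback DNS" value, e.g. 172.16.1.10
    match_domains_only: bool    # the "Intercept DNS by Matching Domains" setting
    forwarded: list = field(default_factory=list)   # queries sent to fallback DNS

    def matches_intercept(self, name: str) -> bool:
        # Assumed matching rule: exact hostname, or "*.domain" wildcard.
        name = name.rstrip(".").lower()
        for pattern in self.intercepted:
            if pattern.startswith("*."):
                if name.endswith(pattern[1:]) or name == pattern[2:]:
                    return True
            elif name == pattern:
                return True
        return False

    def resolve(self, name: str) -> str:
        """Return who answers the query: 'intercept', 'system' or 'fallback:<ip>'."""
        if self.matches_intercept(name):
            return "intercept"          # synthetic address for the Ziti service
        if self.match_domains_only:
            # macOS only routes the intercepted domains to the tunneler resolver,
            # so a non-matching query never reaches it; the system resolver answers.
            return "system"
        # Tunneler is the primary DNS: every non-intercepted query is forwarded.
        self.forwarded.append(name)
        return f"fallback:{self.fallback_dns}"


def controller_lookup(match_domains_only: bool) -> str:
    """Show where the (never intercepted) controller hostname is resolved."""
    dns = TunnelerDns({"*.ziti", "app.internal"}, "172.16.1.10", match_domains_only)
    return dns.resolve("www.test-ctrl.com")
```

Note that in both modes the controller name is never answered by an intercept; the upstream setting only changes which resolver handles the miss, which is why it cannot fix the controller connection failure in the logs above.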

Do you mean that if I turn off Intercept DNS by Matching Domains, 172.16.1.10 will be used as the primary DNS of the Mac, but now the controller still prompts that it cannot connect.
In other words, the project now needs to modify the hosts or network settings to add a DNS server to access the controller.

It is intercepted in the ziti network to start dns resolution, but I have not yet entered the ziti network. Is my understanding correct?

No. Those settings don't come into play when accessing the controller. They are only used when processing intercepts, and the controller hostname should never be intercepted.

OK, thank you very much for your reply