05-23-2019 02:32 PM
06-14-2019 02:47 PM
Update: We had some old LG Androids that were still exhibiting the issue after making that change. I had to create a new SSID that used the main subnet (native VLAN) to get them to connect. They would not connect to our dedicated VLAN for Guest. I'm still unsure of the reason behind this, but that is what I had to do to get some of the older Androids to connect. Any ideas, feel free. I've double checked configs and everything looks good.
06-07-2019 12:48 PM
06-07-2019 10:36 AM
I found the culprit! Google implemented DNS over TLS in late 2018 on Android. This is when our issues started. It's not the same thing as DNS Sec, which just authenticates the DNS server to make sure it is who it says it is. Once that part of DNS Sec is done, DNS traffic flows unencrypted over port 53. Encrypted DNS does what DNS Sec does plus encrypts the payload. It also uses TCP port 853, which our firewall was blocking because we only allow approved services through. Apple iOS and MacOS only support DNS Sec. Their support for encrypted DNS is coming later in the year, which explains why they haven't been affected yet. Allowing port 853 through the firewall has fixed 90+% of the affected clients. For others I've had to manually disable the Private DNS feature in the Settings>Connections portion of Android OS. Private DNS (encrypted) is supposed to fall back to plain DNS if negotiation fails, but some are not, or are timing out. That is what made this issue so hard to troubleshoot. Android needs to improve the reliability of this feature. Also, latency can aggravate the issue, as can your ISP's DNS server not supporting or rejecting the connection outright. I mean, after all, your DNS queries are valuable info that they make a lot of money off of. Hope this helps, and if you find any additional info on this please let me know!
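As an added diagnostic (not code from this thread or from Android), the Python script below does what the Android Private DNS client does: it opens a certificate-verified TLS session to a resolver on TCP/853, sends one DNS query with the RFC 7858 two-byte length prefix, and parses the answer, so an admin can confirm from a wired host that the firewall now passes DoT rather than guessing from phone behaviour. The resolver hostname, the query name and the wire-format parsing helpers are assumptions of this example.

```python
import socket
import ssl
import struct

def build_query(name, txid=0x1234):
    """Minimal DNS A query in wire format: 12-byte header + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(data, pos):
    """Advance past a (possibly compressed) domain name; return new offset."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, name ends here
            return pos + 2
        pos += length + 1

def parse_a_records(resp):
    """Return IPv4 strings from the answer section (empty if RCODE != 0)."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if flags & 0x000F:  # non-zero RCODE, e.g. SERVFAIL or NXDOMAIN
        return []
    pos = 12
    for _ in range(qdcount):
        pos = _skip_name(resp, pos) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        pos = _skip_name(resp, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[pos:pos + 4]))
        pos += rdlen
    return addrs

def check_dot(resolver, name="example.com", timeout=5.0):
    """TLS to resolver:853 and resolve `name`; return (reachable, result)."""
    query = build_query(name)
    try:
        with socket.create_connection((resolver, 853), timeout=timeout) as raw, \
             ssl.create_default_context().wrap_socket(raw, server_hostname=resolver) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)  # RFC 7858 length prefix
            f = tls.makefile("rb")  # read(n) blocks until n bytes arrive or EOF
            n = struct.unpack("!H", f.read(2))[0]
            return True, parse_a_records(f.read(n))
    except (OSError, struct.error) as exc:  # blocked port, timeout, TLS or truncation
        return False, str(exc)
```

Run `check_dot("dns.google")` from inside the network; a `(False, 'timed out')` result on 853 while port 53 works is the firewall symptom described in the post.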
06-05-2019 06:49 AM
@Donnie Johnson
Did you find some sort of solution for this? Looks like we have the same issues, also with Android devices (not with Apple devices etc.)