Symptoms
You're connected to CloudConnexa, but a resource configured as an Application under Networks → Applications is unreachable from your Mac:
Browsing the domain, ping, or ssh to the hostname times out, hits the wrong server, or is blocked.
A Windows device or a Mac running a different macOS version can reach it.
The same destination is reachable when configured as an IP Service rather than an Application (reachable via IP, if applicable).
Why it happens
When an Application is configured with a domain, CloudConnexa acts as a proxy DNS server and returns a lookup response with an intermediary IP address from the WPC Domain Routing range (default: 100.80.0.0/12). Your Mac then routes that intermediary IP through the tunnel. The DNS resolver itself sits in the WPC subnet (default 100.96.0.0/11).
Another app or service on your Mac can intercept DNS requests before the CloudConnexa resolver sees the query and return the destination's public IP address. The tunnel is still up, but your apps are dialing the wrong address.
Services commonly seen causing this:
MDM DNS profiles: Mosyle, Jamf Pro, Intune.
Endpoint protection and EDR: SentinelOne, CrowdStrike Falcon, JumpCloud Agent.
Secondary DNS or VPN clients: Cloudflare WARP, Cisco Umbrella Roaming Client, NextDNS, ControlD, Tailscale MagicDNS, or another active VPN.
Apple Private Relay (iCloud+).
Firewalls with DNS filtering: Little Snitch, LuLu.
Confirm the cause in two commands
Run both commands while connected to CloudConnexa and while reproducing the problem:
nslookup <your-application-domain>
dscacheutil -q host -a name <your-application-domain>
How to read the output:
If nslookup returns an address in 100.80.0.0/12 (the intermediary and working IP), but dscacheutil returns the destination's public address (the non-working IP), another macOS service is intercepting DNS for your applications.
If both return a public address, the issue is likely on the CloudConnexa side: Application configuration, Access Group, or user/group sync.
nslookup and dig query the resolver directly. dscacheutil uses the same macOS API (getaddrinfo) that your browser, SSH client, and other apps use, so it reflects what those apps actually see.
Important: The Domain Routing subnet defaults to 100.80.0.0/12, but it's configurable; confirm the range in your environment under CloudConnexa Administration Portal → Settings → WPC.
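The two-command check above as a script, added here as an example (not CloudConnexa's own tooling): it pulls the IPv4 answer out of each command's output and applies the reading rules. The function names, verdict labels, the ROUTING_CIDR variable and the sample captures are assumptions of this example; the "ok" and "inconclusive" verdicts cover cases the article does not spell out.

```sh
#!/bin/sh
# Added example, IPv4 only. ROUTING_CIDR defaults to the article's Domain
# Routing range; override it if Settings → WPC shows a different one.
ROUTING_CIDR="${ROUTING_CIDR:-100.80.0.0/12}"

ip_to_int() {   # dotted quad -> 32-bit integer
  IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
  echo $(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
}

in_cidr() {     # in_cidr IP CIDR -> exit status 0 when IP is inside CIDR
  bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))   # 4294967295 = 2^32 - 1
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "${2%/*}") & mask )) ]
}

# First IPv4 answer in nslookup output; the resolver's own "Address:" line
# carries a "#53" suffix, so the pattern skips it.
nslookup_ip() { awk '/^Address/ && $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {print $2; exit}'; }
# First IPv4 answer in "dscacheutil -q host" output.
dscacheutil_ip() { awk '$1 == "ip_address:" {print $2; exit}'; }

classify() {    # classify NSLOOKUP_IP DSCACHEUTIL_IP -> verdict on stdout
  [ -n "$1" ] && [ -n "$2" ] || { echo inconclusive; return 0; }
  if in_cidr "$1" "$ROUTING_CIDR"; then
    if in_cidr "$2" "$ROUTING_CIDR"; then echo ok   # both see the intermediary IP
    else echo local-dns-interception; fi            # resolver fine, getaddrinfo path is not
  elif in_cidr "$2" "$ROUTING_CIDR"; then echo inconclusive
  else echo check-cloudconnexa-side                 # both public: config, Access Group, sync
  fi
}

diagnose() {    # live check; run on the Mac: diagnose <your-application-domain>
  ns=$(nslookup "$1" | nslookup_ip)
  ds=$(dscacheutil -q host -a name "$1" | dscacheutil_ip)
  echo "nslookup=$ns dscacheutil=$ds verdict=$(classify "$ns" "$ds")"
}

# Constructed sample captures (not output from a real environment).
SAMPLE_NS='Server:  100.96.1.1
Address: 100.96.1.1#53

Name:    app.example.com
Address: 100.80.0.5'
SAMPLE_DS='name: app.example.com
ip_address: 203.0.113.10'
```

On the Mac, source the file and run diagnose with your Application domain while connected and reproducing the problem.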