I’ve updated my iPhone and iPad to iOS 16.2 and now I can’t connect to HA from either device when I’m on my LAN. All is good from my wife’s devices which are still running 16.1.1. Also older iOS devices which are “stuck” at 15.x are able to connect fine. HA itself is up to date.
All is good from the WAN side where the connection happens via a CloudFlare Tunnel.
I have a wildcard SSL certificate for my domain on my primary HA device but I use DuckDNS to secure a test instance of HA. Both instances of HA are now uncontactable from iOS 16.2 devices. Even Safari on those devices refuses to connect to either so I suspect Apple has done something.
Fortunately all is good via CloudFlare so I’ve deleted the SSID associated with my Internal URL so my devices always use the External URL (i.e. CloudFlare). This is not optimal but it works.
Apple have enabled some additional privacy in iOS 16.2 such that it has a preference for DNS over TLS. If iOS has access to multiple DNS hosts it will only use an unencrypted DNS host if it can’t connect to one with TLS. I have a local DNS and a local secondary but also provide an “external” host in case both of my internals are down. Neither of my internal DNS hosts support TLS … but the external does.
When I started using a Cloudflare Tunnel to facilitate access to Home Assistant from outside I disabled the port forwarding I was using. When I upgraded to iOS 16 my devices ignored my internal DNS hosts (as they do not support TLS) and only used the external host to resolve Home Assistant’s IP address. The result was that my iOS 16.2 devices were hitting my WAN address instead of my LAN address. Since I’d removed the port forward, connections failed.
The solution was to remove “client” access to the external DNS. By forcing iOS 16.2 to use my LAN DNS, resolution requests resolved to the LAN address of Home Assistant and all was good.
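As an added illustration (this is not the poster's code), the Python below models the resolver preference described in the post and checks whether the address a client ends up with is on the LAN. The hostnames, addresses and resolver names are constructed, and the "prefer a DNS-over-TLS resolver, fall back to plaintext only if none is reachable" rule is a simplified model of the behaviour reported above, not Apple's documented algorithm.

```python
"""Model of the DoT resolver preference described above plus a split-horizon
check.  Added example: resolver list, hostname and addresses are constructed,
and the selection rule is a simplified model of the reported behaviour."""
import ipaddress
from dataclasses import dataclass, field, replace


@dataclass
class Resolver:
    name: str
    supports_dot: bool           # answers DNS over TLS (RFC 7858) on 853/tcp
    reachable: bool = True
    records: dict = field(default_factory=dict)  # name -> address (constructed)
    client_access: bool = True   # False once LAN clients are blocked from it

    def lookup(self, hostname):
        return self.records.get(hostname)


def pick_resolver(resolvers, prefer_encrypted=True):
    """Return the resolver a client would query.

    With prefer_encrypted=True (the iOS 16.2 behaviour the post describes), a
    reachable DoT-capable resolver wins over any plaintext one regardless of
    list order; plaintext resolvers are used only when no DoT resolver is
    reachable.  Resolvers the client is not allowed to reach are skipped."""
    usable = [r for r in resolvers if r.reachable and r.client_access]
    if prefer_encrypted:
        for r in usable:
            if r.supports_dot:
                return r
    return usable[0] if usable else None


def is_lan_address(address, lan_networks):
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(n) for n in lan_networks)


def diagnose(hostname, resolvers, lan_networks, prefer_encrypted=True):
    """Which resolver answers, what it returns, and whether that is a LAN address."""
    chosen = pick_resolver(resolvers, prefer_encrypted)
    if chosen is None:
        return {"resolver": None, "address": None, "on_lan": False}
    address = chosen.lookup(hostname)
    return {
        "resolver": chosen.name,
        "address": address,
        "on_lan": address is not None and is_lan_address(address, lan_networks),
    }


def split_horizon_mismatch(hostname, resolvers):
    """True if the configured resolvers disagree about the hostname; that
    disagreement is exactly what makes the resolver choice matter."""
    answers = {r.lookup(hostname) for r in resolvers if r.lookup(hostname)}
    return len(answers) > 1


# Constructed scenario: two LAN resolvers without DoT that hand out the Home
# Assistant LAN address, and one public resolver with DoT that only knows the
# WAN address (all names and addresses are made up).
HA_HOST = "ha.example.com"
LAN_NETWORKS = ["192.168.1.0/24"]
RESOLVERS = [
    Resolver("lan-primary", supports_dot=False, records={HA_HOST: "192.168.1.10"}),
    Resolver("lan-secondary", supports_dot=False, records={HA_HOST: "192.168.1.10"}),
    Resolver("public-dot", supports_dot=True, records={HA_HOST: "203.0.113.5"}),
]


def ios_15_behaviour():
    # Older clients take the first reachable resolver in list order.
    return diagnose(HA_HOST, RESOLVERS, LAN_NETWORKS, prefer_encrypted=False)


def before_fix():
    # iOS 16.2 model: the DoT-capable public resolver wins, so the WAN address comes back.
    return diagnose(HA_HOST, RESOLVERS, LAN_NETWORKS)


def after_fix():
    # The post's fix: LAN clients can no longer reach the external resolver.
    fixed = [replace(r, client_access=False) if r.name == "public-dot" else r
             for r in RESOLVERS]
    return diagnose(HA_HOST, fixed, LAN_NETWORKS)


if __name__ == "__main__":
    print("split-horizon mismatch:", split_horizon_mismatch(HA_HOST, RESOLVERS))
    for label, result in (("iOS 15 / 16.1", ios_15_behaviour()),
                          ("iOS 16.2 before fix", before_fix()),
                          ("iOS 16.2 after fix", after_fix())):
        print(f"{label}: {result}")
```

Running it shows the same sequence as the post: the older behaviour and the fixed configuration both return the LAN address, while the unfixed iOS 16.2 model returns the WAN address that no longer has a port forward behind it. The `split_horizon_mismatch` check is the quick test to run first: if every resolver returned the same address, which resolver the client prefers would not matter.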