KALIWERKSTATT / INCIDENT NOTE

Netskope, the new macOS, and a DNS failure that can take clients offline.

A fresh macOS rollout plus the Netskope client can turn into a very annoying combo when DNS resolution breaks. The visible symptom is simple: users suddenly cannot reach the internet. The root cause is not always simple. 

[laetitiaschmidt.local:2026-04-20 01:40:42.904 +02:00] t7b1b [info] socket_tools.cpp:370:getAddrForDestinationProto():0x0 Unable to resolve hostname gateway.npa.goskope.com port 443, errno 61 error 8 nodename nor servname provided, or not known
Observed impact Clients lose internet connectivity
Primary failure DNS lookup for gateway.npa.goskope.com fails
Likely scope Client-side DNS path or network path instability

What is happening?

The Netskope client needs to resolve service endpoints like gateway.npa.goskope.com over DNS before it can establish secure connectivity. If that hostname lookup fails, the client may be unable to bring up the required path, which can leave the machine effectively cut off from normal internet access.

In this case, the error strongly points to a name resolution problem, not immediately to a pure authentication or policy issue. That makes DNS the first thing to investigate.

Where the fault could be

  • Directly on the MacBook. The new macOS version may have changed resolver behavior, DNS priority, network extension handling, or local cache state in a way that collides with the Netskope client.
  • Packet loss or instability between client and DNS server. If DNS queries or responses are getting dropped, resolution becomes intermittent or fails completely.
  • Resolver configuration drift. A broken or unreachable DNS server, split DNS issue, VPN interaction, or stale network profile can all trigger this pattern.
Temporary workaround: manually switch the client to a different DNS server. If resolution starts working again immediately, that is a very strong indicator that the current DNS path is the real problem.

What to check next

  • Run name resolution tests for gateway.npa.goskope.com from the affected MacBook using the currently assigned DNS server.
  • Repeat the same test with a known-good public or corporate DNS server and compare results.
  • Inspect packet loss, latency, and retransmits between the MacBook and the DNS resolver.
  • Review macOS network extension behavior after the OS upgrade.
  • Flush DNS cache and re-check resolver order on the endpoint.