Lots and lots of "REFUSED unexpected RCODE"
I have a caching forwarder for a small home network, running bind-9.11.13-6.el8_2.1.x86_64 on CentOS 8.
I get about 1200 or so of these messages a day in my logs, with no particular time of day when they do or do not occur:
...
Nov 9 23:48:49 janus named[1050]: REFUSED unexpected RCODE resolving 'mesu.apple.com/TYPE65/IN': 208.67.222.222#53
Nov 9 23:48:49 janus named[1050]: REFUSED unexpected RCODE resolving 'gateway.fe.apple-dns.net/TYPE65/IN': 208.67.222.222#53
Nov 9 23:48:49 janus named[1050]: REFUSED unexpected RCODE resolving 'mesu.g.aaplimg.com/TYPE65/IN': 208.67.222.222#53
Nov 9 23:48:51 janus named[1050]: REFUSED unexpected RCODE resolving 'guzzoni-apple-com.v.aaplimg.com/TYPE65/IN': 208.67.222.222#53
Nov 9 23:49:06 janus named[1050]: REFUSED unexpected RCODE resolving 'pds.ess.apple.com/TYPE65/IN': 208.67.222.222#53
Nov 9 23:49:06 janus named[1050]: REFUSED unexpected RCODE resolving 'pds.ess-apple.com.akadns.net/TYPE65/IN': 208.67.222.222#53
Nov 9 23:50:00 janus named[1050]: REFUSED unexpected RCODE resolving 'f.ssl.fastly.net/TYPE65/IN': 208.67.222.222#53
Nov 9 23:51:46 janus named[1050]: REFUSED unexpected RCODE resolving 'www.camiocw.com/TYPE65/IN': 208.67.222.222#53
...
I suspect ALL of my queries to OpenDNS are failing. Can anyone suggest what is wrong?
Here is the forwarders section of my named.conf:
forward first;
forwarders {
1.1.1.1;
1.0.0.1;
208.67.222.222;
208.67.220.220;
};
allow-transfer { none; };
allow-query { 127.0.0.1; 192.168.10.0/24; };
allow-recursion { 127.0.0.1; 192.168.10.0/24; };
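As an added example (not from the original post or from OpenDNS), a small Python script that parses "unexpected RCODE" lines of the form shown above and reports, per upstream server, whether its refusals are confined to TYPE65 or also hit other record types, which is the quickest way to tell "all my OpenDNS queries fail" from "only HTTPS-record queries are refused". The sample log lines are constructed; the 10.0.0.53 upstream and the SERVFAIL line are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the shape of the named log above. The 1.1.1.1 SERVFAIL,
# the 10.0.0.53 upstream and the plain query line are hypothetical additions.
SAMPLE_LOG = """\
Nov 9 23:48:49 janus named[1050]: REFUSED unexpected RCODE resolving 'mesu.apple.com/TYPE65/IN': 208.67.222.222#53
Nov 9 23:48:49 janus named[1050]: REFUSED unexpected RCODE resolving 'gateway.fe.apple-dns.net/TYPE65/IN': 208.67.222.222#53
Nov 9 23:50:00 janus named[1050]: REFUSED unexpected RCODE resolving 'f.ssl.fastly.net/TYPE65/IN': 208.67.222.222#53
Nov 9 23:51:46 janus named[1050]: REFUSED unexpected RCODE resolving 'www.camiocw.com/TYPE65/IN': 208.67.220.220#53
Nov 9 23:52:10 janus named[1050]: SERVFAIL unexpected RCODE resolving 'example.net/A/IN': 1.1.1.1#53
Nov 9 23:52:30 janus named[1050]: REFUSED unexpected RCODE resolving 'example.org/A/IN': 10.0.0.53#53
Nov 9 23:52:31 janus named[1050]: client 192.168.10.5#51234: query: example.net IN A + (192.168.10.1)
"""

# Matches the "<RCODE> unexpected RCODE resolving '<name>/<type>/<class>': <server>#<port>" shape.
RCODE_RE = re.compile(
    r"named\[\d+\]: (?P<rcode>[A-Z]+) unexpected RCODE resolving "
    r"'(?P<name>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^']+)': "
    r"(?P<server>[0-9a-fA-F.:]+)#(?P<port>\d+)"
)


def parse_rcode_events(log_text):
    """Yield (rcode, qtype, server, name) for every 'unexpected RCODE' line; skip others."""
    for line in log_text.splitlines():
        m = RCODE_RE.search(line)
        if m:
            yield m["rcode"], m["qtype"], m["server"], m["name"]


def summarize(log_text):
    """Count unexpected-RCODE events per (server, qtype, rcode)."""
    return Counter((srv, qt, rc) for rc, qt, srv, _ in parse_rcode_events(log_text))


def classify_refusing_servers(log_text):
    """Split upstreams into those refusing only TYPE65 (the documented OpenDNS
    behaviour) and those also refusing other types, which deserves a closer look."""
    per_server = {}
    for rc, qt, srv, _ in parse_rcode_events(log_text):
        if rc == "REFUSED":
            per_server.setdefault(srv, set()).add(qt)
    type65_only = sorted(s for s, t in per_server.items() if t == {"TYPE65"})
    other = sorted(s for s, t in per_server.items() if t != {"TYPE65"})
    return type65_only, other


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(key, n)
    print(classify_refusing_servers(SAMPLE_LOG))
```

Run it against `journalctl -u named` output or /var/log/messages instead of the constructed sample to see the real per-server breakdown.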
-
This behavior is intended.
Encrypted resolvers designated by domain owners
The owner of a DNS zone will be able to designate a specific resolver to be used for resolving its zone. In iOS 14 and macOS 11, only DoH resolvers can be designated. This designation is made using a dedicated DNS record type (type 65, named “HTTPS”), and validated either by DNSSEC or well-known URIs. As such designations would result in queries bypassing OpenDNS, the OpenDNS resolvers return a REFUSED response for queries for the HTTPS DNS record type, meaning that such designations would not be discovered.
-
Ah, that explains it, thanks.
For anyone interested who's running ISC BIND, to avoid getting these errors in your logs you can disable the "lame-servers" category in the "logging" section of named.conf:
logging {
category lame-servers { null; };
...
};
This works fine for someone like me, who's running a forwarder and doesn't care about lame-server logging. If you do care, you could always direct the lame-servers category to a separate file with automatic history rollover.