Lots and lots of "REFUSED unexpected RCODE"

Comments

5 comments

  • jhg6308

    Ah, that explains it, thanks.

    For anyone interested who's running ISC bind, to avoid getting these errors in your logs you can disable the "lame-servers" category in the "logging" section of named.conf

    logging {
            category lame-servers { null; };
            // ... other channel and category statements unchanged
    };

    This works fine for someone like me, who's running a forwarder and doesn't care about lame-server logging.  If you do care you could always direct the lame-servers category to a separate file with automatic history rollover.

  • rotblitz (Edited)

    OpenDNS seems to refuse type 65 (https binding) queries. What do you need it for, i.e. what app in your network utilizes this record type?

    And no, all other query types seem to work, just not type 65.

    You may want to open a support ticket.

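As an added example (not part of either comment above, and not BIND's or OpenDNS's code), a small Python script that parses lame-servers log lines of the kind the thread title refers to and summarises them by RCODE, record type and upstream server, so you can confirm that the REFUSED entries really are all type 65 (HTTPS) queries before deciding to null the whole category. The log lines are constructed samples; the 208.67.x.x addresses are the well-known OpenDNS resolver addresses used only as sample values, and the line shape assumed is BIND 9's "<RCODE> unexpected RCODE resolving '<name>/<type>/<class>': <ip>#<port>".

```python
import re
from collections import Counter

# Constructed sample lines in BIND 9's lame-servers log format (not real log data).
# 208.67.222.222 / 208.67.220.220 are the well-known OpenDNS resolver addresses,
# used here purely as sample values.
SAMPLE_LOG = """\
29-Nov-2020 10:02:13.101 lame-servers: info: REFUSED unexpected RCODE resolving 'www.example.com/HTTPS/IN': 208.67.222.222#53
29-Nov-2020 10:02:13.104 lame-servers: info: REFUSED unexpected RCODE resolving 'www.example.com/HTTPS/IN': 208.67.220.220#53
29-Nov-2020 10:02:14.310 lame-servers: info: REFUSED unexpected RCODE resolving 'cdn.example.net/HTTPS/IN': 208.67.222.222#53
29-Nov-2020 10:02:15.002 lame-servers: info: SERVFAIL unexpected RCODE resolving 'broken.example.org/A/IN': 198.51.100.7#53
29-Nov-2020 10:02:16.777 general: info: some unrelated message
"""

# Assumed line shape: "<date> <time> lame-servers: <severity>: <RCODE> unexpected RCODE
# resolving '<name>/<type>/<class>': <server-ip>#<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) lame-servers: \w+: "
    r"(?P<rcode>[A-Z]+) unexpected RCODE resolving "
    r"'(?P<name>[^/']+)/(?P<rtype>[A-Z0-9]+)/(?P<rclass>[A-Z]+)': "
    r"(?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+)$"
)


def parse_lame_server_lines(text):
    """Return one dict per matching lame-servers line; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Aggregate by (RCODE, record type), by upstream server, and by query name,
    so it is obvious whether the noise is one record type against one resolver."""
    by_rcode_type = Counter((e["rcode"], e["rtype"]) for e in events)
    refused_by_server = Counter(e["server"] for e in events if e["rcode"] == "REFUSED")
    refused_names = Counter(e["name"] for e in events if e["rcode"] == "REFUSED")
    return {
        "by_rcode_type": dict(by_rcode_type),
        "refused_by_server": dict(refused_by_server),
        "refused_names": dict(refused_names),
    }


def only_https_refused(events):
    """True when every REFUSED line is for the HTTPS (type 65) record type, i.e. the
    pattern this thread describes; False if other types are also being refused."""
    refused = [e for e in events if e["rcode"] == "REFUSED"]
    return bool(refused) and all(e["rtype"] == "HTTPS" for e in refused)


if __name__ == "__main__":
    evs = parse_lame_server_lines(SAMPLE_LOG)
    for key, val in summarize(evs).items():
        print(key, val)
    print("all REFUSED are HTTPS:", only_https_refused(evs))
```

Run it against your own named log (read the file instead of SAMPLE_LOG). If only_https_refused comes back False, the category is carrying more than the type 65 noise, and routing lame-servers to its own rotated file, as the first comment suggests, is the safer choice over sending it to null.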
  • jhg6308

    Traced it to one host on my wireless network - an iPad Pro that was just updated from iOS 13.7 to iOS 14.2. 

    So it seems iOS 14 is issuing Type 65 (HTTPS) requests now.

    Does OpenDNS have any plans to support this RR type?

  • jhg6308

    I guess I should probably ask a separate question.

  • rotblitz

    This behavior is intended.

    From https://support.opendns.com/hc/en-us/articles/360049861971-DNS-Resolver-Selection-in-iOS-14-and-macOS-11

    Encrypted resolvers designated by domain owners
    The owner of a DNS zone will be able to designate a specific resolver to be used for resolving its zone. In iOS 14 and macOS 11, only DoH resolvers can be designated. This designation is made using a dedicated DNS record type (type 65, named “HTTPS”), and validated either by DNSSEC or well known URIs.

    As such designations would result in queries bypassing OpenDNS, the OpenDNS resolvers return a REFUSED response for queries for the HTTPS DNS record type, meaning that such designations would not be discovered.

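As an added example (not from the thread, BIND or OpenDNS), a standard-library Python script that builds a type 65 (HTTPS) query on the wire, constructs the kind of REFUSED reply a resolver with the policy quoted above would return, and decodes the header and question section so the RCODE/qtype pair behind a "REFUSED unexpected RCODE" line is visible. It uses no network; make_refused_reply is a constructed stand-in for the resolver's answer, not captured traffic, and only the question section is decoded (answer records and name compression are out of scope).

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
TYPES = {1: "A", 28: "AAAA", 65: "HTTPS"}
QTYPE_HTTPS = 65


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Decode an uncompressed name starting at offset; return (name, next offset).
    Only the question section is decoded here, and the first name in a message
    is never a compression pointer."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(name, qtype, txid=0x1234):
    """Standard query: header (RD set, one question) + question section, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_message(data):
    """Decode the header fields and the first question of a DNS message."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    qname, off = decode_name(data, 12)
    qtype, qclass = struct.unpack("!HH", data[off:off + 4])
    rcode = flags & 0x000F
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),
        "rcode": RCODES.get(rcode, str(rcode)),
        "qname": qname,
        "qtype": TYPES.get(qtype, str(qtype)),
        "answers": an,
    }


def make_refused_reply(query):
    """Constructed stand-in for a resolver's REFUSED answer (not captured traffic):
    echo the question, set QR and RA, keep RD, RCODE 5, no answer records."""
    txid, flags, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    flags = 0x8000 | 0x0080 | (flags & 0x0100) | 5
    return struct.pack("!HHHHHH", txid, flags, qd, 0, 0, 0) + query[12:]


def classify(query, reply):
    """'https-refused' for the pattern in this thread, 'mismatch' if the reply does
    not belong to the query, otherwise the reply's RCODE in lower case."""
    q, r = parse_message(query), parse_message(reply)
    if not r["is_response"] or r["id"] != q["id"] or r["qname"] != q["qname"]:
        return "mismatch"
    if r["rcode"] == "REFUSED" and r["qtype"] == "HTTPS":
        return "https-refused"
    return r["rcode"].lower()


if __name__ == "__main__":
    q = build_query("www.example.com", QTYPE_HTTPS)
    print(parse_message(make_refused_reply(q)))
    print(classify(q, make_refused_reply(q)))
```

The same parse_message call works on a real reply captured from the wire (for example the payload of a UDP datagram from your forwarder's upstream), which lets you check the RCODE and queried type directly rather than inferring them from the log text.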
