iOS 14 issuing Type 65 RR (HTTPS) requests, which OpenDNS does not handle.
After upgrading my iPad from iOS 13.7 to 14.2, I find my caching forwarder logs flooded with:
Nov 10 16:28:09 janus named[1050]: REFUSED unexpected RCODE resolving 'ocsp.g.aaplimg.com/TYPE65/IN': 208.67.222.222#53
Nov 10 16:28:09 janus named[1050]: REFUSED unexpected RCODE resolving 'ocsp.g.aaplimg.com/TYPE65/IN': 208.67.220.220#53
Nov 10 16:28:09 janus named[1050]: REFUSED unexpected RCODE resolving 'ocsp.g.aaplimg.com/TYPE65/IN': 208.67.222.222#53
At a rate of about 1000/day.
Does OpenDNS have any plans to support HTTPS RR requests? Other open DNS services return zero answers but don't cause an error to be logged.
-
This behavior is intended.
Encrypted resolvers designated by domain owners
The owner of a DNS zone will be able to designate a specific resolver to be used for resolving its zone. In iOS 14 and macOS 11, only DoH resolvers can be designated. This designation is made using a dedicated DNS record type (type 65, named “HTTPS”), and validated either by DNSSEC or well known URIs. As such designations would result in queries bypassing OpenDNS, the OpenDNS resolvers return a REFUSED response for queries for the HTTPS DNS record type, meaning that such designations would not be discovered.
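An added example, not part of the original thread and not OpenDNS or BIND code: a Python tally of the `named` "unexpected RCODE" lines quoted in the question, grouped by RCODE, query name, record type and upstream resolver, so the volume of refused TYPE65 (HTTPS) lookups on a forwarder can be measured. The function names and the last two sample lines are assumptions made for illustration.

```python
import re
from collections import Counter

# Matches lines of the form quoted in the question:
#   ... named[pid]: REFUSED unexpected RCODE resolving 'name/TYPE/CLASS': ip#port
LINE_RE = re.compile(
    r"named\[\d+\]: (?P<rcode>[A-Z]+) unexpected RCODE resolving "
    r"'(?P<qname>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^/']+)': "
    r"(?P<upstream>[0-9A-Fa-f.:]+)#\d+"
)

# A server that does not know a record type prints it in RFC 3597 form.
# Type 65 is HTTPS and type 64 is SVCB.
TYPE_ALIASES = {"TYPE65": "HTTPS", "TYPE64": "SVCB"}

# First three lines are copied from the question; the last two are constructed.
SAMPLE_LINES = [
    "Nov 10 16:28:09 janus named[1050]: REFUSED unexpected RCODE resolving 'ocsp.g.aaplimg.com/TYPE65/IN': 208.67.222.222#53",
    "Nov 10 16:28:09 janus named[1050]: REFUSED unexpected RCODE resolving 'ocsp.g.aaplimg.com/TYPE65/IN': 208.67.220.220#53",
    "Nov 10 16:28:09 janus named[1050]: REFUSED unexpected RCODE resolving 'ocsp.g.aaplimg.com/TYPE65/IN': 208.67.222.222#53",
    "Nov 10 16:28:10 janus named[1050]: SERVFAIL unexpected RCODE resolving 'example.test/A/IN': 208.67.222.222#53",
    "Nov 10 16:28:11 janus named[1050]: zone example.test/IN: loaded serial 1",
]

def tally_unexpected_rcodes(lines):
    """Count (rcode, qname, qtype, upstream) tuples; unrelated lines are skipped."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if m is None:
            continue
        qtype = TYPE_ALIASES.get(m["qtype"], m["qtype"])
        counts[(m["rcode"], m["qname"].lower(), qtype, m["upstream"])] += 1
    return counts

def refused_by_type(counts):
    """Collapse the tally to REFUSED totals per record type."""
    totals = Counter()
    for (rcode, _qname, qtype, _upstream), n in counts.items():
        if rcode == "REFUSED":
            totals[qtype] += n
    return totals

if __name__ == "__main__":
    tally = tally_unexpected_rcodes(SAMPLE_LINES)
    for key, n in tally.most_common():
        print(n, *key)
    print(dict(refused_by_type(tally)))
```
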