
iOS 14 issuing Type 65 RR (HTTPS) requests, which OpenDNS does not handle.

jhg6308
Level 1

After upgrading my iPad from iOS 13.7 to 14.2, I find my caching forwarder logs flooded with:

Nov 10 16:28:09 janus named[1050]: REFUSED unexpected RCODE resolving 'ocsp.g.aaplimg.com/TYPE65/IN': 208.67.222.222#53
Nov 10 16:28:09 janus named[1050]: REFUSED unexpected RCODE resolving 'ocsp.g.aaplimg.com/TYPE65/IN': 208.67.220.220#53
Nov 10 16:28:09 janus named[1050]: REFUSED unexpected RCODE resolving 'ocsp.g.aaplimg.com/TYPE65/IN': 208.67.222.222#53

At a rate of about 1000/day.

Does OpenDNS have any plans to support HTTPS RR requests?  Other open DNS services return zero answers but don't cause an error to be logged.

 

 


rotblitz
Level 6

Staff do not respond here. You must raise a support ticket, link “Submit a request” above.

Until then, you simply ignore these errors. They don’t seem to have any impact yet. Akamai have recently introduced this RR type, and iOS 14 utilizes it.

rotblitz
Level 6

This behavior is intended.

From https://support.opendns.com/hc/en-us/articles/360049861971-DNS-Resolver-Selection-in-iOS-14-and-macOS-11

Encrypted resolvers designated by domain owners
The owner of a DNS zone will be able to designate a specific resolver to be used for resolving its zone. In iOS 14 and macOS 11, only DoH resolvers can be designated. This designation is made using a dedicated DNS record type (type 65, named “HTTPS”), and validated either by DNSSEC or well known URIs.

As such designations would result in queries bypassing OpenDNS, the OpenDNS resolvers return a REFUSED response for queries for the HTTPS DNS record type, meaning that such designations would not be discovered.
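Added example, not part of any post in this thread: a small Python log triage that separates the REFUSED responses to type 65 queries (expected, per the OpenDNS article quoted above) from any other "unexpected RCODE" entries in a named log. The regular expression is modelled on the three log lines in the first post; the function names and the fourth sample line are constructed for illustration.

```python
import re
from collections import Counter

# First three lines are copied from the first post; the last one is constructed
# (documentation-range address) to show that other failures stay separate.
SAMPLE_LOG = """\
Nov 10 16:28:09 janus named[1050]: REFUSED unexpected RCODE resolving 'ocsp.g.aaplimg.com/TYPE65/IN': 208.67.222.222#53
Nov 10 16:28:09 janus named[1050]: REFUSED unexpected RCODE resolving 'ocsp.g.aaplimg.com/TYPE65/IN': 208.67.220.220#53
Nov 10 16:28:09 janus named[1050]: REFUSED unexpected RCODE resolving 'ocsp.g.aaplimg.com/TYPE65/IN': 208.67.222.222#53
Nov 10 16:30:00 janus named[1050]: SERVFAIL unexpected RCODE resolving 'example.test/A/IN': 192.0.2.53#53
"""

LINE_RE = re.compile(
    r"named\[\d+\]: (?P<rcode>[A-Z]+) unexpected RCODE resolving "
    r"'(?P<qname>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^/']+)': "
    r"(?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+)"
)

# named prints a record type it has no mnemonic for as TYPEnn, so type 65
# can show up under either spelling depending on the named version.
HTTPS_TYPES = {"TYPE65", "HTTPS"}


def parse(log_text):
    """Return one dict per 'unexpected RCODE' line; other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.search, log_text.splitlines()) if m]


def summarize_https_refusals(events):
    """Count REFUSED type 65 answers per upstream and per name.

    Anything else (other RCODEs or record types) is counted in `other`,
    since those entries are not explained by the resolver's HTTPS policy.
    """
    by_server, by_name, other = Counter(), Counter(), 0
    for e in events:
        if e["rcode"] == "REFUSED" and e["qtype"] in HTTPS_TYPES:
            by_server[e["server"]] += 1
            by_name[e["qname"]] += 1
        else:
            other += 1
    return by_server, by_name, other


if __name__ == "__main__":
    servers, names, other = summarize_https_refusals(parse(SAMPLE_LOG))
    print("REFUSED type 65 by upstream:", dict(servers))
    print("REFUSED type 65 by name:", dict(names))
    print("other unexpected RCODE lines:", other)
```
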