
Lots and lots of "REFUSED unexpected RCODE"

jhg6308
Level 1

I have a caching forwarder for a small home network, running bind-9.11.13-6.el8_2.1.x86_64 on CentOS 8.

I get about 1200 or so of these messages a day in my logs, with no particular time of day when they do or do not occur:

...
Nov  9 23:48:49 janus named[1050]: REFUSED unexpected RCODE resolving 'mesu.apple.com/TYPE65/IN': 208.67.222.222#53
Nov  9 23:48:49 janus named[1050]: REFUSED unexpected RCODE resolving 'gateway.fe.apple-dns.net/TYPE65/IN': 208.67.222.222#53
Nov  9 23:48:49 janus named[1050]: REFUSED unexpected RCODE resolving 'mesu.g.aaplimg.com/TYPE65/IN': 208.67.222.222#53
Nov  9 23:48:51 janus named[1050]: REFUSED unexpected RCODE resolving 'guzzoni-apple-com.v.aaplimg.com/TYPE65/IN': 208.67.222.222#53
Nov  9 23:49:06 janus named[1050]: REFUSED unexpected RCODE resolving 'pds.ess.apple.com/TYPE65/IN': 208.67.222.222#53
Nov  9 23:49:06 janus named[1050]: REFUSED unexpected RCODE resolving 'pds.ess-apple.com.akadns.net/TYPE65/IN': 208.67.222.222#53
Nov  9 23:50:00 janus named[1050]: REFUSED unexpected RCODE resolving 'f.ssl.fastly.net/TYPE65/IN': 208.67.222.222#53
Nov  9 23:51:46 janus named[1050]: REFUSED unexpected RCODE resolving 'www.camiocw.com/TYPE65/IN': 208.67.222.222#53
...

I suspect ALL of my queries to OpenDNS are failing.  Can anyone suggest what is wrong?

Here is the forwarders section of my named.conf:

    forward first;
    forwarders {
        1.1.1.1;
        1.0.0.1;
        208.67.222.222;
        208.67.220.220;
    };
    allow-transfer { none; };
    allow-query { 127.0.0.1; 192.168.10.0/24; };
    allow-recursion { 127.0.0.1; 192.168.10.0/24; };

5 Replies

rotblitz
Level 6

OpenDNS seems to refuse type 65 (https binding) queries. What do you need it for, i.e. what app in your network utilizes this record type?

And no, all other query types seem to work, just not type 65.

You may want to open a support ticket.

jhg6308
Level 1

Traced it to one host on my wireless network - an iPad Pro that was just updated from iOS 13.7 to iOS 14.2. 

So it seems iOS 14 is issuing Type 65 (HTTPS) requests now.

Does OpenDNS have any plans to support this RR type?

jhg6308
Level 1

I guess I should probably ask a separate question.

rotblitz
Level 6

This behavior is intended.

From https://support.opendns.com/hc/en-us/articles/360049861971-DNS-Resolver-Selection-in-iOS-14-and-macOS-11

Encrypted resolvers designated by domain owners
The owner of a DNS zone will be able to designate a specific resolver to be used for resolving its zone. In iOS 14 and macOS 11, only DoH resolvers can be designated. This designation is made using a dedicated DNS record type (type 65, named "HTTPS"), and validated either by DNSSEC or well known URIs.

As such designations would result in queries bypassing OpenDNS, the OpenDNS resolvers return a REFUSED response for queries for the HTTPS DNS record type, meaning that such designations would not be discovered.

jhg6308
Level 1

Ah, that explains it, thanks.

For anyone interested who's running ISC bind: to avoid getting these errors in your logs, you can disable the "lame-servers" category in the "logging" section of named.conf:

    logging {
        category lame-servers { null; };
    ...
    };

This works fine for someone like me, who's running a forwarder and doesn't care about lame-server logging. If you do care, you could always direct the lame-servers category to a separate file with automatic history rollover.
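Before sending the whole lame-servers category to null, it is worth confirming that the noise really is only TYPE65 (HTTPS) REFUSED answers from the OpenDNS addresses, as the thread concludes, and not other RCODEs from other forwarders hiding in the same category. The script below is an added example, not code from the thread or from ISC; it parses BIND "unexpected RCODE" lines of the format quoted above and breaks them down by RCODE, query type and upstream server. The sample log lines are constructed for the example (the SERVFAIL line is invented to show a non-TYPE65 case being kept separate).

```python
import re
from collections import Counter

# Constructed sample of BIND lame-servers lines, modelled on the thread's
# format. The SERVFAIL/A line is made up to show a non-TYPE65 event.
SAMPLE_LOG = """\
Nov  9 23:48:49 janus named[1050]: REFUSED unexpected RCODE resolving 'mesu.apple.com/TYPE65/IN': 208.67.222.222#53
Nov  9 23:48:49 janus named[1050]: REFUSED unexpected RCODE resolving 'gateway.fe.apple-dns.net/TYPE65/IN': 208.67.222.222#53
Nov  9 23:50:00 janus named[1050]: REFUSED unexpected RCODE resolving 'f.ssl.fastly.net/TYPE65/IN': 208.67.220.220#53
Nov  9 23:51:46 janus named[1050]: SERVFAIL unexpected RCODE resolving 'example.net/A/IN': 1.1.1.1#53
Nov  9 23:52:10 janus named[1050]: REFUSED unexpected RCODE resolving 'www.camiocw.com/TYPE65/IN': 208.67.222.222#53
"""

# Matches: named[PID]: RCODE unexpected RCODE resolving 'NAME/QTYPE/QCLASS': SERVER#PORT
LINE_RE = re.compile(
    r"named\[\d+\]: (?P<rcode>\w+) unexpected RCODE resolving "
    r"'(?P<name>[^/]+)/(?P<qtype>[^/]+)/(?P<qclass>[^']+)': "
    r"(?P<server>[\d.]+)#(?P<port>\d+)"
)

# BIND 9.11 prints the HTTPS type as TYPE65; newer releases print HTTPS.
HTTPS_QTYPES = {"TYPE65", "HTTPS"}


def parse_unexpected_rcode(log_text):
    """Yield one dict per 'unexpected RCODE' line; unrelated lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()


def summarize(log_text):
    """Count events per (rcode, qtype, upstream server) so the breakdown is visible."""
    return Counter((e["rcode"], e["qtype"], e["server"])
                   for e in parse_unexpected_rcode(log_text))


def only_type65_refused(log_text, servers):
    """True if the given upstreams produced REFUSED lines and every one of them
    was for the HTTPS record type, i.e. the pattern the thread describes."""
    events = [e for e in parse_unexpected_rcode(log_text)
              if e["server"] in servers and e["rcode"] == "REFUSED"]
    return bool(events) and all(e["qtype"] in HTTPS_QTYPES for e in events)


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:5d}  rcode={key[0]} qtype={key[1]} server={key[2]}")
    print("OpenDNS REFUSED only for TYPE65:",
          only_type65_refused(SAMPLE_LOG, {"208.67.222.222", "208.67.220.220"}))
```

Run it against your real log with `python3 script.py < /var/log/messages` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; if any upstream shows REFUSED for other query types, the category is telling you something and should go to its own file rather than null.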