Answers them?
The new HTTPS DNS record (type 65) is meant to become the new standard way of discovering HTTP protocol version and security features supported by the target server. It was introduced by Apple in iOS 14 and macOS 11.
This version of their OS also introduced native DoH and DoT support, system wide by profile (that we adopted on day one) and optionally on a per app basis when encrypted DNS is not enabled system wide.
The per domain DNS selection described by OpenDNS in this document is not documented by Apple (or it is very well hidden) and we never had any clue of such escape mechanism exploited in the wild if it existed. It is the only reference we could find of such DNS selection.
Our theory here is that OpenDNS implemented the wide blocking of HTTPS (type 65) DNS queries based on speculation at the time this version of the Apple OSs was about to be released. They probably never validated those speculations and left the block active.
We do block this query type on blocked domains the same way as other query types, but we do not block it for non-blocked traffic. Doing so would break the standard and potentially degrade performance and impede some future security features like ECH.
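As an added illustration (not part of the thread, and not code from any DNS provider it mentions), a small decoder for the RDATA of an HTTPS record, showing the ALPN and ECH parameters such a record carries and hence what a client stops learning when the whole record type is dropped. The record layout and SvcParam key numbers follow RFC 9460; the sample record bytes are constructed, and the ECH value is a placeholder blob rather than a real ECHConfigList.

```python
import struct
import ipaddress

SVCPARAM_KEYS = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port", 4: "ipv4hint", 5: "ech", 6: "ipv6hint"}

def read_name(data: bytes, pos: int):
    # Uncompressed wire-format name; compression pointers are not allowed in SVCB/HTTPS RDATA.
    labels = []
    while (length := data[pos]) != 0:
        if length >= 0xC0:
            raise ValueError("compression pointer in HTTPS RDATA")
        labels.append(data[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels) + ".", pos + 1

def decode_param(key: int, value: bytes):
    if key == 1:  # alpn: 1-byte-length-prefixed protocol ids, e.g. "h3", "h2"
        out, i = [], 0
        while i < len(value):
            out.append(value[i + 1:i + 1 + value[i]].decode("ascii"))
            i += 1 + value[i]
        return out
    if key == 3:  # port
        return struct.unpack("!H", value)[0]
    if key == 4:  # ipv4hint: concatenated 4-byte addresses
        return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, len(value), 4)]
    return value.hex() if value else True  # ech (ECHConfigList) and others stay opaque; empty value = flag

def decode_https_rdata(rdata: bytes) -> dict:
    priority = struct.unpack("!H", rdata[:2])[0]
    target, pos = read_name(rdata, 2)
    params, last_key = {}, -1
    while pos < len(rdata):
        key, length = struct.unpack("!HH", rdata[pos:pos + 4])
        if key <= last_key:  # RFC 9460 requires strictly ascending keys
            raise ValueError("SvcParamKeys not in ascending order")
        value = rdata[pos + 4:pos + 4 + length]
        if len(value) != length:
            raise ValueError("truncated SvcParam")
        params[SVCPARAM_KEYS.get(key, f"key{key}")] = decode_param(key, value)
        last_key, pos = key, pos + 4 + length
    return {"priority": priority, "target": target, "params": params}

# Constructed sample RDATA (not a real record): priority 1, target "." (same name),
# alpn h3/h2, ipv4hint 192.0.2.1, and a placeholder ECH blob that is not a real ECHConfigList.
SAMPLE_RDATA = (b"\x00\x01" + b"\x00"
                + b"\x00\x01\x00\x06" + b"\x02h3\x02h2"
                + b"\x00\x04\x00\x04" + bytes([192, 0, 2, 1])
                + b"\x00\x05\x00\x04" + b"\xde\xad\xbe\xef")
```

Calling decode_https_rdata(SAMPLE_RDATA) returns the priority, the target name and the decoded SvcParams as a dict.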