0

How does NextDNS handle type 65 requests?

Apparently "type 65" requests can by bypass configured DNS services.

OpenDNS blocks them.

How does NextDNS handle these requests?

4 replies

null
    • Calvin_Hobbes
    • 1 yr ago
    • Reported - view

    Answers them?

    • NextDNs
    • 1 yr ago
    • Reported - view

    The new HTTPS DNS record (type 65) is meant to become the new standard way of discovering  HTTP protocol version and security features supported by the target server. It was introduced by Apple in iOS 14 and macOS 11.

    This version of their OS also introduced native DoH and DoT support, system wide by profile (that we adopted on day one) and optionally on a per app basis when encrypted DNS is not enabled system wide.

    The per domain DNS selection described by OpenDNS in this document is not documented by Apple (or it us very well hidden) and we never had any clue of such escape mechanism exploited in the wild if it existed. It is only the only reference we could find of such DNS selection.

    Our theory here is that OpenDNS implemented the wide blocking of HTTPS(type 65) DNS queries based on speculation at the time this version of the Apple OSs was about to be released. They probably never validated those speculations and left the block active.

    We do block this query type on blocked domains the same way as other query types, but we not block it for non-blocked traffic. Doing so would break the standard and potentially degrade performance and impede some future security features like ECH.

      • iOS Developer
      • Rob
      • 1 yr ago
      • Reported - view

      I got curious after I saw this update to Diversion, a shell script for ad-blocking on my ASUS router (which I stopped using when I started using NextDNS):

      What's new in Diversion 4.3.1

      • Adds option to block type 65 queries in tb using iptables.

      iOS 14 and newer, as well as a growing number of apps or devices use the type 65 query.

      Dnsmasq currently has no option to suppress or specifically handle these types of queries and therefore circumvent Diversion ad-blocking.

      So it’s not smart to block them all?

      • NextDNs
      • 1 yr ago
      • Reported - view

      Rob it is not smart to block those queries on non-blocked domains. It would be similar to blindly blocking AAAA queries.

Content aside

  • 1 yr agoLast active
  • 4Replies
  • 1031Views
  • 3 Following