What is query[type=65479] in the logs?

Hi all,

I added a regex to block lists, but they still seem to be coming through. So I took a look at /var/log/pihole.log and found this:

Jun 25 17:51:06 dnsmasq[29440]: query[A] libs.outbrain.com from 192.168.1.203
Jun 25 17:51:06 dnsmasq[29440]: gravity blocked libs.outbrain.com is 0.0.0.0
Jun 25 17:51:06 dnsmasq[29440]: query[type=65479] libs.outbrain.com from 192.168.1.203
Jun 25 17:51:06 dnsmasq[29440]: forwarded libs.outbrain.com to 192.168.1.1

The regex is (\.|^)outbrain\.com$. It seems to be blocking the A query as expected, but then this odd type=65479 is let through? What does this type mean? I don't see it listed here:

https://en.wikipedia.org/wiki/List_of_DNS_record_types

I'm running:

$ pihole -v
  Pi-hole version is v5.0 (Latest: v5.0)
  AdminLTE version is v5.0 (Latest: v5.0)
  FTL version is v5.0 (Latest: v5.0)

Thanks,

-Dave

IANA has reserved RR type definitions in the range 0xFF00 through 0xFFFE as Reserved for Private Use (see RFC 6895). In addition, RFC 5226 details Private Use to mean both "the type and purpose defined by the local site".

As a type of 65479 would fall right into that range, it would seem that only outbrain.com would be able to answer your question.

With regards to your inquiry towards why this is not blocked when an A record is, I'd have to pass that question to the developers, as I am not aware how pihole-FTL deals with private use RR types.


Interesting. I've grabbed a packet trace with tcpdump and I suspect they are using this to bypass DNS blackholes like Pi-hole.

Here's the blocked lookup:

And here's the lookup using type=65479:

Seems like Pi-hole should at least have an option to block all DNS query types?

Who is "they"? Are these DNS queries originating from a browser or an app?

A browser. These come from articles on https://www.politico.com/ in Safari desktop. So presumably some JavaScript? Can JS even do custom DNS lookups?

I don't know. You can use developer mode (code inspector) to see the JavaScript that the site is loading.

I don't think this can be used to bypass Pi-hole blocking as this does not contain any valid information.

A query to images.outbrainimg.com with type=65479 results in three replies because CNAME replies are always sent:

Answer Records : 3 
CNAME images.outbrainimg.com ---> images.outbrain.org
CNAME images.outbrain.org ---> wildcard.outbrainimg.com.edgekey.net
CNAME wildcard.outbrainimg.com.edgekey.net ---> e15144.d.akamaiedge.net

However, there is no information contained that could be used to actually access this page (IP address).

This is caused by e15144.d.akamaiedge.net lacking any type=65479 records. Hence, I don't think this can be used to bypass Pi-hole. We block only a limited number of types where we know what the correct reply is to:

  • A
  • AAAA
  • ANY
  • SRV
  • SOA
  • PTR
  • TXT
  • NAPTR

However, I do not see any reason to not block the other types as well. We can just reply NOERROR with an empty answers section. Stay tuned...

This will add support for blocking all query types.
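
An added example, not part of the original thread and not Pi-hole's own code: a small check over pihole.log that lists names which were blocked for one query type but forwarded upstream for another, and marks numeric types in the Private Use range 0xFF00 to 0xFFFE. The function names are hypothetical, only the log message wordings quoted in this thread are matched, and each "forwarded" line is attributed to the most recent query line for the same name, which is a heuristic.

```python
import re

# First four lines are the log excerpt from the first post; the last two are constructed.
SAMPLE_LOG = """\
Jun 25 17:51:06 dnsmasq[29440]: query[A] libs.outbrain.com from 192.168.1.203
Jun 25 17:51:06 dnsmasq[29440]: gravity blocked libs.outbrain.com is 0.0.0.0
Jun 25 17:51:06 dnsmasq[29440]: query[type=65479] libs.outbrain.com from 192.168.1.203
Jun 25 17:51:06 dnsmasq[29440]: forwarded libs.outbrain.com to 192.168.1.1
Jun 25 17:51:07 dnsmasq[29440]: query[A] example.org from 192.168.1.50
Jun 25 17:51:07 dnsmasq[29440]: forwarded example.org to 192.168.1.1
"""

QUERY = re.compile(r"query\[(?P<qtype>[^\]]+)\] (?P<name>\S+) from (?P<client>\S+)")
BLOCKED = re.compile(r"blocked (?P<name>\S+) is ")
FORWARDED = re.compile(r"forwarded (?P<name>\S+) to ")


def private_use(qtype):
    """True if the logged type is numeric and within 0xFF00-0xFFFE (RFC 6895)."""
    m = re.fullmatch(r"type=(\d+)", qtype)
    return bool(m) and 0xFF00 <= int(m.group(1)) <= 0xFFFE


def forwarded_despite_block(log_text):
    """Return (name, qtype, client, is_private_use) for each forwarded query
    whose name was blocked for some query type elsewhere in the log."""
    blocked = set()
    last_query = {}  # name -> (qtype, client) from the most recent query line
    forwarded = []
    for line in log_text.splitlines():
        if m := QUERY.search(line):
            last_query[m["name"]] = (m["qtype"], m["client"])
        elif m := BLOCKED.search(line):
            blocked.add(m["name"])
        elif m := FORWARDED.search(line):
            if m["name"] in last_query:
                forwarded.append((m["name"], *last_query[m["name"]]))
    return [(n, t, c, private_use(t)) for n, t, c in forwarded if n in blocked]


if __name__ == "__main__":
    for name, qtype, client, private in forwarded_despite_block(SAMPLE_LOG):
        note = " (Private Use range)" if private else ""
        print(f"{name}: {qtype}{note} from {client} was forwarded although the name is blocked")
```
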

It turns out this was coming from a machine running a pre-release version of the upcoming macOS Big Sur:

https://developer.apple.com/macos/

As part of its Encrypted DNS adoption:

https://developer.apple.com/videos/play/wwdc2020/10047
https://developer.apple.com/videos/play/wwdc2020/10676

It is using new RR types for SVCB and HTTPS (née HTTPSSVC) for encrypted DNS discovery:

https://tools.ietf.org/html/draft-ietf-dnsop-svcb-https-00

This RFC, which is not yet a standard, is being worked on at GitHub at, and there's a document about prototype implementations:

https://github.com/MikeBishop/dns-alt-svc/blob/9a3311b91969b2aabb83f444a6fa74e9d640fcd0/httpssvc-implementations.md

Which mentions query type 65479:

At least one of these is using TYPE65479 so that may make sense to use for private testing until an assignment is made.

Note that wire format and behavior changes are still being made so HTTPSSVC should not be used for production purposes.

-Dave

Hey Dave,

thanks for your additional research. The PR has been merged so all-type blocking will come with Pi-hole v5.1.


Great, thank you!