What is query[type=65479] in the logs?

ddribin · June 25, 2020, 11:35pm

Hi all,

I added some a regex to block lists, but they still seem to be coming through. So I took a look at /var/log/pihole.log and found this:

Jun 25 17:51:06 dnsmasq[29440]: query[A] libs.outbrain.com from 192.168.1.203
Jun 25 17:51:06 dnsmasq[29440]: gravity blocked libs.outbrain.com is 0.0.0.0
Jun 25 17:51:06 dnsmasq[29440]: query[type=65479] libs.outbrain.com from 192.168.1.203
Jun 25 17:51:06 dnsmasq[29440]: forwarded libs.outbrain.com to 192.168.1.1

The regex is (\.|^)outbrain\.com$. It seems to be blocking the A query as expected, but then this odd type=65479 is let through? What does this type mean? I don't see it listed here:

List of DNS record types - Wikipedia

I'm running:

$ pihole -v
  Pi-hole version is v5.0 (Latest: v5.0)
  AdminLTE version is v5.0 (Latest: v5.0)
  FTL version is v5.0 (Latest: v5.0)

Thanks,

-Dave

Bucking_Horn · June 26, 2020, 7:27am

IANA has reserved RR type definitions in the range 0xFF00 through 0xFFFE as Reserved for Private Use (see RFC 6895). In addition, RFC 5226 details Private Use to mean both "the type and purpose defined by the local site".

As a type of 65479 would fall right into that range, it would seem that only outbrain.com would be able to answer your question.

With regards to your inquiry towards why this is not blocked when an A record is, I'd have to pass that question to the developers, as I am not aware how pihole-FTL deals with private use RR types.

ddribin · June 26, 2020, 3:29pm

Interesting. I've grabbed a packet trace with tcpdump and I suspect they they are using this to bypass DNS blackholes like Pi-hole.

Here's the blocked lookup:

And here's the lookup using type=65479:

Seems like Pi-hole should at least have an option to block all DNS query types?

jfb · June 26, 2020, 3:44pm

Who is "they"? Are these DNS queries originating from a browser or an app?

ddribin · June 26, 2020, 9:26pm

A browser. These come from articles on https://www.politico.com/ in Safari desktop. So presumably some JavaScript? Can JS even do custom DNS lookups?

jfb · June 26, 2020, 9:33pm

I don't know. You can use developer mode (code inspector) to see the Javascript that the site is loading.

DL6ER · June 28, 2020, 2:29pm

I don't think this can be used to bypass Pi-hole blocking as this does not contain any valid information.

A query to images.outbrainimg.com with type=65479 results in three replies because CNAME replies are always sent:

Answer Records : 3 
CNAME images.outbrainimg.com ---> images.outbrain.org
CNAME images.outbrain.org ---> wildcard.outbrainimg.com.edgekey.net
CNAME wildcard.outbrainimg.com.edgekey.net ---> e15144.d.akamaiedge.net

however, there is not information contained that could be used to actually access this page (IP address).

This is caused by e15144.d.akamaiedge.net lacking any type=65479 records. Hence, I don't think this can be used to bypass Pi-hole. We block only a limited number of types where we know what the correct reply is to:

A
AAAA
ANY
SRV
SOA
PTR
TXT
NAPTR

However, I do not see any reason to not block the other types as well. We can just reply NOERROR with an empty answers section. Stay tuned...

DL6ER · June 28, 2020, 6:11pm

github.com/pi-hole/FTL

Add support for additional query types

pi-hole:development ← pi-hole:new/more_query_types

opened 06:04PM - 28 Jun 20 UTC

DL6ER

+68 -36

**By submitting this pull request, I confirm the following:** - [X] I have re…ad and understood the [contributors guide](https://github.com/pi-hole/pi-hole/blob/master/CONTRIBUTING.md). - [X] I have checked that [another pull request](https://github.com/pi-hole/FTL/pulls) for this purpose does not exist. - [X] I have considered, and confirmed that this submission will be valuable to others. - [X] I accept that this submission may not be used, and the pull request closed at the will of the maintainer. - [X] I give this submission freely, and claim no ownership to its content. **How familiar are you with the codebase?:** ## 10 --- Add support for additional query types. This also implements support for blocking for **all** query types instead of the subset we supported blocking for in v5.0 We already supported: - `A`, - `AAAA`, - `ANY`, - `SRV`, - `SOA`, - `PTR`, - `TXT`, - `NAPTR` New: - `MX`, - `DS`, - `RRSIG`, - `DNSKEY`, and - `OTHER` (summing up all other possible DNS types)

This will add support for blocking all query types.

ddribin · June 29, 2020, 7:08pm

It turns out this was coming from a machine running a pre-release version of the upcoming macOS Big Sur:

macOS 14 - Apple Developer

As part if its Encrypted DNS adoption:

Enable encrypted DNS - WWDC20 - Videos - Apple Developer
Build trust through better privacy - WWDC20 - Videos - Apple Developer

It is using new RR types for SVCB and HTTPS (née HTTPSSVC) for encrypted DNS discovery:

draft-ietf-dnsop-svcb-https-00

This RFC, which is not yet a standard, is being worked on at GitHub at, and there's a document about prototype implementations:

dns-alt-svc/httpssvc-implementations.md at 9a3311b91969b2aabb83f444a6fa74e9d640fcd0 · MikeBishop/dns-alt-svc · GitHub

Which mentions query type 65479:

At least one of these is using TYPE65479 so that may make sense to use for private testing until a assignment is made.

Note that wire format and behavior changes are still being made so HTTPSSVC should not be used for production purposes.

-Dave

DL6ER · June 29, 2020, 7:25pm

Hey Dave,

thanks for your additional research. The PR has been merged so all-type blocking will come with Pi-hole v5.1.

ddribin · June 29, 2020, 7:38pm

Great, thank you!

system · July 20, 2020, 7:38pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.