[sdnog] DNS type46 & type65 problems

Samir Abdullatif samir.s.omer at hotmail.com
Thu Mar 24 13:35:02 SAST 2022


Hi Sdnoggers

I wanted to share one of the DNS problems which is "relatively new"; however, I'm starting to see it more in my line of work.

With the release of iOS 14 and macOS 11, Apple devices started sending DNS requests as encrypted SVCB HTTPS requests (also known as type64 & type65). Since it's a relatively new feature, not all of the internet (and specifically the DNS ecosystem) is aware of these capabilities, which can lead to problems in some scenarios.

Scenario 1
You are managing a recursive DNS which is not configured for, or does not support, type64/type65 requests. In this scenario your users using Apple products will face a slight degradation in the service, since the type64/65 request will fail and the device will then send another request, but this time it will use an A and/or AAAA record. So for each resource it has to send two DNS requests. Another point to consider is that if you are doing any sort of DNS filtering or "safe browsing", this also might not work, as your DNS server will fail to understand the type64/type65 and will forward it, bypassing your filtering.

Scenario 2
Type64/type65 is enabled on the recursive DNS, but the authoritative DNS is misconfigured and/or cannot respond to type64/type65 requests with either NXRRSET (or even NXDOMAIN); instead it silently drops the requests. This will result in the recursive DNS retrying multiple times to query the non-responding authoritative server before finally replying to the user with SERVFAIL, and depending on your configuration it might potentially blacklist the authoritative server IP for a given duration.

So if you are a DNS admin managing an authoritative DNS, make sure to configure your server to respond to these new types if possible.

For those interested in learning more, the article below covers the topic:
https://community.akamai.com/customers/s/article/NetworkOperatorCommunityNewSVCBHTTPSResourceRecordsinthewild20201128135350?language=en_US

--
Samir
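As an added illustration of the two scenarios above (this is example code written for this page, not something from the original post or from any DNS vendor), the script below builds a raw type 65 (HTTPS) query on the wire, and classifies what an authoritative server sends back: an answer, NOERROR with no data (the NXRRSET case), NXDOMAIN, or nothing at all. The "nothing at all" outcome is the silent drop from Scenario 2 that makes a recursive resolver retry and eventually return SERVFAIL. Everything except `probe()` runs offline against constructed responses; `probe()` is the optional live check and assumes a plain UDP/53 path to the server you name. The server address, the `example.com` name and the transaction ids are assumed sample values.

```python
import random
import socket
import struct

# RR type codes as assigned by IANA.
TYPE_A = 1
TYPE_AAAA = 28
TYPE_SVCB = 64
TYPE_HTTPS = 65

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """Encode a dotted name into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int, txid: int = None, rd: bool = False) -> bytes:
    """Build a one-question DNS query. RD is left clear when asking an
    authoritative server directly; set rd=True to ask a recursive resolver."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def make_response(txid: int, rcode: int, ancount: int, name: str, qtype: int) -> bytes:
    """Constructed sample response (header + echoed question only), used so
    the classifier can be exercised without a network. Flags: QR and AA set."""
    flags = 0x8400 | (rcode & 0xF)
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def classify(response: bytes, expected_txid: int) -> str:
    """Turn a raw response (or None for a timeout) into the outcome a
    recursive resolver would see for the queried type."""
    if response is None:
        return "DROPPED"          # Scenario 2: silent drop -> retries -> SERVFAIL
    if len(response) < 12:
        return "MALFORMED"
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if txid != expected_txid:
        return "ID_MISMATCH"      # not our answer; treat as unanswered
    rcode = flags & 0xF
    if rcode == 0:
        return "ANSWER" if ancount > 0 else "NODATA"   # NODATA == NXRRSET
    return RCODE_NAMES.get(rcode, f"RCODE{rcode}")


def is_acceptable(outcome: str) -> bool:
    """An authoritative server is fine for a type if it answers, or says
    NOERROR/NODATA or NXDOMAIN; the client then falls back to A/AAAA cleanly."""
    return outcome in ("ANSWER", "NODATA", "NXDOMAIN")


def probe(server: str, name: str, qtype: int = TYPE_HTTPS, timeout: float = 2.0) -> str:
    """Live check over UDP/53 (assumed reachable). Returns a classify() outcome."""
    txid = random.randint(0, 0xFFFF)
    query = build_query(name, qtype, txid=txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            data = None
    return classify(data, txid)


if __name__ == "__main__":
    # Offline demonstration with constructed responses for an assumed zone.
    q = build_query("example.com", TYPE_HTTPS, txid=0x1234)
    print("query bytes:", q.hex())
    for label, resp in [
        ("answer", make_response(0x1234, 0, 1, "example.com", TYPE_HTTPS)),
        ("nodata", make_response(0x1234, 0, 0, "example.com", TYPE_HTTPS)),
        ("nxdomain", make_response(0x1234, 3, 0, "example.com", TYPE_HTTPS)),
        ("timeout", None),
    ]:
        outcome = classify(resp, 0x1234)
        print(f"{label:9s} -> {outcome:12s} acceptable={is_acceptable(outcome)}")
    # To run the live check against your own authoritative server (assumed address):
    # print(probe("192.0.2.53", "example.com", TYPE_HTTPS))
```

Run it against each of your authoritative servers with `probe()` for both type 64 and type 65; any `DROPPED` result is the Scenario 2 condition described above, and `NODATA` or `NXDOMAIN` is the correct behaviour for a zone that has no such records.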