DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

'Unknown DNS query type' meaning in firewall syslog

  • craigski
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
06 Jan 2022 12:30 #100366 by craigski
'Unknown DNS query type' meaning in firewall syslog was created by craigski
Just curious:

I'm seeing following in firewall syslog on a 2927 running 4.3.2, I don't understand what a 'Unknown DNS query type' means?

Code:
2022-01-06 12:17:09 [Pass][Unknown DNS query type][Hostname=play.itunes.apple.com] 2022-01-06 12:11:53 [Pass][Unknown DNS query type][Hostname=gateway.icloud.com] 2022-01-06 12:01:58 [Pass][Unknown DNS query type][Hostname=init-p01md.apple.com] 2022-01-06 11:53:33 [Pass][Unknown DNS query type][Hostname=configuration.apple.com.akadns.net]


The 2927 is running default data filter rule, no additional rules added.

Please Log in or Create an account to join the conversation.

More
06 Jan 2022 21:14 #100371 by hornbyp
Replied by hornbyp on topic Re: 'Unknown DNS query type' meaning in firewall syslog
I suppose you could say, that if the 'caching proxy' in the 2927 has really seen a DNS query of type "Hostname", then it's true, it is "unknown" :wink: .

(S/be something like: A,CNAME,MX,NS,PTR etc.)

The questions would then be, what had issued such a query? and why does the 2927 feel the need to log it?

(If it's a Firewall condition, then which rule triggered it - that information is (unusually) absent from the syslog data)

Please Log in or Create an account to join the conversation.

More
07 Jan 2022 08:22 #100376 by piste basher
Replied by piste basher on topic Re: 'Unknown DNS query type' meaning in firewall syslog
Upon reading this post I turned on the "Firewall" option in my Syslog (2927ac)

The log is full of entries such as [Pass][Unknown DNS query type][Hostname=update.qnap.com] , [Pass][Unknown DNS query type][Hostname=itunes-cdn.itunes-apple.com.akadns.net] etc etc etc

There are no entries other than these.

It's a mystery to me :?

Please Log in or Create an account to join the conversation.

More
07 Jan 2022 15:12 #100381 by hornbyp
Replied by hornbyp on topic Re: 'Unknown DNS query type' meaning in firewall syslog
Time for a spot of Wireshark'ing then :D

Please Log in or Create an account to join the conversation.

  • craigski
  • Topic Author
  • Offline
  • Junior Member
  • Junior Member
More
07 Jan 2022 15:18 #100382 by craigski
Replied by craigski on topic Re: 'Unknown DNS query type' meaning in firewall syslog
The syslog is not showing the source IP, but it seems as they are mostly apple.com domains, the DNS requests are from an apple device.

Maybe I will open a ticket if no one on here knows, and report back.

Please Log in or Create an account to join the conversation.

More
08 Jan 2022 09:14 #100393 by piste basher
Replied by piste basher on topic Re: 'Unknown DNS query type' meaning in firewall syslog
Whilst many of mine are Apple domains, I have attributed that simply to the fact that I have 6 Apple devices that are "phoning home" and are effectively on all the time.

Amongst the others are Kaspersky, Alexa/amazon, Qnap, time.windows.com etc.

There are also quite a few with no domain at all - [Pass][Unknown DNS query type][Hostname=]

A quick Google spotted two other users, one Dutch and one Greek, reporting the same thing on various Draytek routers, but with no explanation.

Is the fact that there are never any entries for "Known DNS query type" a clue?

Or, to put it another way, how is it even possible for an "Unknown DNS query type" to exist? As I understand it there are only 2 or 3 types of DNS query. What type of query is an "unknown unknown" to the firewall?

Please Log in or Create an account to join the conversation.

Moderators: ChrisSami