Flood of type 65 requests on LAN


  • Flood of type 65 requests on LAN

    Hi,
    We're seeing a flood of log entries like these: RequestQueue.add, Blocked request type! domain = shftr.adnxs.net, type = 65, ip = 192.168.1.36. - on several clients on our LAN pool. Some sites, even with their domain whitelisted, don't load on Windows clients (client OS >= Win8). What can be done to permit access?
    Thanks,

    Renato

  • #2
    It's blocked by NxFilter itself. It's an Apple feature. These devices attempt to bypass DNS filtering by using type 65, which essentially performs site-by-site DNS over HTTPS. Therefore, it should be blocked; otherwise, Apple devices could bypass your filtering.

    Maybe they didn’t consider the consequences of their actions. They probably just thought, “DoH is a new technology, and we implemented it first in the world,” without thinking about the problems it could cause for DNS filtering.

    I think we read somewhere that the appropriate response is to answer with a REFUSED code if you don't want them to bypass the filtering. So, NxFilter now responds with REFUSED.

    Do you see any actual problem with this, aside from the large number of log messages for blocked type 65 queries?

    Perhaps you should update it. In the newer version, it refuses these requests instead of blocking them.



    • rsalles commented
      "Do you see any actual problem with this, aside from the large number of log messages for blocked type 65 queries?" Yes, actually there is. The machines involved are bare-bones clients running Windows 8 or newer and 2 Proxmox VMs running Debian 12 desktop, so no Apple devices are involved, and all of them have DoH disabled in their browsers (Firefox and Chrome). All I get is a blank page... The NxFilter version is 4.7.0.7; no update is available at this time.
      Last edited by rsalles; 10-19-2024, 08:40 PM. Reason: inform version

  • #3
    Never heard of Windows sending type 65 queries. And the log message doesn't look like it's from system blocking. Do you have something in 'DNS > Server Protection > Request Type Control'?



    • #4
      root@nxfilter:~# tail -f /nxfilter/log/nxfilter.log | grep "type = 65"
      INFO [10-19 21:39:31] - RequestQueue.add, Blocked request type! domain = optimizationguide-pa.googleapis.com, type = 65, ip = 192.168.1.27.
      INFO [10-19 21:39:34] - RequestQueue.add, Blocked request type! domain = safebrowsing.googleapis.com, type = 65, ip = 192.168.1.13.
      INFO [10-19 21:40:16] - RequestQueue.add, Blocked request type! domain = clientservices.googleapis.com, type = 65, ip = 192.168.1.150.
      INFO [10-19 21:40:21] - RequestQueue.add, Blocked request type! domain = update.googleapis.com, type = 65, ip = 192.168.1.27.
      INFO [10-19 21:40:38] - RequestQueue.add, Blocked request type! domain = safebrowsing.googleapis.com, type = 65, ip = 192.168.1.27.
      INFO [10-19 21:41:08] - RequestQueue.add, Blocked request type! domain = api-plugin-v1.zoom.com.br, type = 65, ip = 192.168.1.14.
      INFO [10-19 21:41:08] - RequestQueue.add, Blocked request type! domain = api-plugin-v1.zoom.com.br, type = 65, ip = 192.168.1.14.
      INFO [10-19 21:41:10] - RequestQueue.add, Blocked request type! domain = dns.google, type = 65, ip = 192.168.1.150.
      INFO [10-19 21:41:24] - RequestQueue.add, Blocked request type! domain = suporte.dominioatendimento.com, type = 65, ip = 192.168.1.36.
      INFO [10-19 21:41:24] - RequestQueue.add, Blocked request type! domain = suporte.dominioatendimento.com, type = 65, ip = 192.168.1.36.
      INFO [10-19 21:41:34] - RequestQueue.add, Blocked request type! domain = gc.kis.v2.scr.kaspersky-labs.com, type = 65, ip = 192.168.1.27.
      INFO [10-19 21:41:34] - RequestQueue.add, Blocked request type! domain = gc.kis.v2.scr.kaspersky-labs.com, type = 65, ip = 192.168.1.27.
      INFO [10-19 21:49:09] - RequestQueue.add, Blocked request type! domain = www.receita.fazenda.gov.br, type = 65, ip = 192.168.1.27.
      --------------------------------------

      Hi,
      Thank you for your time,

      Same request type, several IPs on the LAN, only Windows and Debian desktop clients.

      This page, for ex., doesn't load on any host connected to NxFilter: http://www.cdw.fazenda.pr.gov.br/cdw/

      We don't have a public IP at this location, as our servers are hosted on AWS, so we don't need it. That's why I doubt a DNS attack would possibly be involved.

      Thanks,

      Renato




      • #5
        So, did you check with Request Type Control on your GUI?

        If it's from the blocking by NxFilter default settings, you should get a message like 'RHr, REFUESD to Type 65, ..'.



        • rsalles commented
          Request types allowed at this moment: 1,28,5,6,12,2,15
          I tested adding 65 with no difference whatsoever, so I reverted.

      • #6
        Did you test NxFilter with Nslookup or Dig? Type 65 queries are not important for web browsing. You just need A type queries answered. Try Nslookup against NxFilter.

        Code:
        nslookup google.com nxfilter-ip
        Last edited by support200; 10-20-2024, 02:34 AM.



        • rsalles commented
          root@zeus:/var/log/named# nslookup google.com 192.168.1.172
          Server: 192.168.1.172
          Address: 192.168.1.172#53

          Non-authoritative answer:
          Name: google.com
          Address: 172.217.30.46
          Name: google.com
          Address: 2800:3f0:4001:837::200e

          With dig -t SOA, NS or A the results are also OK.
          Last edited by rsalles; 10-20-2024, 02:35 AM. Reason: adding info

      • #7
        When you allow some DNS types in Request Type Control, other types will be blocked and you get that block message.

        However, you don't need that type for using the internet. And Windows doesn't send that type of query. I tried to find some info about the type on Google but it's only about Apple devices.

        Even if you allow type 65 there, it will be blocked by NxFilter in another processing step.



        • support200 commented
          But the blocking method is a bit different. We answer it with REFUSED code. You can try to allow it.

      • #8
        On your PC, can you access google.com then?



        • #9
          What was your problem exactly?

          1. Some of your PCs can't use the internet. They can't even load google.com on their browsers.

          2. All of your PCs can't use certain websites.

          3. Some of your PCs can't use certain websites.

          Which one is yours?



          • rsalles commented
            Some pages don't load in any browser on any host, even if whitelisted and belonging to a category allowed by policy.
            If I bypass NxFilter using another DNS server, these pages load without problem.
            I'll investigate further during the week and come back later,

            Regards,

            Renato

          • support200 commented
            You could try to search your request log on 'Logging > Request' to see if there's any log related to the blocked domain. You can also monitor the /nxfilter/log/nxfilter.log file using 'tail -F filename' to see if anything is blocked when you try to access the page. And you can try Nslookup on the domain from the PC on which the problem is happening.
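
The log check suggested in the thread, as an added example that is not part of any post and is not NxFilter code: it rejoins wrapped lines in the format quoted in post #4 and counts blocked type 65 requests per client and per domain. The sample lines, their addresses and the set of level prefixes are constructed assumptions.

```python
import re
from collections import Counter

# Shape of the "Blocked request type!" lines quoted in the thread.
ENTRY = re.compile(
    r"Blocked request type!\s*domain\s*=\s*(?P<domain>[^,\s]+),\s*"
    r"type\s*=\s*(?P<qtype>\d+),\s*ip\s*=\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\."
)
LEVEL = re.compile(r"^(INFO|WARN|ERROR|DEBUG) \[")  # assumed level prefixes


def unwrap(lines):
    """Rejoin entries that a terminal or forum paste split across lines."""
    entry = ""
    for raw in lines:
        line = raw.strip()
        if LEVEL.match(line) and entry:
            yield entry
            entry = ""
        entry += line
    if entry:
        yield entry


def summarize(lines, qtype=65):
    """Count blocked queries of one record type per client and per domain."""
    clients, domains = Counter(), Counter()
    for entry in unwrap(lines):
        m = ENTRY.search(entry)
        if m and int(m["qtype"]) == qtype:
            clients[m["ip"]] += 1
            domains[m["domain"]] += 1
    return clients, domains


# Constructed sample (documentation addresses); two entries are wrapped mid-line.
SAMPLE = """\
INFO [10-19 21:39:31] - RequestQueue.add, Blocked request type! domain = a.example.com, type = 65,
ip = 192.0.2.27.
INFO [10-19 21:39:34] - RequestQueue.add, Blocked request type! domain = b.example.com, type = 65, ip = 19
2.0.2.13.
INFO [10-19 21:40:21] - RequestQueue.add, Blocked request type! domain = a.example.com, type = 65, ip = 192.0.2.27.
INFO [10-19 21:40:25] - RequestQueue.add, Blocked request type! domain = c.example.com, type = 16, ip = 192.0.2.13.
""".splitlines()

if __name__ == "__main__":
    for counter in summarize(SAMPLE):
        print(counter.most_common())
```

To run it against a live log, pass an open file object for /nxfilter/log/nxfilter.log to `summarize` in place of `SAMPLE`.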