I have a found a few older posts on this topic but no real firm answer.

We have an internal Windows DNS server using 9.9.9.9 and 8.8.8.8 for forwarders and I have create two firewall rules, one to allow all DNS traffic (TCP&UPD 53) to these IP's and one to block everything else on TCP&UDP 53. I have enabled syslog only on the block rule (not on allow rule) but whilst monitoring the syslog I keep getting [Pass][Unknown DNS query type] entries? Any ideas?



Router is v3910 on firmware 3.9.6.3

I don't have an answer to this, except to say I see the same on my 2860 router. I use a Pi-Hole for my DNS and, much like you, have blocked all port 53 outgoing except for requests originated by the Pi-Hole [Android devices in particular seem to think it is their divine right to phone home and use 8.8.8.8 or 8.8.4.4 for DNS!].
Periodically it seems that a perfectly legitimate DNS request gets 'logged' exactly as you indicate. I can't say what triggers this as the router seems to sniff all DNS requests that pass through (as can be seen in web syslog type 'User') but for some reason certain domain names seem to appear more than others in the syslog [Pass][Unknown DNS query type].