Just curious:

I'm seeing following in firewall syslog on a 2927 running 4.3.2, I don't understand what a 'Unknown DNS query type' means?

Code:

2022-01-06 12:17:09 [Pass][Unknown DNS query type][Hostname=play.itunes.apple.com] 2022-01-06 12:11:53 [Pass][Unknown DNS query type][Hostname=gateway.icloud.com] 2022-01-06 12:01:58 [Pass][Unknown DNS query type][Hostname=init-p01md.apple.com] 2022-01-06 11:53:33 [Pass][Unknown DNS query type][Hostname=configuration.apple.com.akadns.net]

The 2927 is running default data filter rule, no additional rules added.

I suppose you could say, that if the 'caching proxy' in the 2927 has really seen a DNS query of type "Hostname", then it's true, it is "unknown" :wink: .

(S/be something like: A,CNAME,MX,NS,PTR etc.)

The questions would then be, what had issued such a query? and why does the 2927 feel the need to log it?

(If it's a Firewall condition, then which rule triggered it - that information is (unusually) absent from the syslog data)

Upon reading this post I turned on the "Firewall" option in my Syslog (2927ac)

The log is full of entries such as [Pass][Unknown DNS query type][Hostname=update.qnap.com] , [Pass][Unknown DNS query type][Hostname=itunes-cdn.itunes-apple.com.akadns.net] etc etc etc

There are no entries other than these.

It's a mystery to me :?

Time for a spot of Wireshark'ing then

The syslog is not showing the source IP, but it seems as they are mostly apple.com domains, the DNS requests are from an apple device.

Maybe I will open a ticket if no one on here knows, and report back.

Whilst many of mine are Apple domains, I have attributed that simply to the fact that I have 6 Apple devices that are "phoning home" and are effectively on all the time.

Amongst the others are Kaspersky, Alexa/amazon, Qnap, time.windows.com etc.

There are also quite a few with no domain at all - [Pass][Unknown DNS query type][Hostname=]

A quick Google spotted two other users, one Dutch and one Greek, reporting the same thing on various Draytek routers, but with no explanation.

Is the fact that there are never any entries for "Known DNS query type" a clue?

Or, to put it another way, how is it even possible for an "Unknown DNS query type" to exist? As I understand it there are only 2 or 3 types of DNS query. What type of query is an "unknown unknown" to the firewall?