About DNS Resource Record type 65 (SVCB HTTPS)

The IETF has drafted a proposed standard in the Domain Name System for Service binding and parameter specification via the DNS (DNS SVCB and HTTPS RRs).

Apple has used this feature since iOS 14, for sites and services that already use it, to speed up initial connections to HTTPS-based sites and services.

An unintended consequence is that this approach bypasses DNS-based filtering.

In order to keep DNS filtering leakproof, Type 65 queries are simply answered with an empty reply. If and when this becomes a finalized standard, we will investigate adding this feature, provided it can keep adam:ONE® DNS filtering leakproof.

At a terminal behind adam:ONE®, if you run dig -t TYPE65 www.apple.com, you will see an empty reply, and in the Rule Applied column of your live log:

System | HTTPS (type 65) is a draft RFC query that is not yet standardized

If you’re troubleshooting using the live log, you will commonly observe these entries coming from iOS 14+ devices.
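To confirm the empty reply from a script rather than by reading dig output, the following added example (not adam:ONE® code) builds the type 65 query in DNS wire format and reports whether a resolver's reply matches the query and carries zero answer records. The function names, the constructed sample replies, and the reading of "empty reply" as a matching response with an answer count of 0 are assumptions made for this example.

```python
import socket
import struct
import sys

HTTPS_TYPE = 65  # RR type 65 (HTTPS), the query type discussed above

def build_query(name, qtype=HTTPS_TYPE, txid=0x1A2B):
    """Encode a one-question DNS query (recursion desired) in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def summarize_reply(query, reply):
    """Check that reply answers query and report whether it carries no answers."""
    if len(reply) < 12:
        raise ValueError("reply shorter than a DNS header")
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", reply[:12])
    question = query[12:]
    matches = (bool(flags & 0x8000)                           # QR bit: a response
               and txid == struct.unpack("!H", query[:2])[0]  # same transaction id
               and qdcount == 1
               and reply[12:12 + len(question)] == question)  # question echoed back
    return {"matches_query": matches, "rcode": flags & 0x000F,
            "answers": ancount, "empty": matches and ancount == 0}

def ask(server, name, timeout=3.0):
    """Send the type 65 query to a resolver over UDP and summarize its reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        reply, _ = s.recvfrom(4096)
    return summarize_reply(query, reply)

# Constructed sample replies (not captured traffic) for www.apple.com, type 65.
SAMPLE_QUERY = build_query("www.apple.com")
_QUESTION = SAMPLE_QUERY[12:]
# Filtered case: a response with zero answers and the question echoed.
SAMPLE_EMPTY = struct.pack("!HHHHHH", 0x1A2B, 0x8180, 1, 0, 0, 0) + _QUESTION
# Unfiltered case: one HTTPS RR (priority 1, target ".", no SvcParams).
SAMPLE_ANSWERED = (struct.pack("!HHHHHH", 0x1A2B, 0x8180, 1, 1, 0, 0) + _QUESTION
                   + b"\xc0\x0c" + struct.pack("!HHIH", HTTPS_TYPE, 1, 300, 3)
                   + b"\x00\x01\x00")

if __name__ == "__main__":
    # Usage: python script.py <resolver-ip> [name]
    print(ask(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "www.apple.com"))
```

A reply with "answers" greater than 0 from a resolver that should be filtering means type 65 records are reaching clients.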