1.0.0.1 OK but high % of queries to 1.1.1.1 fail

I’m in the UK, with two ISPs (Zen and Virgin) behind an EdgeRouter doing load balancing, and both ipv6 and ipv4 enabled. (Ipv6 only goes out over Zen)

Previous setup was with Google v4 and v6 DNS servers. When I substitute Cloudflare I get a large % of queries failing on 1.1.1.1 (e.g. as tested by namebench) but 1.0.0.1, whilst slowish is working OK.

Attempts at investigating so far:

  1. Both consistently pingable
  2. Traceroutes look quite different
  3. dig @ 1.1.1.1sometimes fails, while dig @ 1.0.0.1 is consistent.
  4. When I do dig -c CH -t txt id.server +short @1.1.1.1 I get “lhr01” (when I get a response at all) but dig -c CH -t txt id.server +short @1.0.0.1 consistently gives “man01”

Outputs for 1, 2 and 3 below. Any thoughts on what this means or what to try next gratefully received. Am fascinated by Cloudflare doing something really different with public resolvers.


PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=62 time=12.332 ms
64 bytes from 1.1.1.1: icmp_seq=1 ttl=62 time=11.709 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=62 time=10.137 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=62 time=24.604 ms
64 bytes from 1.1.1.1: icmp_seq=4 ttl=62 time=14.434 ms

PING 1.0.0.1 (1.0.0.1): 56 data bytes
64 bytes from 1.0.0.1: icmp_seq=0 ttl=59 time=8.282 ms
64 bytes from 1.0.0.1: icmp_seq=1 ttl=59 time=8.664 ms
64 bytes from 1.0.0.1: icmp_seq=2 ttl=59 time=8.329 ms
64 bytes from 1.0.0.1: icmp_seq=3 ttl=59 time=6.860 ms
64 bytes from 1.0.0.1: icmp_seq=4 ttl=59 time=9.212 ms

Traecroute to 1.1.1.1 usually gives:

traceroute to 1.1.1.1 (1.1.1.1), 64 hops max, 52 byte packets

1 192.168.1.1 (192.168.1.1) 3.347 ms 1.162 ms 1.044 ms
2 losubs.subs.bng2.th-lon.zen.net.uk (62.3.80.21) 6.505 ms 8.057 ms
10.86.240.1 (10.86.240.1) 9.146 ms
3 ae1-182.cr1.th-lon.zen.net.uk (62.3.86.80) 6.751 ms
1dot1dot1dot1.Cloudflare-dns.com (1.1.1.1) 27.110 ms 121.195 ms

But sometimes:

traceroute to 1.1.1.1 (1.1.1.1), 64 hops max, 52 byte packets
1 192.168.1.1 (192.168.1.1) 3.149 ms 1.127 ms 1.077 ms
2 10.86.240.1 (10.86.240.1) 14.591 ms 11.090 ms 9.977 ms
3 ae1-182.cr1.th-lon.zen.net.uk (62.3.86.80) 6.634 ms 6.536 ms 6.779 ms
4 * * ae0-0.br2.th-lon.zen.net.uk (62.3.80.42) 9.862 ms
5 * linx-lon1.as13335.net (195.66.225.179) 8.583 ms 7.227 ms
6 * * 1dot1dot1dot1.Cloudflare-dns.com (1.1.1.1) 8.716 ms

Where trace route 1.0.0.1 gives:

traceroute to 1.0.0.1 (1.0.0.1), 64 hops max, 52 byte packets

1 192.168.1.1 (192.168.1.1) 3.062 ms 1.463 ms 1.045 ms
2 10.86.240.1 (10.86.240.1) 12.514 ms
losubs.subs.bng2.th-lon.zen.net.uk (62.3.80.21) 6.360 ms 6.320 ms
3 ae1-182.cr1.th-lon.zen.net.uk (62.3.86.80) 6.758 ms
brnt-core-2a-xe-805-0.network.virginmedia.net (62.253.64.205) 20.262 ms
ae1-182.cr1.th-lon.zen.net.uk (62.3.86.80) 6.577 ms
4 ae0-0.br2.th-lon.zen.net.uk (62.3.80.42) 6.887 ms 6.646 ms 6.756 ms
5 linx-lon1.as13335.net (195.66.225.179) 6.956 ms * *
6 1dot1dot1dot1.Cloudflare-dns.com (1.0.0.1) 8.588 ms 6.966 ms *

When it fails for dig @1.1.1.1

; <<>> DiG 9.10.6 <<>> @1.1.1.1
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

When it works, moments later

; <<>> DiG 9.10.6 <<>> @1.1.1.1
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65011
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1536
;; QUESTION SECTION:
;. IN NS

;; ANSWER SECTION:
. 3424 IN NS a.root-servers.net.
. 3424 IN NS b.root-servers.net.
. 3424 IN NS c.root-servers.net.
. 3424 IN NS d.root-servers.net.
. 3424 IN NS e.root-servers.net.
. 3424 IN NS f.root-servers.net.
. 3424 IN NS g.root-servers.net.
. 3424 IN NS h.root-servers.net.
. 3424 IN NS i.root-servers.net.
. 3424 IN NS j.root-servers.net.
. 3424 IN NS k.root-servers.net.
. 3424 IN NS l.root-servers.net.
. 3424 IN NS m.root-servers.net.

;; Query time: 73 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Fri Apr 06 07:36:54 BST 2018
;; MSG SIZE rcvd: 431

whereas dig @ 1.0.0.1 is consistent

; <<>> DiG 9.10.6 <<>> @1.0.0.1
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24395
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1536
;; QUESTION SECTION:
;. IN NS

;; ANSWER SECTION:
. 3374 IN NS a.root-servers.net.
. 3374 IN NS b.root-servers.net.
. 3374 IN NS c.root-servers.net.
. 3374 IN NS d.root-servers.net.
. 3374 IN NS e.root-servers.net.
. 3374 IN NS f.root-servers.net.
. 3374 IN NS g.root-servers.net.
. 3374 IN NS h.root-servers.net.
. 3374 IN NS i.root-servers.net.
. 3374 IN NS j.root-servers.net.
. 3374 IN NS k.root-servers.net.
. 3374 IN NS l.root-servers.net.
. 3374 IN NS m.root-servers.net.

;; Query time: 76 msec
;; SERVER: 1.0.0.1#53(1.0.0.1)
;; WHEN: Fri Apr 06 07:37:44 BST 2018
;; MSG SIZE rcvd: 431