1.1.1.1 dns and abs.twimg.com

I am having issues with Cloudflare DNS on the Istanbul server (IST) regarding the domain abs.twimg.com.
Cloudflare DNS sometimes gives the result as it should be, but most of the time it gives status SERVFAIL.
I can resolve any other domain easily on Cloudflare at that time, so it is not that something is broken, but not being able to access Twitter sometimes is disappointing.

Here is a dig request I made to Cloudflare DNS:

Can reproduce from IST:

[email protected] ~ % dig @1.1.1.1 abs.twimg.com +nsid

; <<>> DiG 9.10.6 <<>> @1.1.1.1 abs.twimg.com +nsid
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46072
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; NSID: 31 38 39 6d 38 ("189m8")
; OPT=15: 00 16 ("..")
;; QUESTION SECTION:
;abs.twimg.com.			IN	A

;; Query time: 227 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Sep 27 10:19:06 CEST 2021
;; MSG SIZE  rcvd: 57

Works fine from AMS:

[email protected] ~ % dig @1.1.1.1 abs.twimg.com +nsid

; <<>> DiG 9.10.6 <<>> @1.1.1.1 abs.twimg.com +nsid
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60951
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; NSID: 32 30 6d 34 30 32 ("20m402")
;; QUESTION SECTION:
;abs.twimg.com.			IN	A

;; ANSWER SECTION:
abs.twimg.com.		90	IN	CNAME	cs510.wpc.edgecastcdn.net.
cs510.wpc.edgecastcdn.net. 3390	IN	A	152.199.21.141

;; Query time: 78 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Sep 27 10:20:50 CEST 2021
;; MSG SIZE  rcvd: 107

Due to the CNAME it’s possibly related to SERVFAIL for www.kyb.mpg.de - #7 by alexander.buchner. Perhaps the updates have not been propagated to IST yet.
@mvavrusa

Okay, I’m getting some very interesting replies from IST. In 2014 TurkTelekom hijacked/masqueraded popular DNS resolvers including Google’s 8.8.8.8, so to be sure this is not affecting the replies directly to Cloudflare, I used DoT.

[email protected] ~ % kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com abs.twimg.com +nsid
;; DEBUG: Querying for owner(abs.twimg.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 163 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;; DEBUG:      SHA-256 PIN: od9obscoXQND56/DikypZrJkXGvbQV5Y61QGfcNitHo=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1
;; DEBUG:      SHA-256 PIN: e0IRz5Tio3GA1Xs4fUVWmH1xHDiH2dMbVtCBSkOIdqM=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted. 
;; TLS session (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 30566
;; Flags: qr rd ra; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
;; NSID: 3138396D3936 "189m96"
;; EDE: 3 (Stale Answer)
;; EDE: 22 (No Reachable Authority)
;; PADDING: 342 B

;; QUESTION SECTION:
;; abs.twimg.com.      		IN	A

;; ANSWER SECTION:
abs.twimg.com.      	295	IN	CNAME	twimg.twitter.map.fastly.net.
twimg.twitter.map.fastly.net.	25	IN	A	199.232.136.159

;; Received 468 B
;; Time 2021-09-27 10:30:15 CEST
;; From 1.1.1.1@853(TCP) in 162.5 ms


[email protected] ~ % kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com abs.twimg.com +nsid
;; DEBUG: Querying for owner(abs.twimg.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 163 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;; DEBUG:      SHA-256 PIN: od9obscoXQND56/DikypZrJkXGvbQV5Y61QGfcNitHo=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1
;; DEBUG:      SHA-256 PIN: e0IRz5Tio3GA1Xs4fUVWmH1xHDiH2dMbVtCBSkOIdqM=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted. 
;; TLS session (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: SERVFAIL; id: 48826
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
;; NSID: 3138396D3536 "189m56"
;; EDE: 0 (Other)
;; PADDING: 406 B

;; QUESTION SECTION:
;; abs.twimg.com.      		IN	A

;; Received 468 B
;; Time 2021-09-27 10:30:25 CEST
;; From 1.1.1.1@853(TCP) in 163.7 ms


[email protected] ~ % kdig -d @1.1.1.1 +tls-ca +tls-host=cloudflare-dns.com abs.twimg.com +nsid
;; DEBUG: Querying for owner(abs.twimg.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 163 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;; DEBUG:      SHA-256 PIN: od9obscoXQND56/DikypZrJkXGvbQV5Y61QGfcNitHo=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1
;; DEBUG:      SHA-256 PIN: e0IRz5Tio3GA1Xs4fUVWmH1xHDiH2dMbVtCBSkOIdqM=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted. 
;; WARNING: TLS, peer took too long to respond
;; WARNING: can't receive reply from 1.1.1.1@853(TCP)
;; ERROR: failed to query server 1.1.1.1@853(TCP)

3 different replies in a row.

Also interesting to note: in Turkey abs.twimg.com. is a CNAME of twimg.twitter.map.fastly.net., however, in the rest of the 12 locations I’ve tested it points to cs510.wpc.edgecastcdn.net.. Something is going on there.
Quad9 and Google in Turkey both resolve to cs510.wpc.edgecastcdn.net. too.
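A small checker, added here and not part of any post in this thread, that parses the kind of dig/kdig replies shown above (status, NSID, EDE codes, CNAME target) and flags a resolver whose backends disagree or fail. The embedded replies are constructed and abbreviated; the checker also decodes the raw OPT=15 option that dig 9.10 prints, which is the EDE option and carries the same code 22 that kdig labels "No Reachable Authority".

```python
import re
from collections import defaultdict

# Constructed, abbreviated replies modelled on the dig/kdig output in the thread (not live captures).
SAMPLES = [
    # dig 9.10 knows no EDE: the option shows up raw as OPT=15 with value 0x0016 = 22
    ';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1\n'
    '; NSID: 31 38 39 6d 38 ("189m8")\n; OPT=15: 00 16 ("..")\n',
    ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2\n; NSID: 32 30 6d 34 30 32 ("20m402")\n'
    'abs.twimg.com.\t\t90\tIN\tCNAME\tcs510.wpc.edgecastcdn.net.\n',
    # kdig over DoT: a stale answer from another backend, pointing at a different CDN
    ';; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 3\n;; NSID: 3138396D3936 "189m96"\n'
    ';; EDE: 3 (Stale Answer)\n;; EDE: 22 (No Reachable Authority)\n'
    'abs.twimg.com.      \t295\tIN\tCNAME\ttwimg.twitter.map.fastly.net.\n',
    ';; WARNING: TLS, peer took too long to respond\n;; ERROR: failed to query server 1.1.1.1@853(TCP)\n',
]

EDE_NAMES = {0: "Other", 3: "Stale Answer", 22: "No Reachable Authority"}  # RFC 8914 codes seen in the thread
def parse_reply(text):
    """Pull rcode, answering backend (NSID), EDE codes and CNAME targets out of one dig/kdig reply."""
    m = re.search(r"status: (\w+)", text)
    rcode = m.group(1) if m else ("TIMEOUT" if "ERROR: failed to query" in text else "UNKNOWN")
    nsid = re.search(r'NSID:.*?"([^"]+)"', text)
    ede = [int(c) for c in re.findall(r"EDE: (\d+)", text)]
    # Older dig prints unknown EDNS options raw; option 15 is EDE and its first two bytes are the info-code
    for hi, lo in re.findall(r"OPT=15: ([0-9a-f]{2}) ([0-9a-f]{2})", text):
        ede.append(int(hi + lo, 16))
    return {"rcode": rcode, "nsid": nsid.group(1) if nsid else None,
            "ede": [(c, EDE_NAMES.get(c, "unassigned")) for c in ede],
            "cnames": re.findall(r"\S+\s+\d+\s+IN\s+CNAME\s+(\S+)", text)}

def summarize(replies):
    """Group parsed replies by NSID and flag a resolver whose backends disagree or fail."""
    by_nsid = defaultdict(lambda: {"rcodes": set(), "cnames": set(), "ede": set()})
    for r in replies:
        backend = by_nsid[r["nsid"]]
        backend["rcodes"].add(r["rcode"])
        backend["cnames"].update(r["cnames"])
        backend["ede"].update(code for code, _ in r["ede"])
    targets = set().union(*(b["cnames"] for b in by_nsid.values()))
    failed = [r for r in replies if r["rcode"] != "NOERROR"]
    return {"backends": dict(by_nsid), "cname_targets": targets,
            "consistent": len(targets) <= 1 and not failed}

if __name__ == "__main__":
    report = summarize([parse_reply(s) for s in SAMPLES])
    for nsid, b in report["backends"].items():
        print(nsid, sorted(b["rcodes"]), sorted(b["cnames"]), sorted(b["ede"]))
    print("consistent:", report["consistent"])
```

Feeding it real captures (one reply per string) from several probes makes the per-NSID split visible: a backend that keeps answering SERVFAIL or a different CNAME than its peers stands out immediately.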

Yes, the Istanbul server I am connected to resolves it (if it really wants to) to twimg.twitter.map.fastly.net, with DNSSEC validating; I don’t know what is going on with Cloudflare on IST.
I asked a friend who lives in the same province as me but uses a different ISP than mine (I am using Türk Telekom, but I always used DoH; he is using Millenicom, which doesn’t block some VPN services that other ISPs block) to dig the Twitter CDN, and he can easily access abs.twimg.com. I asked him to spam queries to see if there was any SERVFAIL status, and he told me he had no issues with that and his results were always CNAME cs510.wpc.edgecastcdn.net, which is really interesting.
If there is some kind of load balancing based on ISP and the server I am getting has update issues, I really hope Cloudflare can fix that.

Yeah, I know I didn’t use DoH while doing the dig requests, but what made me run dig commands is pi-hole logs showing SERVFAIL for Twitter using cloudflared DoH, with long query times to Cloudflare. That is really upsetting for a person who wanted to protect their online DNS privacy via Cloudflare.

Thanks @erdemh110 and @milk for reporting and providing detailed information. Sorry about this, it’s our server in IST not being able to connect to the domain’s nameserver, managed by edgecastcdn unfortunately. We’ll try to contact them.

We applied a temporary workaround to make the set of domains resolvable for now.

Thanks for the info. On dig commands I can now see normal results. Rarely the IST server gives me CNAME “twimg.twitter.map.fastly.net” but never a SERVFAIL. That is a great start. I hope this issue will be completely fixed on the Istanbul server.
