1.1.1.1 DNS does not resolve local school websites

Several of the schools local to me will not resolve with 1.1.1.1. They load perfectly with several other DNS service. e.g. https://www.halterworth.hants.sch.uk/ and https://www.awbridge.hants.sch.uk/ (but others local school websites do resolve, such as https://www.oakfield.hants.sch.uk/).

1.1.1.1 help information URL

https://one.one.one.one/help/#eyJpc0NmIjoiWWVzIiwiaXNEb3QiOiJObyIsImlzRG9oIjoiTm8iLCJyZXNvbHZlcklwLTEuMS4xLjEiOiJZZXMiLCJyZXNvbHZlcklwLTEuMC4wLjEiOiJZZXMiLCJyZXNvbHZlcklwLTI2MDY6NDcwMDo0NzAwOjoxMTExIjoiTm8iLCJyZXNvbHZlcklwLTI2MDY6NDcwMDo0NzAwOjoxMDAxIjoiTm8iLCJkYXRhY2VudGVyTG9jYXRpb24iOiJMSFIiLCJpc1dhcnAiOiJObyIsImlzcE5hbWUiOiJDbG91ZGZsYXJlIiwiaXNwQXNuIjoiMTMzMzUifQ==

Requested debug information


[:~]$ traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  _gateway (192.168.0.1)  2.997 ms  2.949 ms  3.449 ms
 2  lo0-0.bng10.thn-lon.zen.net.uk (51.148.77.140)  7.973 ms  7.961 ms  7.953 ms
 3  51-148-244-26.dsl.zen.co.uk (51.148.244.26)  9.831 ms  9.037 ms  9.814 ms
 4  141.101.71.50 (141.101.71.50)  9.807 ms  10.308 ms  7.907 ms
 5  172.71.176.4 (172.71.176.4)  9.001 ms 172.71.240.4 (172.71.240.4)  9.778 ms 172.70.87.4 (172.70.87.4)  9.748 ms
 6  one.one.one.one (1.1.1.1)  9.729 ms  7.183 ms  6.163 ms
[:~]$ traceroute 1.0.0.1
traceroute to 1.0.0.1 (1.0.0.1), 30 hops max, 60 byte packets
 1  _gateway (192.168.0.1)  1.859 ms  1.807 ms  1.783 ms
 2  lo0-0.bng10.thn-lon.zen.net.uk (51.148.77.140)  6.386 ms  6.372 ms  6.364 ms
 3  51-148-244-24.dsl.zen.co.uk (51.148.244.24)  6.355 ms 51-148-244-26.dsl.zen.co.uk (51.148.244.26)  6.344 ms 51-148-244-24.dsl.zen.co.uk (51.148.244.24)  6.310 ms
 4  141.101.71.50 (141.101.71.50)  8.730 ms  8.716 ms  8.702 ms
 5  172.71.240.4 (172.71.240.4)  7.541 ms  7.528 ms 172.71.176.4 (172.71.176.4)  14.281 ms
 6  one.one.one.one (1.0.0.1)  8.657 ms  7.984 ms  7.943 ms
[:~]$ dig +short CHAOS TXT 35 id.server @1.1.1.1
"LHR"
[:~]$ dig +short CHAOS TXT 35 id.server @1.0.0.1
"LHR"
[:~]$ dig +tcp @1.1.1.1 id.server CH TXT 35

; <<>> DiG 9.18.16-1~deb12u1-Debian <<>> +tcp @1.1.1.1 id.server CH TXT 35
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45476
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;id.server.			CH	TXT

;; ANSWER SECTION:
id.server.		0	CH	TXT	"LHR"

;; Query time: 12 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (TCP)
;; WHEN: Tue Sep 12 12:51:43 BST 2023
;; MSG SIZE  rcvd: 54

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55809
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;35.				IN	A

;; AUTHORITY SECTION:
.			86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2023091200 1800 900 604800 86400

;; Query time: 8 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (TCP)
;; WHEN: Tue Sep 12 12:51:43 BST 2023
;; MSG SIZE  rcvd: 106

[:~]$ dig +tcp @1.0.0.1 id.server CH TXT 35

; <<>> DiG 9.18.16-1~deb12u1-Debian <<>> +tcp @1.0.0.1 id.server CH TXT 35
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45380
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;id.server.			CH	TXT

;; ANSWER SECTION:
id.server.		0	CH	TXT	"LHR"

;; Query time: 8 msec
;; SERVER: 1.0.0.1#53(1.0.0.1) (TCP)
;; WHEN: Tue Sep 12 12:51:56 BST 2023
;; MSG SIZE  rcvd: 54

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 48347
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;35.				IN	A

;; AUTHORITY SECTION:
.			86400	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2023091200 1800 900 604800 86400

;; Query time: 12 msec
;; SERVER: 1.0.0.1#53(1.0.0.1) (TCP)
;; WHEN: Tue Sep 12 12:51:56 BST 2023
;; MSG SIZE  rcvd: 106

[:~]$ openssl s_client -connect 1.1.1.1:853
CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare-dns.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare-dns.com
   i:C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Jan 12 00:00:00 2023 GMT; NotAfter: Jan 11 23:59:59 2024 GMT
 1 s:C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA384
   v:NotBefore: Apr 14 00:00:00 2021 GMT; NotAfter: Apr 13 23:59:59 2031 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIF9TCCBXygAwIBAgIQA8JqRlvV7Wjej2b5dc4uXzAKBggqhkjOPQQDAzBWMQsw
CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMTAwLgYDVQQDEydEaWdp
Q2VydCBUTFMgSHlicmlkIEVDQyBTSEEzODQgMjAyMCBDQTEwHhcNMjMwMTEyMDAw
MDAwWhcNMjQwMTExMjM1OTU5WjByMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2Fs
aWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEZMBcGA1UEChMQQ2xvdWRm
bGFyZSwgSW5jLjEbMBkGA1UEAxMSY2xvdWRmbGFyZS1kbnMuY29tMFkwEwYHKoZI
zj0CAQYIKoZIzj0DAQcDQgAE8WA8mNsEQxx1/IvfcBNZj/HOWGEFoHH5gLTJQ+mD
iQ3+ItaqCY7TT+R/picYF5ljVow7R7jn6iCxMFkVjXChG6OCBA4wggQKMB8GA1Ud
IwQYMBaAFAq8CCkXjKU5bXoOzjPHLrPt+8N6MB0GA1UdDgQWBBRkutjX+1Qhhwjz
soJm+Z5fS3AE8jCBpgYDVR0RBIGeMIGbghJjbG91ZGZsYXJlLWRucy5jb22CFCou
Y2xvdWRmbGFyZS1kbnMuY29tgg9vbmUub25lLm9uZS5vbmWHBAEAAAGHBAEBAQGH
BKKfJAGHBKKfLgGHECYGRwBHAAAAAAAAAAAAEAGHECYGRwBHAAAAAAAAAAAAERGH
ECYGRwBHAAAAAAAAAAAAAGSHECYGRwBHAAAAAAAAAAAAZAAwDgYDVR0PAQH/BAQD
AgeAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjCBmwYDVR0fBIGTMIGQ
MEagRKBChkBodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRUTFNIeWJy
aWRFQ0NTSEEzODQyMDIwQ0ExLTEuY3JsMEagRKBChkBodHRwOi8vY3JsNC5kaWdp
Y2VydC5jb20vRGlnaUNlcnRUTFNIeWJyaWRFQ0NTSEEzODQyMDIwQ0ExLTEuY3Js
MD4GA1UdIAQ3MDUwMwYGZ4EMAQICMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cu
ZGlnaWNlcnQuY29tL0NQUzCBhQYIKwYBBQUHAQEEeTB3MCQGCCsGAQUFBzABhhho
dHRwOi8vb2NzcC5kaWdpY2VydC5jb20wTwYIKwYBBQUHMAKGQ2h0dHA6Ly9jYWNl
cnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRMU0h5YnJpZEVDQ1NIQTM4NDIwMjBD
QTEtMS5jcnQwCQYDVR0TBAIwADCCAX0GCisGAQQB1nkCBAIEggFtBIIBaQFnAHUA
7s3QZNXbGs7FXLedtM0TojKHRny87N7DUUhZRnEftZsAAAGFqCecuAAABAMARjBE
AiAdA/2qx7A3w0Jn7vVuS/qJjfHQURcg1UbQ4JG9wjDBXAIgYsXLQjjc4KaK6y+g
vU+HP4Ow41mj3tiDSp/6GrZCJzEAdwBIsONr2qZHNA/lagL6nTDrHFIBy1bdLIHZ
u7+rOdiEcwAAAYWoJ5zeAAAEAwBIMEYCIQCbW0qSTa+OBqRPNVxEjsAlZ7O31yxx
hRQI5t1UjU97AgIhAJJGLQBjwKVLAul//qX6KKnN/aJDzUSe+i9AeNvCU61+AHUA
O1N3dT4tuYBOizBbBv5AO2fYT8P0x70ADS1yb+H61BcAAAGFqCec6QAABAMARjBE
AiBP/2dqsY1syhBOL5tOc6a6JDzAchfFlDSd6W8DKerZ3QIgZUQUM4nYFlyMBRxn
YfTXn63X/m5ViNBrV/z1GSPzJ5IwCgYIKoZIzj0EAwMDZwAwZAIwP/iWG6Wa0U8A
dDjvbUOxXdI6WgQXwVng/Wrs2G3P2CPXyDi8y4D523XfIYDdY3KQAjA0t0mL62JA
NgpCMd3y7oOrMz01u/FQVel18mXq+PAkEYB6S+9BJOxjGcKGIEXtMxg=
-----END CERTIFICATE-----
subject=C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare-dns.com
issuer=C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2890 bytes and written 377 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
[:~]$ openssl s_client -connect 1.0.0.1:853
CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare-dns.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare-dns.com
   i:C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: ecdsa-with-SHA384
   v:NotBefore: Jan 12 00:00:00 2023 GMT; NotAfter: Jan 11 23:59:59 2024 GMT
 1 s:C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA384
   v:NotBefore: Apr 14 00:00:00 2021 GMT; NotAfter: Apr 13 23:59:59 2031 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIF9TCCBXygAwIBAgIQA8JqRlvV7Wjej2b5dc4uXzAKBggqhkjOPQQDAzBWMQsw
CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMTAwLgYDVQQDEydEaWdp
Q2VydCBUTFMgSHlicmlkIEVDQyBTSEEzODQgMjAyMCBDQTEwHhcNMjMwMTEyMDAw
MDAwWhcNMjQwMTExMjM1OTU5WjByMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2Fs
aWZvcm5pYTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEZMBcGA1UEChMQQ2xvdWRm
bGFyZSwgSW5jLjEbMBkGA1UEAxMSY2xvdWRmbGFyZS1kbnMuY29tMFkwEwYHKoZI
zj0CAQYIKoZIzj0DAQcDQgAE8WA8mNsEQxx1/IvfcBNZj/HOWGEFoHH5gLTJQ+mD
iQ3+ItaqCY7TT+R/picYF5ljVow7R7jn6iCxMFkVjXChG6OCBA4wggQKMB8GA1Ud
IwQYMBaAFAq8CCkXjKU5bXoOzjPHLrPt+8N6MB0GA1UdDgQWBBRkutjX+1Qhhwjz
soJm+Z5fS3AE8jCBpgYDVR0RBIGeMIGbghJjbG91ZGZsYXJlLWRucy5jb22CFCou
Y2xvdWRmbGFyZS1kbnMuY29tgg9vbmUub25lLm9uZS5vbmWHBAEAAAGHBAEBAQGH
BKKfJAGHBKKfLgGHECYGRwBHAAAAAAAAAAAAEAGHECYGRwBHAAAAAAAAAAAAERGH
ECYGRwBHAAAAAAAAAAAAAGSHECYGRwBHAAAAAAAAAAAAZAAwDgYDVR0PAQH/BAQD
AgeAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjCBmwYDVR0fBIGTMIGQ
MEagRKBChkBodHRwOi8vY3JsMy5kaWdpY2VydC5jb20vRGlnaUNlcnRUTFNIeWJy
aWRFQ0NTSEEzODQyMDIwQ0ExLTEuY3JsMEagRKBChkBodHRwOi8vY3JsNC5kaWdp
Y2VydC5jb20vRGlnaUNlcnRUTFNIeWJyaWRFQ0NTSEEzODQyMDIwQ0ExLTEuY3Js
MD4GA1UdIAQ3MDUwMwYGZ4EMAQICMCkwJwYIKwYBBQUHAgEWG2h0dHA6Ly93d3cu
ZGlnaWNlcnQuY29tL0NQUzCBhQYIKwYBBQUHAQEEeTB3MCQGCCsGAQUFBzABhhho
dHRwOi8vb2NzcC5kaWdpY2VydC5jb20wTwYIKwYBBQUHMAKGQ2h0dHA6Ly9jYWNl
cnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFRMU0h5YnJpZEVDQ1NIQTM4NDIwMjBD
QTEtMS5jcnQwCQYDVR0TBAIwADCCAX0GCisGAQQB1nkCBAIEggFtBIIBaQFnAHUA
7s3QZNXbGs7FXLedtM0TojKHRny87N7DUUhZRnEftZsAAAGFqCecuAAABAMARjBE
AiAdA/2qx7A3w0Jn7vVuS/qJjfHQURcg1UbQ4JG9wjDBXAIgYsXLQjjc4KaK6y+g
vU+HP4Ow41mj3tiDSp/6GrZCJzEAdwBIsONr2qZHNA/lagL6nTDrHFIBy1bdLIHZ
u7+rOdiEcwAAAYWoJ5zeAAAEAwBIMEYCIQCbW0qSTa+OBqRPNVxEjsAlZ7O31yxx
hRQI5t1UjU97AgIhAJJGLQBjwKVLAul//qX6KKnN/aJDzUSe+i9AeNvCU61+AHUA
O1N3dT4tuYBOizBbBv5AO2fYT8P0x70ADS1yb+H61BcAAAGFqCec6QAABAMARjBE
AiBP/2dqsY1syhBOL5tOc6a6JDzAchfFlDSd6W8DKerZ3QIgZUQUM4nYFlyMBRxn
YfTXn63X/m5ViNBrV/z1GSPzJ5IwCgYIKoZIzj0EAwMDZwAwZAIwP/iWG6Wa0U8A
dDjvbUOxXdI6WgQXwVng/Wrs2G3P2CPXyDi8y4D523XfIYDdY3KQAjA0t0mL62JA
NgpCMd3y7oOrMz01u/FQVel18mXq+PAkEYB6S+9BJOxjGcKGIEXtMxg=
-----END CERTIFICATE-----
subject=C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare-dns.com
issuer=C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2889 bytes and written 377 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Their DNS is fubar. They list Cloudflare nameservers which are not configured to resolve the domain alongside other DNS servers in whois.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.