1.1.1.1 DNS not resolving CNAME address

Does anyone have any idea why Cloudflare DNS (1.1.1.1) results in a SERVFAIL result and does not perform a secondary DNS lookup on CNAME cse.schwab.com but Google DNS (8.8.8.8) does? And how would I report/resolve the issue?

pi@raspberrypi:~ $ dig @1.1.1.1 cse.schwab.com
; <<>> DiG 9.10.3-P4-Raspbian <<>> @1.1.1.1 cse.schwab.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 48183
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;cse.schwab.com.                        IN      A

;; Query time: 2882 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Sep 03 00:07:45 UTC 2020
;; MSG SIZE  rcvd: 43

vs.

pi@raspberrypi:~ $ dig @8.8.8.8 cse.schwab.com
; <<>> DiG 9.10.3-P4-Raspbian <<>> @8.8.8.8 cse.schwab.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7688
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;cse.schwab.com.                        IN      A

;; ANSWER SECTION:
cse.schwab.com.         299     IN      CNAME   cse.gslb.schwab.com.
cse.gslb.schwab.com.    19      IN      A       162.93.230.104

;; Query time: 118 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Sep 03 00:02:03 UTC 2020
;; MSG SIZE  rcvd: 82

Note: Quad9 9.9.9.9 behaves like Cloudflare 1.1.1.1 and results in a SERVFAIL so I suspect the domain’s DNS is somehow configured incorrectly, but I don’t know enough about DNS to know if this is correct or how to report this to them.

Thank you.

Hi. I’m with Quad9. We have been debugging this issue with Schwab (and initially, Akamai) for a few days. While it is not a certainty that this is the same issue, Schwab today notified us that they had blocked at least some of our netblocks from reaching Schwab nameservers due to what they determined were unexpected traffic volumes of queries. This is probably normal traffic, but larger recursive resolver arrays often push more traffic than normal enterprise or ISP resolvers and are therefore tagged as “abusive” when that is not the case. Since “gslb.schwab.com” has a single NS record with no redundancy, this meant that all queries from certain origins were failing.

It is our belief (but not validated) that this is resolved with Quad9 sites after discussion today with Schwab technical staff.

I suspect the same issue is at work here, and some CF sites are blocked due to volumetric issues. Perhaps these problems have cleared by now, or they may be persistent - I suspect it will be difficult to tell as it was POP-specific. I have informed Schwab DNS operators that this thread exists for reference.

JT

2 Likes
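A way to run the comparison from this thread in one pass, as an added example that is not part of any post here: it reads the rcode and CNAME target out of dig output, decides whether the failure is specific to some resolvers, and counts the NS records of the zone the CNAME points into. The function names are hypothetical, and treating the CNAME target's parent label as the zone name is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): compare resolvers, then check NS redundancy.
# SAMPLE: two lines copied from the 8.8.8.8 capture above, to try the parsers offline.
SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7688
cse.schwab.com.         299     IN      CNAME   cse.gslb.schwab.com.'

# Extract the rcode (NOERROR, SERVFAIL, ...) from full dig output on stdin.
dig_status() {
    sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Extract the first CNAME target, if any, from full dig output on stdin.
dig_cname() {
    awk '$3 == "IN" && $4 == "CNAME" { print $5; exit }'
}

# Given "resolver=STATUS" arguments, report whether the failure is resolver-specific.
classify() {
    ok=0; fail=0
    for pair in "$@"; do
        case "${pair#*=}" in
            NOERROR) ok=$((ok + 1)) ;;
            *)       fail=$((fail + 1)) ;;
        esac
    done
    if [ "$fail" -eq 0 ]; then echo "consistent-ok"
    elif [ "$ok" -eq 0 ]; then echo "failing-everywhere"
    else echo "resolver-specific"
    fi
}

# Live check (needs network access and dig); defined here but not run automatically.
# Assumption: the zone is the CNAME target minus its first label.
compare_resolvers() {
    name=$1; shift; results=""; target=""
    for r in "$@"; do
        out=$(dig "@$r" "$name" +tries=1 +time=3)
        st=$(printf '%s\n' "$out" | dig_status)
        results="$results $r=${st:-TIMEOUT}"   # no header at all means no reply
        cn=$(printf '%s\n' "$out" | dig_cname)
        if [ -n "$cn" ]; then target=$cn; fi
    done
    echo "verdict: $(classify $results)"
    if [ -n "$target" ]; then
        zone=${target#*.}
        echo "NS records for $zone: $(dig +short NS "$zone" | wc -l | tr -d ' ')"
    fi
}
# Usage: compare_resolvers cse.schwab.com 1.1.1.1 8.8.8.8 9.9.9.9
```

A "resolver-specific" verdict together with an NS count of 1 matches the situation described above: the name is fine, but one unreachable or filtering authoritative server is enough to fail every query from the affected resolvers.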

Thank you JT! Yes, it appears to be resolved now. cse.schwab.com now resolves on 9.9.9.9, 1.1.1.1, and 8.8.8.8. Thanks for your work on this and explanation!