1.1.1.1 doesn't resovle urzadskarbowy.gov.pl

Zero Trust 1.1.1.1
1

Hello,

1.1.1.1 DNS resolvers doesn’t resovle Polish IRS domain urzadskarbowy.gov.pl.
Bellow is my dig command outputs :

; <<>> DiG 9.10.6 <<>> urzadskarbowy.gov.pl @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16621
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; OPT=15: 00 16 74 69 6d 65 20 6c 69 6d 69 74 20 65 78 63 65 65 64 65 64 ("..time limit exceeded")
;; QUESTION SECTION:
;urzadskarbowy.gov.pl.		IN	A

;; Query time: 4121 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sun Mar 12 00:21:47 CET 2023
;; MSG SIZE  rcvd: 74


; <<>> DiG 9.10.6 <<>> urzadskarbowy.gov.pl @1.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49063
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; OPT=15: 00 16 74 69 6d 65 20 6c 69 6d 69 74 20 65 78 63 65 65 64 65 64 ("..time limit exceeded")
;; QUESTION SECTION:
;urzadskarbowy.gov.pl.		IN	A

;; Query time: 1015 msec
;; SERVER: 1.0.0.1#53(1.0.0.1)
;; WHEN: Sun Mar 12 00:22:08 CET 2023
;; MSG SIZE  rcvd: 74


; <<>> DiG 9.10.6 <<>> urzadskarbowy.gov.pl @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62409
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;urzadskarbowy.gov.pl.		IN	A

;; ANSWER SECTION:
urzadskarbowy.gov.pl.	292	IN	A	145.237.204.138

;; Query time: 852 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Mar 12 00:22:21 CET 2023
;; MSG SIZE  rcvd: 65


**dig +short CHAOS TXT id.server @1.1.1.1**
"PRG"

**dig +short CHAOS TXT id.server @1.0.0.1**
"PRG"


**DOH query:**
cmd$ curl --http2 -H "accept: application/dns-json" "https://1.1.1.1/dns-query?name=urzadskarbowy.gov.pl"
{"Status":2,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"urzadskarbowy.gov.pl","type":1}],"Comment":["EDE(22): No Reachable Authority (time limit exceeded)"]}

Example query to urzadzskarbowy.gov.pl to my provider DNS servers:

; <<>> DiG 9.10.6 <<>> urzadskarbowy.gov.pl @192.168.33.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12780
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;urzadskarbowy.gov.pl.		IN	A

;; ANSWER SECTION:
urzadskarbowy.gov.pl.	258	IN	A	145.237.204.138

;; Query time: 96 msec
;; SERVER: 192.168.33.1#53(192.168.33.1)
;; WHEN: Sun Mar 12 00:27:42 CET 2023
;; MSG SIZE  rcvd: 54

/pch

2

Hi,

Thanks for the report. It seems to be the name server of urzadskarbowy.gov.pl (ns[1-4].mf.gov.pl) is blocking queries sent by 1.1.1.1 from our Prague data centers. We are contacting them to find out what is wrong. It works fine in other places.

Meanwhile, I’ve applied a workaround. Let me know if you still see the problem.

3

Hi,

Workaround is working fine I’ve response for domain urzadskarbowy.gov.pl . DOH query still returning “No Reachable Authority” but it is not so much problem for me.

; <<>> DiG 9.10.6 <<>> urzadskarbowy.gov.pl @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26235
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;urzadskarbowy.gov.pl.		IN	A

;; ANSWER SECTION:
urzadskarbowy.gov.pl.	300	IN	A	145.237.204.138

;; Query time: 157 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sat Mar 18 13:23:28 CET 2023
;; MSG SIZE  rcvd: 65

cmd$ curl --http2 -H "accept: application/dns-json" "https://1.1.1.1/dns-query?name=urzadskarbowy.gov.pl"
{"Status":2,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"urzadskarbowy.gov.pl","type":1}],"Comment":["EDE(22): No Reachable Authority (time limit exceeded)"]}

/pch

4

I’ve updated the workaround to include DoH as well, it should work too now.