1.1.1.1 Fails to resolve for doileak.com test


#1

I am running tests for setting up a VPN, and one of those is the doileak.com website.
I run the extra “torrents” test, and the tracker URL fails to resolve with cloudflare.
Please note, that while I’m setting this up for a VPN, this DNS resolution fails regardless of whether I have the VPN active or not.

Here’s the requested dig results:

dragon ~ # dig trrntdns-7ml5d8muyqb34hwg.dnstest.doileak.com. @1.1.1.1

; <<>> DiG 9.11.2-P1 <<>> trrntdns-7ml5d8muyqb34hwg.dnstest.doileak.com. @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19584
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1536
;; QUESTION SECTION:
;trrntdns-7ml5d8muyqb34hwg.dnstest.doileak.com. IN A

;; Query time: 78 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Apr 17 10:49:01 PDT 2018
;; MSG SIZE  rcvd: 74

dragon ~ # dig trrntdns-7ml5d8muyqb34hwg.dnstest.doileak.com. @1.0.0.1

; <<>> DiG 9.11.2-P1 <<>> trrntdns-7ml5d8muyqb34hwg.dnstest.doileak.com. @1.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 12386
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1536
;; QUESTION SECTION:
;trrntdns-7ml5d8muyqb34hwg.dnstest.doileak.com. IN A

;; Query time: 79 msec
;; SERVER: 1.0.0.1#53(1.0.0.1)
;; WHEN: Tue Apr 17 10:49:07 PDT 2018
;; MSG SIZE  rcvd: 74

dragon ~ # dig trrntdns-7ml5d8muyqb34hwg.dnstest.doileak.com. @8.8.8.8

; <<>> DiG 9.11.2-P1 <<>> trrntdns-7ml5d8muyqb34hwg.dnstest.doileak.com. @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36359
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;trrntdns-7ml5d8muyqb34hwg.dnstest.doileak.com. IN A

;; ANSWER SECTION:
trrntdns-7ml5d8muyqb34hwg.dnstest.doileak.com. 29 IN A 162.243.70.171

;; Query time: 87 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Apr 17 10:49:10 PDT 2018
;; MSG SIZE  rcvd: 90

dragon ~ # dig +short CHAOS TXT id.server @1.1.1.1
"sjc01"
dragon ~ # dig +short CHAOS TXT id.server @1.0.0.1
"sjc01"

#2

Cloudflare’s resolver uses query minimization as part of the overall nameserver privacy strategy. In this instance it appears that the DNS servers for doileak.com are not RFC compliant and are returning nxdomain for a query of dnstest.doileak.com.

https://tools.ietf.org/html/rfc7816

A problem can also appear when a name server does not react properly
to ENTs (Empty Non-Terminals). If ent.example.com has no resource
records but foobar.ent.example.com does, then ent.example.com is an
ENT. Whatever the QTYPE, a query for ent.example.com must return
NODATA (NOERROR / ANSWER: 0). However, some name servers incorrectly
return NXDOMAIN for ENTs. If a resolver queries only
foobar.ent.example.com, everything will be OK, but if it implements
QNAME minimisation, it may query ent.example.com and get an NXDOMAIN.
See also Section 3 of [DNS-Res-Improve] for the other bad
consequences of this bad behaviour.

I can pass this along to our resolver team, but I’m not sure what the ‘right’ answer here is. The site being queried itself is one focused on privacy, so would reducing user privacy to bypass their server’s incorrect response be a good or a bad thing?


#3

The doileak.com test server is non-compliant and doesn’t ignore the letter case in the domain name:

$ dig @162.243.70.171 TRRntdnS-7ML5d8mUYqb34hwg.DNStEST.DoileAK.COm | grep status
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4531
$ dig @162.243.70.171 trrntdns-7ml5d8muyqb34hwg.dnstest.doileak.com | grep status
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47580

1.1.1.1 randomizes letter case to improve security, see https://dyn.com/blog/use-of-bit-0x20-in-dns-labels/ we’ll send an email to the operator and disable 0x20 for this zone to work around it.

EDIT: @gwindalmir the override is applied, it’s resolving now.