Background: We run a page that provides some insight for our users into their network environment at Browser Privacy - Test IP address, DNS, VPN leaks. Fast & no ads. Protect your online privacy.
One of the tests we run is a DNS leak test, which informs users about which DNS resolvers are seeing their browsing data and also informs them about what features those DNS resolvers support (TLS, etc).
We’ve noticed that when using 1.1.1.1 these reports fail to load.
Reproduction: We’ve created a reliable reproduction, which can be seen using the following curl
commands:
curl -vvv -L --dns-servers 1.1.1.1 https://nstoro.com/api/v1/randomizer
When run using any other public resolver, 9.9.9.9 in this example, it works correctly.
curl -vvv -L --dns-servers 9.9.9.9 https://nstoro.com/api/v1/randomizer
Expected Result: The expected result is a HTTP 302 redirect followed by a JSON object with information about the IP address of the recursive resolver which made the request to our name server as well as information about our name server which answered the request. For example (I’ve elided some of the response data to keep the result smaller),
{
"status": "OK",
"type": "TENTA_NSNITCH",
"data": {
"ip": "74.63.25.247",
"ip_family": "v4",
"net_type": "udp",
"tls_enabled": false,
<snip>
},
"message": "",
"code": 200
}
This output is generated when the recursive resolver makes a request to our name server shortly before the HTTP request is made.
Actual Output: The actual output is a 404 error message like:
{
"status": "ERROR",
"type": "TENTA_NSNITCH",
"data": null,
"message": "Not Found",
"code": 404
}
This response is indicative of the recursive resolver not making a request to our name server shortly before the HTTP request is made. The described test works correctly with at least Google, Quad9, Tenta DNS, a range of OpenNIC servers and Level 3 as the resolver and only seems to fail with 1.1.1.1.
Note: Some linux systems compile curl without DNS support built in. On such a system, curl can be rebuilt with the --enable-ares
flag to enable this command line flag.
Discussion: We believe that Cloudflare is either inferring the IP address of sub-domains without actually looking them up, or else looking them up, but returning a different cached result from a previous lookup of a different sub-domain (pointing to a server with a different IP then the one we returned to the lookup). In either case this is non-standard behavior. Each call to the randomizer API produces a new, random sub-domain, and while collisions are not impossible, there is sufficient entropy that they should be vanishingly rare. As such, each request should produce at least one recursive resolution from a recursive resolver to our name server.
The full source code of our server is available at GitHub - tenta-browser/tenta-dns: Recursive and authoritative DNS server in go, including DNSSEC and DNS-over-TLS