1.1.1.1 not resolving domains from community DNS

Good morning.

We’ve been having issues for a couple of weeks with DNS resolution for multiple domains registered on Community DNS using Cloudflare DNS.

We’ve reproduced the issue from Spanish ISPs (not just one). Here are the requested details:

> ?  ~ dig wtfgw.net @1.1.1.1
> 
> ; <<>> DiG 9.10.6 <<>> wtfgw.net @1.1.1.1
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38714
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; OPT=15: 00 16 61 74 20 64 65 6c 65 67 61 74 69 6f 6e 20 77 74 66 67 77 2e 6e 65 74 2e ("..at delegation wtfgw.net.")
> ;; QUESTION SECTION:
> ;wtfgw.net.                     IN      A
> 
> ;; Query time: 4134 msec
> ;; SERVER: 1.1.1.1#53(1.1.1.1)
> ;; WHEN: Wed Oct 04 12:51:42 CEST 2023
> ;; MSG SIZE  rcvd: 68
> 
> 
> ?  ~ dig wtfgw.net @1.0.0.1
> 
> ; <<>> DiG 9.10.6 <<>> wtfgw.net @1.0.0.1
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 6490
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; OPT=15: 00 16 61 74 20 64 65 6c 65 67 61 74 69 6f 6e 20 77 74 66 67 77 2e 6e 65 74 2e ("..at delegation wtfgw.net.")
> ;; QUESTION SECTION:
> ;wtfgw.net.                     IN      A
> 
> ;; Query time: 4120 msec
> ;; SERVER: 1.0.0.1#53(1.0.0.1)
> ;; WHEN: Wed Oct 04 12:51:51 CEST 2023
> ;; MSG SIZE  rcvd: 68
> 
> 
> ?  ~ dig wtfgw.net @8.8.8.8
> 
> ; <<>> DiG 9.10.6 <<>> wtfgw.net @8.8.8.8
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56780
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 512
> ;; QUESTION SECTION:
> ;wtfgw.net.                     IN      A
> 
> ;; AUTHORITY SECTION:
> wtfgw.net.              600     IN      SOA     anycast.bit2host.eu. dnsadmin.bit2host.eu. 2023100302 600 300 2592000 600
> 
> ;; Query time: 83 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Wed Oct 04 12:51:55 CEST 2023
> ;; MSG SIZE  rcvd: 102
> 
> 
> ?  ~ dig +short CHAOS TXT id.server @1.1.1.1 
> "MAD"
> 
> ?  ~ dig +short CHAOS TXT id.server @1.0.0.1
> "MAD"

From other locations, resolution is good:

> # dig +short CHAOS TXT id.server @1.1.1.1 
> "MEX"
> 
> # dig wtfgw.net @1.1.1.1
> 
> ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.14 <<>> wtfgw.net @1.1.1.1
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22226
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
> 
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ;; QUESTION SECTION:
> ;wtfgw.net.                     IN      A
> 
> ;; AUTHORITY SECTION:
> wtfgw.net.              600     IN      SOA     anycast.bit2host.eu. dnsadmin.bit2host.eu. 2023100302 600 300 2592000 600
> 
> ;; Query time: 1025 msec
> ;; SERVER: 1.1.1.1#53(1.1.1.1)
> ;; WHEN: Wed Oct 04 11:21:22 EDT 2023
> ;; MSG SIZE  rcvd: 102

Thanks
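The `OPT=15` line in the two SERVFAIL responses above is an Extended DNS Error option (RFC 8914), which dig 9.10.6 prints as raw hex. The following is an added example, not part of the original post, that decodes it; the function names are hypothetical and the code table is only a subset of the RFC 8914 registry.

```python
import re

# Subset of the RFC 8914 INFO-CODE registry (resolver-side failure codes).
EDE_CODES = {
    0: "Other", 3: "Stale Answer", 6: "DNSSEC Bogus", 9: "DNSKEY Missing",
    13: "Cached Error", 20: "Not Authoritative", 21: "Not Supported",
    22: "No Reachable Authority", 23: "Network Error",
}

# Constructed input: the OPT line copied from the SERVFAIL dig output above.
DIG_LINE = ('; OPT=15: 00 16 61 74 20 64 65 6c 65 67 61 74 69 6f 6e 20 '
            '77 74 66 67 77 2e 6e 65 74 2e ("..at delegation wtfgw.net.")')

# dig prints unknown EDNS options as "OPT=<code>: <hex bytes> (<ascii>)".
OPT_RE = re.compile(r"OPT=(\d+):((?:\s+[0-9a-fA-F]{2}\b)+)")


def parse_dig_opt(line):
    """Return (option_code, payload_bytes) from an undecoded dig OPT line."""
    m = OPT_RE.search(line)
    if m is None:
        raise ValueError("no undecoded EDNS option on this line")
    return int(m.group(1)), bytes.fromhex("".join(m.group(2).split()))


def decode_ede(option_code, payload):
    """Decode an EDE payload: 2-byte big-endian INFO-CODE, then UTF-8 EXTRA-TEXT."""
    if option_code != 15:
        raise ValueError("EDNS option %d is not Extended DNS Error" % option_code)
    if len(payload) < 2:
        raise ValueError("EDE payload must start with a 2-byte INFO-CODE")
    info_code = int.from_bytes(payload[:2], "big")
    extra_text = payload[2:].decode("utf-8", errors="replace")
    return info_code, EDE_CODES.get(info_code, "unknown"), extra_text


def explain(line):
    """Convenience wrapper: dig line in, (code, meaning, extra text) out."""
    return decode_ede(*parse_dig_opt(line))


if __name__ == "__main__":
    print(explain(DIG_LINE))
```

Code 22 is the resolver reporting that it could not reach any authoritative server for the delegation named in the extra text.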

We still have this issue and CommunityDNS keeps telling us that the problem is not on their side.

Maybe it’s something similar to this thread here:

It looks the same to me, in that the nameservers for wtfgw.net’s nameservers have a circular dependency on themselves (at least for some possible paths), with glue records only delivered for the nameserver in the same zone.

wtfgw.net.              172800  IN      NS      anycast.bit2host.co.uk.
wtfgw.net.              172800  IN      NS      anycast.bit2host.eu.
wtfgw.net.              172800  IN      NS      anycast2.bit2host.eu.
;; Received 130 bytes from 2001:503:eea3::30#53(g.gtld-servers.net) in 24 ms
bit2host.co.uk.         172800  IN      NS      ns0.bit2host.eu.
bit2host.co.uk.         172800  IN      NS      anycast.bit2host.co.uk.
bit2host.co.uk.         172800  IN      NS      anycast.bit2host.eu.
bit2host.co.uk.         172800  IN      NS      anycast.bit2host.net.
bit2host.co.uk.         172800  IN      NS      anycast.bit2host.org.
;; Received 200 bytes from 2401:fd80:400::1#53(dns2.nic.uk) in 28 ms
bit2host.net.           172800  IN      NS      anycast.bit2host.net.
bit2host.net.           172800  IN      NS      anycast.bit2host.org.
bit2host.net.           172800  IN      NS      anycast.bit2host.co.uk.
bit2host.net.           172800  IN      NS      ns0.bit2host.eu.
bit2host.net.           172800  IN      NS      anycast.bit2host.eu.
;; Received 200 bytes from 2001:503:231d::2:30#53(b.gtld-servers.net) in 0 ms
bit2host.org.           3600    IN      NS      anycast.bit2host.eu.
bit2host.org.           3600    IN      NS      anycast.bit2host.net.
bit2host.org.           3600    IN      NS      anycast.bit2host.org.
bit2host.org.           3600    IN      NS      ns0.bit2host.eu.
bit2host.org.           3600    IN      NS      anycast.bit2host.co.uk.
;; Received 200 bytes from 199.19.56.1#53(a0.org.afilias-nst.info) in 28 ms

The .eu versions have different nameservers and are working:

;; AUTHORITY SECTION:
bit2host.eu.            86400   IN      NS      anycast.bit2host.eu.
bit2host.eu.            86400   IN      NS      ns0.bit2host.eu.

;; ADDITIONAL SECTION:
ns0.bit2host.eu.        86400   IN      A       74.116.176.33
anycast.bit2host.eu.    86400   IN      A       74.116.176.33

Results are probably the same as in the linked thread: it would randomly resolve/not resolve in some locations. And again, I’m not really sure if this is a problem with Cloudflare’s resolver or if this is some kind of illegal delegation.
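The dependency described in this post can be checked mechanically. The following is an added example, not code from the thread, that models only the NS sets quoted above. It lists the glueless resolution loops between zones and shows which zones can be bootstrapped from a given set of zones whose in-zone glue is served and answering; the function names and the `glued` parameter are hypothetical.

```python
# Constructed from the NS sets quoted in the post (trailing dots dropped).
SHARED = ["ns0.bit2host.eu", "anycast.bit2host.co.uk", "anycast.bit2host.eu",
          "anycast.bit2host.net", "anycast.bit2host.org"]
DELEGATIONS = {
    "wtfgw.net": ["anycast.bit2host.co.uk", "anycast.bit2host.eu",
                  "anycast2.bit2host.eu"],
    "bit2host.co.uk": SHARED,
    "bit2host.net": SHARED,
    "bit2host.org": SHARED,
    "bit2host.eu": ["anycast.bit2host.eu", "ns0.bit2host.eu"],
}


def zone_of(host):
    """Longest modelled zone that contains host, or None."""
    matches = [z for z in DELEGATIONS if host == z or host.endswith("." + z)]
    return max(matches, key=len) if matches else None


def dependencies(zone):
    """Other zones that must resolve before an out-of-zone NS has an address."""
    return sorted({zone_of(ns) for ns in DELEGATIONS[zone]} - {zone, None})


def cycles_from(zone, path=()):
    """Glueless paths from `zone` that come back to a zone already visited."""
    path = path + (zone,)
    found = []
    for dep in dependencies(zone):
        if dep in path:
            found.append(path[path.index(dep):] + (dep,))
        else:
            found.extend(cycles_from(dep, path))
    return found


def bootstrappable(glued):
    """Zones resolvable when only the zones in `glued` have working glue."""
    known = set(glued)
    changed = True
    while changed:
        changed = False
        for zone, nss in DELEGATIONS.items():
            if zone not in known and any(zone_of(ns) in known for ns in nss):
                known.add(zone)
                changed = True
    return known
```

With the only glue shown on the page (`bit2host.eu`), every zone resolves; with none, no zone does, and every loop runs between the `.co.uk`, `.net` and `.org` zones.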

Thanks @Laudian for your feedback.
I’ve been checking this for a while now. I understand what you shared, but what I still don’t understand is why the problem is only from Spain while all over the world it is working just fine. And this is not random; from Spain it never works.
And there are a lot of other domains without glue-records that are working just fine.
I’ll try to test the glue-records (hopefully not impacting any zone) but at the same time I think the problem is bigger (even on the other thread it was not fixed).

Regards

Hi @linux1,

I think the issue is that the nameserver 74.116.176.33 doesn’t respond to our resolver’s query in the MAD area, resulting in the failures. I added a workaround, so the domain should be resolving now.
