1.1.1.1 Resolving distant "CloudFront" servers

Cloudflare DNS is resolving distant servers of CloudFront.

I am in Luanda. The nearest server is in Cape Town/South Africa, but with CF DNS it is resolving to London.

$ dig CHAOS TXT id.server @1.1.1.1

; <<>> DiG 9.10.6 <<>> CHAOS TXT id.server @1.1.1.1

;; global options: +cmd
;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49440
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;id.server. CH TXT

;; ANSWER SECTION:
id.server. 0 CH TXT "LAD"

;; Query time: 122 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Wed Oct 13 17:55:54 WAT 2021
;; MSG SIZE rcvd: 43

RESOLVING WITH GOOGLE DNS | Ping: 52.85.23.116 (30 ms)
$ nslookup video-downloads.elements.envatousercontent.com 8.8.8.8

Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: video-downloads.elements.envatousercontent.com
Address: 52.85.23.116

Name: video-downloads…
Address: 52.85.23.88

Name: video-downloads…
Address: 52.85.23.99

Name: video-downloads…
Address: 52.85.23.82

RESOLVING WITH Cloudflare DNS | Ping: 99.86.116.40 (130 ms)
$ nslookup video-downloads.elements.envatousercontent.com 1.1.1.1

Server: 1.1.1.1
Address: 1.1.1.1#53

Non-authoritative answer:
Name: video-downloads.elements.envatousercontent.com
Address: 99.86.116.40

Name: video-downloads…
Address: 99.86.116.85

Name: video-downloads…
Address: 99.86.116.39

Name: video-downloads…
Address: 99.86.116.17

1.1.1.1 doesn't include eDNS, which would send your IP address to the upstream resolver. This is a privacy feature which, unfortunately, is not compatible with services that depend on knowing your IP address to resolve locally. That's why Cloudflare uses Anycast for their sites, which doesn't suffer from this problem.


Hmmmmm… ok

I’m using two local ISPs.

TV CABO ANGOLA | 41.63.165.45
ZAP ANGOLA | 129.122.137.197

Routes are the same when used 1.1.1.1

But wouldn’t Cloudflare be able to do this “by hand”, since it has the local DNS in Luanda, so that all hostnames resolved by 1.1.1.1 respond to a closer location, like South Africa, instead of London?

A while ago it was the same with Google and Youtube sites, whenever I used 1.1.1.1, the resolved IP was from Europe, but if I used 8.8.8.8, resolved to South Africa.

Currently, even using 1.1.1.1, any Google site is resolved to South Africa.

The Route 53 name servers used by Cloudfront won’t see your IP address as mentioned, but I would expect AWS to make a better decision based on the IP of the Cloudflare DNS resolver (which won’t be the anycasted 1.1.1.1 for outbound traffic, I assume).


And that’s kind of the rub. If your ISP routes you the long way, then the subsequent results will be dependent on that routing.


Absolutely, but the initial post indicated that the request was served very close to the user ("LAD"), right? What Cloudflare then does internally, I have no idea though.


Good point. I missed that part.


The routes are correct; it's the domain that resolves to different IPs. Using 1.1.1.1 as DNS, the resolved IP is in London, but if I use Google DNS, it resolves to a server IP in South Africa.

I did some testing with an AWS EC2 instance, some DNS records, and tcpdump.

Cloudflare DNS configuration:
delegated-ns.example.com A public IP of EC2 instance
delegated.example.com NS delegated-ns.example.com

EC2 instance:
$ tcpdump port 53

My local machine:
$ dig @1.1.1.1 delegated.example.com

So when I queried 1.1.1.1, it contacted my fake DNS server where tcpdump displayed the IP address of the requester.

Key results:

  • The DNS lookup request from my machine hit 1.1.1.1 in the closest location (verified by traceroute and dig checking “id.server”).
  • The request from 1.1.1.1 to my fake DNS server originated from an IP address in the 172.64.0.0 - 172.71.255.255 range.
  • The 172.x.x.x IP address and 1.1.1.1 were both in the closest location according to traceroute (sitting on the local Internet Exchange Point). I also used traceroute through https://lg.telia.net/ to ensure the 172 IP wasn’t anycasted.
  • The 172.x.x.x IP address is geolocated to the closest location when using the “GeoIP2 Precision Service” demo at https://www.maxmind.com/

In other words, I can’t see that Cloudflare is contributing to this problem. I believe it is up to CloudFront and AWS to make a better decision - they appear to have the data they need (local Cloudflare IP address that can be geolocated, and they probably have latency measurements as well).

(Sure, EDNS Client Subnet support is missing on the Cloudflare side, but AWS is getting the IP address of the resolver which should be good enough in this case.)


I understand your answer, but what intrigues me is when I change the DNS on my machine, I have different IPs being resolved. Most Public DNS are resolving the IP of the closest server (South Africa), only 1.1.1.1 is resolving to the IP in London.

This happens with other services that are on Cloudfront.

I’ve retested with a Trello domain, and I’m going to publish how IPs are being resolved in different Public DNS.

My IP: 129.122.222.168 (Angola / Africa)

Domain: a.trellocdn.com

$ dig a.trellocdn.com @8.8.8.8 (Google DNS)
a.trellocdn.com. 60 IN A 52.85.23.128 (South Africa)

$ dig a.trellocdn.com @9.9.9.9 (Quad9 DNS)
a.trellocdn.com. 60 IN A 52.85.214.84 (South Africa)

$ dig a.trellocdn.com @208.67.222.222 (OpenDNS)
a.trellocdn.com. 60 IN A 52.85.23.19 (South Africa)

$ dig a.trellocdn.com @1.1.1.1 (Cloudflare DNS)
a.trellocdn.com. 57 IN A 99.86.19.109 (England)

I can’t say if Cloudflare would actually make this adjustment.

I know my speed changes considerably when I use these Amazon sites when resolved by Google, which routes to South Africa, and when resolved by Cloudflare and routes to England.

Thanks for the explanations. Maybe one day Amazon or Cloudflare will fix that.

Google and OpenDNS both use ECS. You can check with:

dig +nocl TXT o-o.myaddr.l.google.com +short @8.8.8.8

If it returns an edns0-client-subnet, ECS is enabled. Quad9 does not support ECS but does seem to route you to a near location. Seems to be something going on with 1.1.1.1 then.

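The two diagnostics this thread converges on (the tcpdump view of which source IP a recursive resolver uses when it talks to an authoritative server, and the o-o.myaddr.l.google.com TXT check for EDNS Client Subnet) can be scripted so the comparison across resolvers is repeatable. The following is an added example written for this page, not code posted by anyone in the thread. It parses the `dig +short` TXT answer to tell whether a resolver forwards ECS and what its egress address is, extracts query source addresses from `tcpdump port 53` text output and tests them against the 172.64.0.0/13 range (172.64.0.0 - 172.71.255.255) reported above, and flags the resolver whose A answers fall in a different /16 than the majority, the way 99.86.x.x stood apart from 52.85.x.x for a.trellocdn.com. The TXT strings, the tcpdump line and the RFC 5737 addresses in the sample data are constructed; the a.trellocdn.com answers are the ones posted. The majority-prefix heuristic is an assumption of the example (CDN edges in one region usually share an aggregate), not something the thread asserts.

```python
"""Added example: offline checks for the resolver-steering question above.

Sample data at the bottom is constructed for the demo (TXT strings, the
tcpdump line, RFC 5737 addresses); the a.trellocdn.com A records are the
ones quoted in the thread.
"""
import ipaddress
import re
import subprocess
from collections import defaultdict

# Public resolvers named in the thread.
RESOLVERS = {"Google": "8.8.8.8", "Quad9": "9.9.9.9",
             "OpenDNS": "208.67.222.222", "Cloudflare": "1.1.1.1"}

# 172.64.0.0 - 172.71.255.255: the egress range the tcpdump experiment saw.
CLOUDFLARE_EGRESS = ipaddress.ip_network("172.64.0.0/13")


def parse_myaddr_txt(dig_short_output: str) -> dict:
    """Parse `dig +nocl TXT o-o.myaddr.l.google.com +short @<resolver>`.

    Google echoes the resolver's egress address as one TXT string and, only
    when the resolver forwarded ECS, a second 'edns0-client-subnet PREFIX'.
    """
    info = {"resolver_egress": None, "ecs_subnet": None}
    for raw in dig_short_output.splitlines():
        value = raw.strip().strip('"')
        m = re.fullmatch(r"edns0-client-subnet\s+(\S+)", value)
        if m:
            info["ecs_subnet"] = ipaddress.ip_network(m.group(1), strict=False)
            continue
        try:
            info["resolver_egress"] = ipaddress.ip_address(value)
        except ValueError:
            pass  # blank line or an unrelated TXT string
    return info


def ecs_enabled(dig_short_output: str) -> bool:
    """True when the resolver passed an EDNS Client Subnet to Google."""
    return parse_myaddr_txt(dig_short_output)["ecs_subnet"] is not None


def tcpdump_sources(capture: str) -> list:
    """Source IPv4 addresses of queries in `tcpdump port 53` text output."""
    return re.findall(r"\bIP (\d+\.\d+\.\d+\.\d+)\.\d+ > ", capture)


def is_cloudflare_egress(ip: str) -> bool:
    """Does a captured source address fall in the observed 172.64.0.0/13?"""
    return ipaddress.ip_address(ip) in CLOUDFLARE_EGRESS


def parse_a_records(dig_output: str) -> list:
    """A-record rdata from full dig output ('name ttl IN A addr' lines)."""
    out = []
    for line in dig_output.splitlines():
        f = line.split()
        if len(f) >= 5 and f[2] == "IN" and f[3] == "A":
            out.append(f[4])
    return out


def outlier_resolvers(answers: dict, prefixlen: int = 16) -> list:
    """Resolvers whose A answers share no /prefixlen with the majority.

    Heuristic: edges in one region tend to sit in one aggregate (52.85/16
    vs 99.86/16 in the thread), so no overlap means a different steering
    decision. Returns [] when no prefix is backed by more than half.
    """
    nets = {name: {str(ipaddress.ip_network(f"{a}/{prefixlen}", strict=False))
                   for a in addrs} for name, addrs in answers.items()}
    support = defaultdict(int)
    for s in nets.values():
        for n in s:
            support[n] += 1
    majority = {n for n, c in support.items() if c > len(nets) / 2}
    if not majority:
        return []
    return sorted(name for name, s in nets.items() if not (s & majority))


def run_dig(*args: str) -> str:
    """Run dig live (needs network); not used by the offline demo below."""
    return subprocess.run(["dig", *args], capture_output=True, text=True,
                          check=True).stdout


# --- constructed sample data -------------------------------------------------
GOOGLE_TXT = '"203.0.113.10"\n"edns0-client-subnet 129.122.222.0/24"\n'
CLOUDFLARE_TXT = '"172.69.0.25"\n'
TCPDUMP_SAMPLE = ("17:55:54.120 IP 172.69.0.25.41234 > 203.0.113.5.53: "
                  "12345+ [1au] A? delegated.example.com. (51)\n")
SAMPLE_ANSWERS = {  # a.trellocdn.com answers as posted in the thread
    "Google": ["52.85.23.128"], "Quad9": ["52.85.214.84"],
    "OpenDNS": ["52.85.23.19"], "Cloudflare": ["99.86.19.109"],
}

if __name__ == "__main__":
    print("Google ECS:", ecs_enabled(GOOGLE_TXT), parse_myaddr_txt(GOOGLE_TXT))
    print("Cloudflare ECS:", ecs_enabled(CLOUDFLARE_TXT))
    for src in tcpdump_sources(TCPDUMP_SAMPLE):
        print(src, "in 172.64.0.0/13:", is_cloudflare_egress(src))
    print("outlier resolvers:", outlier_resolvers(SAMPLE_ANSWERS))
    # Live variant (network required):
    # live = {n: parse_a_records(run_dig("a.trellocdn.com", "@" + ip))
    #         for n, ip in RESOLVERS.items()}
```

Run it as-is for the offline demo; swap in `run_dig` for live queries from the network you are diagnosing, since both the ECS subnet and the egress address depend on where the query enters the resolver.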

Thank you for information.

In this case, how can I resolve it? Point to the correct server? CloudFront?
