1.1.1.1 unreachable on Maxis (AS9534), Kuala Lumpur Malaysia

In short, 1.1.1.1 appears to be unreachable when attempting to connect from AS9534 - Maxis's network.

Services (HTTPS, TCP 443; DNS, UDP 53; DoT, TCP 853) on IP 1.1.1.1 have been unreachable for close to two weeks, since the week of October 10th, 2019 (or even longer; and they still remain unreachable at the time of writing). However, these services on the backup 1.0.0.1 are fine and reachable.

The issue seemed to be only on their (Maxis) network, as testing with other local ISPs showed 1.1.1.1 and 1.0.0.1 are accessible (at least locally).

A bit of background (feel free to skip if you feel it is too long):
First-level support on Maxis's helpline proved unhelpful and did not understand the problem, and attempts to escalate to their network team failed as the latter failed to respond in a timely manner. The problem was escalated through a public report/complaint to the relevant local government agency (MCMC); Maxis has been notified by MCMC of the report but has yet to provide any update acknowledging the problem. Hence the post here. Not sure if there is anything Cloudflare could do from their end about this.

$ dig www.google.com @1.1.1.1

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> www.google.com @1.1.1.1
;; global options: +cmd
;; connection timed out; no servers could be reached

$ dig www.google.com @1.0.0.1

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> www.google.com @1.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29830
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 23 IN A 172.217.24.164

;; Query time: 5 msec
;; SERVER: 1.0.0.1#53(1.0.0.1)
;; WHEN: Sun Oct 20 10:57:01 +08 2019
;; MSG SIZE rcvd: 59

$ dig www.google.com @8.8.8.8

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> www.google.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26453
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 193 IN A 172.217.166.132

;; Query time: 5 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Oct 20 10:57:49 +08 2019
;; MSG SIZE rcvd: 59

$ dig +short CHAOS TXT id.server @1.1.1.1
;; connection timed out; no servers could be reached

$ dig +short CHAOS TXT id.server @1.0.0.1
"KUL"

$ dig @ns3.Cloudflare.com whoami.Cloudflare.com txt +short
"121.122.107.11"

Trace routes:

$ traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
1 10.17.0.1 (10.17.0.1) 0.542 ms 0.718 ms 0.596 ms
2 121.122.107.1 (121.122.107.1) 25.030 ms 25.016 ms 24.979 ms
3 * * *
4 58.71.243.49 (58.71.243.49) 4.513 ms 3.958 ms 4.036 ms
5 58.71.244.246 (58.71.244.246) 4.082 ms * 3.768 ms
6 58.71.241.105 (58.71.241.105) 3.957 ms 5.326 ms 5.045 ms
7 * * *
8 172.22.134.5 (172.22.134.5) 10.642 ms 10.766 ms 10.555 ms
9 * * *
10 172.22.136.42 (172.22.136.42) 11.379 ms 11.556 ms 11.611 ms
11 172.25.208.2 (172.25.208.2) 10.298 ms 9.823 ms 9.813 ms
12 172.25.208.18 (172.25.208.18) 9.822 ms 10.322 ms 9.712 ms
13 * * *
14 * * *
15 * * *
16 * * *
17 * one.one.one.one (1.1.1.1) 10.699 ms 10.686 ms

$ traceroute 1.0.0.1
traceroute to 1.0.0.1 (1.0.0.1), 30 hops max, 60 byte packets
1 10.17.0.1 (10.17.0.1) 0.775 ms 0.486 ms 0.578 ms
2 121.122.107.1 (121.122.107.1) 2.508 ms 2.846 ms 2.856 ms
3 * * *
4 58.71.243.49 (58.71.243.49) 4.542 ms 4.309 ms 12.508 ms
5 58.71.244.246 (58.71.244.246) 4.311 ms * *
6 58.71.241.105 (58.71.241.105) 4.316 ms 4.588 ms 4.535 ms
7 * * *
8 * * *
9 172.22.144.134 (172.22.144.134) 5.210 ms 4.916 ms 3.881 ms
10 cloudflare.myix.my (218.100.44.185) 5.740 ms 5.639 ms 6.007 ms
11 one.one.one.one (1.0.0.1) 5.412 ms 4.893 ms 5.750 ms

$ dig +tcp @1.1.1.1 id.server CH TXT
;; Connection to 1.1.1.1#53(1.1.1.1) for id.server failed: timed out.
;; Connection to 1.1.1.1#53(1.1.1.1) for id.server failed: timed out.

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> +tcp @1.1.1.1 id.server CH TXT
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
;; Connection to 1.1.1.1#53(1.1.1.1) for id.server failed: timed out.

$ dig +tcp @1.0.0.1 id.server CH TXT

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> +tcp @1.0.0.1 id.server CH TXT
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12955
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;id.server. CH TXT

;; ANSWER SECTION:
id.server. 0 CH TXT "KUL"

;; Query time: 5 msec
;; SERVER: 1.0.0.1#53(1.0.0.1)
;; WHEN: Sun Oct 20 11:33:31 +08 2019
;; MSG SIZE rcvd: 54

More connection info below:

https://cloudflare-dns.com/help/#eyJpc0NmIjoiWWVzIiwiaXNEb3QiOiJZZXMiLCJpc0RvaCI6Ik5vIiwicmVzb2x2ZXJJcC0xLjEuMS4xIjoiTm8iLCJyZXNvbHZlcklwLTEuMC4wLjEiOiJZZXMiLCJyZXNvbHZlcklwLTI2MDY6NDcwMDo0NzAwOjoxMTExIjoiTm8iLCJyZXNvbHZlcklwLTI2MDY6NDcwMDo0NzAwOjoxMDAxIjoiTm8iLCJkYXRhY2VudGVyTG9jYXRpb24iOiJLVUwiLCJpc3BOYW1lIjoiQ2xvdWRmbGFyZSIsImlzcEFzbiI6IjEzMzM1In0=

Honestly, I don't think Cloudflare will intervene here, I am afraid.

There are plenty of ISPs out there who block or hijack these addresses for whatever reason, sometimes deliberately, sometimes not.

You can certainly try and contact them at their [email protected] email address, but I somewhat doubt they will do much about it. I can understand that Cloudflare can't chase down each of them individually and try to get them to reconsider their routing policies.

Your best path might still be pressing the ISP, or continuing to go via the local regulator.
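An added example, not part of the thread: a small parser run over the responding hops of the two traceroutes in the first post, reporting the last router seen before each destination and whether it sits in private address space. The function names are made up for this sketch; a private last hop is only a hint that the address is being handled inside the provider's network, since silent hops can hide the handoff.

```python
import ipaddress
import re

# Responding hops copied from the two traceroutes in the first post
# (silent "* * *" hops left out, hop numbers kept).
TO_1_1_1_1 = """\
1 10.17.0.1 (10.17.0.1) 0.542 ms 0.718 ms 0.596 ms
2 121.122.107.1 (121.122.107.1) 25.030 ms 25.016 ms 24.979 ms
4 58.71.243.49 (58.71.243.49) 4.513 ms 3.958 ms 4.036 ms
5 58.71.244.246 (58.71.244.246) 4.082 ms * 3.768 ms
6 58.71.241.105 (58.71.241.105) 3.957 ms 5.326 ms 5.045 ms
8 172.22.134.5 (172.22.134.5) 10.642 ms 10.766 ms 10.555 ms
10 172.22.136.42 (172.22.136.42) 11.379 ms 11.556 ms 11.611 ms
11 172.25.208.2 (172.25.208.2) 10.298 ms 9.823 ms 9.813 ms
12 172.25.208.18 (172.25.208.18) 9.822 ms 10.322 ms 9.712 ms
17 * one.one.one.one (1.1.1.1) 10.699 ms 10.686 ms
"""
TO_1_0_0_1 = """\
1 10.17.0.1 (10.17.0.1) 0.775 ms 0.486 ms 0.578 ms
2 121.122.107.1 (121.122.107.1) 2.508 ms 2.846 ms 2.856 ms
4 58.71.243.49 (58.71.243.49) 4.542 ms 4.309 ms 12.508 ms
5 58.71.244.246 (58.71.244.246) 4.311 ms * *
6 58.71.241.105 (58.71.241.105) 4.316 ms 4.588 ms 4.535 ms
9 172.22.144.134 (172.22.144.134) 5.210 ms 4.916 ms 3.881 ms
10 cloudflare.myix.my (218.100.44.185) 5.740 ms 5.639 ms 6.007 ms
11 one.one.one.one (1.0.0.1) 5.412 ms 4.893 ms 5.750 ms
"""
HOP = re.compile(r"^\s*(\d+)\s+(?:\*\s+)*(\S+)\s+\(([\d.]+)\)")

def hops(text):
    """Return [(hop_number, name, ip_address)] for every hop that answered."""
    found = (HOP.match(line) for line in text.splitlines())
    return [(int(m[1]), m[2], ipaddress.ip_address(m[3])) for m in found if m]

def summarize(text, dest):
    """Last router seen before dest, and how many hops stayed silent after it."""
    path = hops(text)
    reached = path[-1][2] == ipaddress.ip_address(dest)
    routers = path[:-1] if reached else path
    last_no, _, last_ip = routers[-1]
    return {"reached": reached, "last_router": str(last_ip),
            "last_router_private": last_ip.is_private,
            "silent_hops": path[-1][0] - last_no - 1 if reached else None}

if __name__ == "__main__":
    print("1.1.1.1:", summarize(TO_1_1_1_1, "1.1.1.1"))
    print("1.0.0.1:", summarize(TO_1_0_0_1, "1.0.0.1"))
```

On the posted data, the 1.0.0.1 path hands off at the public exchange hop `cloudflare.myix.my` directly before the destination, while the last router visible on the 1.1.1.1 path is in 172.16.0.0/12, followed by four silent hops.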