Can't use 1.1.1.1 from ISP's network (interbel.com)


#1

Summary - I can’t reach 1.1.1.1 on the web or use DNS from 1.1.1.1. 1.0.0.1 works for both. How do we get ISPs to care?

I can’t dig anything on 1.1.1.1, but 1.0.0.1 works.

dig google.com @1.1.1.1
;; WARNING: response timeout for 1.1.1.1@53(UDP)

dig google.com @1.0.0.1
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 38064
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION:
;; google.com. IN A
;; ANSWER SECTION:
google.com. 139 IN A 172.217.2.14
;; Received 44 B
;; Time 2018-12-21 15:00:57 MST
;; From 1.0.0.1@53(UDP) in 52.5 ms

This looks to me like my ISP has issues:
traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
1 192.168.0.1 (192.168.0.1) 0.482 ms 0.900 ms 0.884 ms
2 * * 1.229.217.162.interbel.net (162.217.229.1) 3.851 ms

Again, 1.0.0.1 looks normal
traceroute 1.0.0.1
traceroute to 1.0.0.1 (1.0.0.1), 30 hops max, 60 byte packets
1 192.168.0.1 (192.168.0.1) 0.609 ms 0.954 ms 1.196 ms
2 1.229.217.162.interbel.net (162.217.229.1) 3.325 ms 3.318 ms 3.309 ms
3 209.206.186.161 (209.206.186.161) 5.125 ms 5.123 ms 5.115 ms
4 bb-klslmtxc-jx4-02-ae0.core.centurytel.net (206.51.69.150) 5.424 ms 5.418 ms 5.408 ms
5 bb-chcgilwu-jx9-02-ae2-0.core.centurylink.net (204.9.121.173) 45.200 ms 45.212 ms 45.197 ms
6 * * *
7 dvr-brdr-02.inet.qwest.net (67.14.24.14) 52.027 ms 49.650 ms 49.618 ms
8 63.146.26.154 (63.146.26.154) 49.608 ms 48.160 ms 48.136 ms
9 209.58.57.70 (209.58.57.70) 59.250 ms 58.452 ms 58.424 ms
10 one.one.one.one (1.0.0.1) 58.405 ms 51.677 ms 51.674 ms

dig +short CHAOS TXT id.server @1.1.1.1
;; WARNING: response timeout for 1.1.1.1@53(UDP)

dig +tcp @1.1.1.1 id.server CH TXT
;; WARNING: can't connect to 1.1.1.1@53(TCP)
;; WARNING: failed to query server 1.1.1.1@53(TCP)

dig +tcp @1.0.0.1 id.server CH TXT
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 12473
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 0
;; QUESTION SECTION:
;; id.server. CH TXT
;; ANSWER SECTION:
id.server. 0 CH TXT "DEN"

This doesn’t look right, only 443? Again, 1.0.0.1 looks fine.
nmap 1.1.1.1
Starting Nmap 7.01 ( https://nmap.org ) at 2018-12-21 15:06 MST
Nmap scan report for one.one.one.one (1.1.1.1)
Host is up (0.0036s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
443/tcp open https

nmap 1.0.0.1
Starting Nmap 7.01 ( https://nmap.org ) at 2018-12-21 15:06 MST
Nmap scan report for one.one.one.one (1.0.0.1)
Host is up (0.052s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
443/tcp open https

openssl s_client -connect 1.1.1.1:853
139948611577600:error:0200206F:system library:connect:Connection refused:…/crypto/bio/b_sock2.c:110:
139948611577600:error:2008A067:BIO routines:BIO_connect:connect error:…/crypto/bio/b_sock2.c:111:
connect:errno=111

curl -v "https://1.1.1.1/dns-query?ct=application/dns-json&name=cloudflare.com"

* Trying 1.1.1.1…
* Connected to 1.1.1.1 (1.1.1.1) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 597 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* gnutls_handshake() failed: The TLS connection was non-properly terminated.
* Closing connection 0
curl: (35) gnutls_handshake() failed: The TLS connection was non-properly terminated.
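
One way to make the nmap discrepancy above explicit when reporting it to an ISP, as an added example that is not part of the original post: it parses the two reports quoted in the post and lists where 1.1.1.1 differs from 1.0.0.1. It assumes both addresses front the same resolver service and should therefore look alike; the function names and the 5x latency threshold are choices made for this example.

```python
import re

# nmap reports copied from the post above (only the lines that are parsed).
NMAP_1111 = """\
Nmap scan report for one.one.one.one (1.1.1.1)
Host is up (0.0036s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
443/tcp open https
"""
NMAP_1001 = """\
Nmap scan report for one.one.one.one (1.0.0.1)
Host is up (0.052s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
443/tcp open https
"""

def parse_nmap(report):
    """Extract target IP, latency (seconds), state of unlisted ports, open TCP ports."""
    target = re.search(r"scan report for .*\(([\d.]+)\)", report).group(1)
    latency = float(re.search(r"\(([\d.]+)s latency\)", report).group(1))
    hidden = re.search(r"Not shown: \d+ (\w+) ports", report)
    ports = {int(p) for p in re.findall(r"^(\d+)/tcp\s+open\b", report, re.M)}
    return {"target": target, "latency": latency,
            "hidden_state": hidden.group(1) if hidden else None, "open": ports}

def compare(suspect, baseline, ratio=5.0):
    """List how `suspect` differs from `baseline` (assumed to be the same service)."""
    s, b, findings = suspect["target"], baseline["target"], []
    missing = baseline["open"] - suspect["open"]
    if missing:
        findings.append(f"ports open on {b} but not on {s}: {sorted(missing)}")
    if suspect["hidden_state"] != baseline["hidden_state"]:
        findings.append(f"unlisted ports are {suspect['hidden_state']} on {s} "
                        f"vs {baseline['hidden_state']} on {b}")
    # A much lower round-trip time suggests the responder sits closer than the baseline.
    if suspect["latency"] > 0 and baseline["latency"] / suspect["latency"] >= ratio:
        speedup = baseline["latency"] / suspect["latency"]
        findings.append(f"{s} answers {speedup:.1f}x faster than {b}, "
                        "so the responder is probably much closer")
    return findings

if __name__ == "__main__":
    for line in compare(parse_nmap(NMAP_1111), parse_nmap(NMAP_1001)):
        print("-", line)
```
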

#2

:wave: @morksmail,

Hard question to answer. Best path is probably to log a ticket with your ISP and then ask them to escalate it to their networking team since it is a network issue. A regular help desk user most likely won’t actually care.

-OG