Cloudflare DNS blocked with ACT ISP in India


#1

ACT is one of the leading ISPs in India with Gigabit Internet - (https://en.wikipedia.org/wiki/Atria_Convergence_Technologies)

Unfortunately 1.1.1.1 seems to be blocked; I’m using 8.8.8.8 with no issues.

; <<>> DiG 9.11.2-P1 <<>> example.com @1.1.1.1
;; global options: +cmd
;; connection timed out; no servers could be reached



; <<>> DiG 9.11.2-P1 <<>> example.com @1.0.0.1
;; global options: +cmd
;; connection timed out; no servers could be reached


;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27478
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;example.com.			IN	A

;; ANSWER SECTION:
example.com.		9890	IN	A	93.184.216.34

;; Query time: 52 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Apr 27 04:43:59 IST 2018
;; MSG SIZE  rcvd: 56


dig +short CHAOS TXT id.server @1.1.1.1
;; connection timed out; no servers could be reached


dig +short CHAOS TXT id.server @1.0.0.1
;; connection timed out; no servers could be reached

#2

What does a traceroute look like?


#3

Hi,

Cloudflare

traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  _gateway (192.168.3.1)  0.452 ms  0.469 ms  0.469 ms
 2  broadband.actcorp.in (SERVER_IN_MY_CITY)  1.691 ms  1.706 ms  1.705 ms
 3  broadband.actcorp.in (106.51.156.77)  2.831 ms  3.228 ms  3.439 ms
 4  broadband.actcorp.in (106.51.156.65)  2.475 ms  2.780 ms  3.675 ms
 5  14.142.235.101.static-chennai.vsnl.net.in (14.142.235.101)  1.654 ms  1.807 ms  1.819 ms
 6  172.31.29.245 (172.31.29.245)  29.828 ms  28.652 ms *
 7  172.23.78.234 (172.23.78.234)  25.752 ms  25.757 ms  25.751 ms
 8  * * *
 9  115.114.85.237 (115.114.85.237)  34.410 ms  34.397 ms  34.335 ms
10  if-ina-2.tcore2.SVW-Singapore.as6453.net (180.87.12.226)  70.826 ms  71.071 ms  70.745 ms
11  if-ae-11-2.thar1.SVQ-Singapore.as6453.net (180.87.98.37)  78.113 ms  78.510 ms  77.678 ms
12  120.29.214.90 (120.29.214.90)  67.034 ms  67.041 ms  66.689 ms
13  1dot1dot1dot1.cloudflare-dns.com (1.1.1.1)  66.632 ms  67.055 ms  67.064 ms

Google,

traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  _gateway (192.168.3.1)  0.351 ms  0.353 ms  0.345 ms
 2  broadband.actcorp.in (SERVER_IN_MY_CITY)  1.482 ms  1.486 ms  1.478 ms
 3  broadband.actcorp.in (106.51.156.77)  3.884 ms  4.302 ms  4.518 ms
 4  broadband.actcorp.in (106.51.156.65)  2.584 ms  2.927 ms  3.224 ms
 5  broadband.actcorp.in (106.51.113.74)  19.552 ms  19.922 ms  20.131 ms
 6  72.14.194.18 (72.14.194.18)  18.936 ms  17.996 ms  18.379 ms
 7  74.125.242.147 (74.125.242.147)  19.088 ms 108.170.253.106 (108.170.253.106)  19.150 ms 74.125.242.147 (74.125.242.147)  19.066 ms
 8  216.239.63.213 (216.239.63.213)  51.788 ms 216.239.63.211 (216.239.63.211)  51.498 ms 216.239.63.213 (216.239.63.213)  52.114 ms
 9  216.239.40.227 (216.239.40.227)  50.286 ms 216.239.48.47 (216.239.48.47)  51.745 ms 209.85.255.80 (209.85.255.80)  51.679 ms
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  google-public-dns-a.google.com (8.8.8.8)  50.469 ms  51.334 ms  51.343 ms

#4

This seems strange: you are able to reach the servers. Would you mind trying to do the TCP steps in here?

EDIT: also do the last curl command.


#5

Hi @matteo

Yes, it’s interesting. Here are the TCP results,

dig +tcp @1.1.1.1 id.server CH TXT
;; Connection to 1.1.1.1#53(1.1.1.1) for id.server failed: timed out.
;; Connection to 1.1.1.1#53(1.1.1.1) for id.server failed: timed out.

; <<>> DiG 9.11.2-P1 <<>> +tcp @1.1.1.1 id.server CH TXT
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
;; Connection to 1.1.1.1#53(1.1.1.1) for id.server failed: timed out.


dig +tcp @1.0.0.1 id.server CH TXT
;; Connection to 1.0.0.1#53(1.0.0.1) for id.server failed: timed out.
;; Connection to 1.0.0.1#53(1.0.0.1) for id.server failed: host unreachable.

#6

And if you try opening the page in the browser? It may be that only port 53 is blocked…
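
The checks discussed in posts #1 to #6 (dig over UDP, dig over TCP, then a web request to the same address), gathered into one script as an added example; it is not from any poster in this thread or from Cloudflare. The function names, the timeouts and the use of curl against https://RESOLVER/ as the port-443 check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): test one resolver on UDP/53, TCP/53
# and HTTPS/443 to separate a port-53 filter from an address that answers nothing.

# classify_dig: read full dig output on stdin, print one result word.
# Any DNS response header counts as "answered", whatever the rcode.
classify_dig() {
    awk '
        /->>HEADER<<-/ { a = 1 }
        /unreachable/  { u = 1 }
        /timed out/    { t = 1 }
        END { print (a ? "answered" : u ? "unreachable" : t ? "timeout" : "unknown") }'
}

# verdict UDP53 TCP53 HTTPS443: combine the three results into one finding.
verdict() {
    case "$1/$2/$3" in
        answered/answered/*) echo "DNS reachable on UDP and TCP" ;;
        answered/*/*)        echo "UDP/53 works, TCP/53 filtered" ;;
        */answered/*)        echo "TCP/53 works, UDP/53 filtered" ;;
        */*/ok)              echo "only port 53 filtered" ;;
        *)                   echo "nothing reachable at this address" ;;
    esac
}

# probe RESOLVER: run the live checks (needs dig and curl on PATH).
# The 3 s / 5 s timeouts and the HTTPS check are assumptions of this example.
probe() {
    udp=$(dig +notcp +time=3 +tries=1 "@$1" id.server CH TXT 2>&1 | classify_dig)
    tcp=$(dig +tcp +time=3 +tries=1 "@$1" id.server CH TXT 2>&1 | classify_dig)
    # A TLS or certificate failure also counts as "fail" here.
    if curl -s -o /dev/null --max-time 5 "https://$1/"; then web=ok; else web=fail; fi
    echo "$1 udp53=$udp tcp53=$tcp https443=$web: $(verdict "$udp" "$tcp" "$web")"
}

# Usage: sh dnsprobe.sh 1.1.1.1 1.0.0.1 8.8.8.8
if [ "$#" -gt 0 ]; then
    for r in "$@"; do probe "$r"; done
fi
```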


#7

@matteo

It’s not the case. The reason I got suspicious in the first place about my ISP blocking your DNS is that I wasn’t able to open web pages after changing DNS. I tried multiple times and did other troubleshooting before posting it here.

I saw another post about this DNS being blocked by another major ISP in India - https://community.cloudflare.com/t/cloudflare-dns-not-working-in-india-isp-airtel-may-have-blocked-it/16419

Perhaps Cloudflare DNS is blacklisted countrywide?


#8

I don’t believe so, but that is something Cloudflare would have to check out… Do Google’s work?


#9

Yes, Google works fine & I’ve been using it for several years across several ISPs. I would suggest that Cloudflare check with http://www.dot.gov.in/.


#10

It wouldn’t make much sense to allow Google’s and not Cloudflare’s. That would probably be a simple misconfigured network.


#11

Hi
Is 1.1.1.1 working with your ISP now? Also, if possible, please tell me whether your ISP is blocking only 1.1.1.1 or all third-party DNS like Google, OpenDNS, CleanBrowsing, etc.


#12

Hi @raghavdua

No, it doesn’t work on ACT yet. As I posted earlier, it doesn’t have issues with other DNS.

I think this will be the case till Cloudflare gets in touch with Indian ISPs. But though @matteo did spend his time to resolve this, I think getting it working across Indian ISPs isn’t on the priority list for Cloudflare; also Google DNS does seem faster, at least as of now.