Hi,
I have been doing some testing on my side to understand the working of Cloudflare's 1.1.1.1 anycast DNS resolver service.
I was trying to find out the IP address that the resolver uses to contact the authoritative DNS servers for a particular domain. To do those tests, I tried using the domain resolver-identity.cloudfront.net, which tells you the recursive resolver's IP address. The command that I used was `dig resolver-identity.cloudfront.net @1.1.1.1`, and sometimes I got the IP of the resolver and sometimes not. Does Cloudflare's recursive resolver 1.1.1.1 try to block DNS resolutions that return its own IP address? When I tried using Google's 8.8.8.8, I always got the recursive resolver's IP.
Adding more information related to my test results:
dig resolver-identity.cloudfront.net @1.1.1.1
; <<>> DiG 9.10.6 <<>> resolver-identity.cloudfront.net @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18693
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;resolver-identity.cloudfront.net. IN A
;; AUTHORITY SECTION:
cloudfront.net. 60 IN SOA ns-418.awsdns-52.com. hostmaster.cloudfront.net. 1377556270 16384 2048 1048576 60
;; Query time: 443 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sat Nov 24 13:26:51 IST 2018
;; MSG SIZE rcvd: 142

dig resolver-identity.cloudfront.net @1.1.1.1
; <<>> DiG 9.10.6 <<>> resolver-identity.cloudfront.net @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11034
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;resolver-identity.cloudfront.net. IN A
;; ANSWER SECTION:
resolver-identity.cloudfront.net. 10 IN A 162.158.163.81
;; Query time: 282 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sat Nov 24 13:28:09 IST 2018
;; MSG SIZE rcvd: 77
cloudfront.net has both IPv4 and IPv6 nameservers. So if you ask an IPv6 server for resolver-identity.cloudfront.net A, it will return a negative response. And if you ask an IPv4 server for AAAA, it will also return a negative response.
When you're using a dual-stack resolver, like 1.1.1.1, it will work intermittently.
You have to use a test that's carefully configured with IPv4-only or IPv6-only nameservers, or that uses TXT records, such as those operated by Akamai or PowerDNS.
https://developer.akamai.com/blog/2018/05/10/introducing-new-whoami-tool-dns-resolver-information
https://powerdns.org/useful-names/
$ dig +short whoami.ds.akahelp.net txt @one.one.one.one
"ns" "2400:cb00:27:1024::a29e:b846"
$ dig +short whoami.v6.powerdns.org aaaa @one.one.one.one
2400:cb00:27:1024::a29e:b86a
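The following probe script is an added illustration of the point made in the reply above; it is not code from either post. It classifies a full `dig` response as an answer, a NODATA negative response (NOERROR, no ANSWER, SOA in AUTHORITY, exactly what the first dig run in the question shows) or something else, and in `--live` mode repeats the queries named in this thread against one.one.one.one so the dual-stack mix shows up as counts rather than one lucky run. The `--live` flag, the repeat count, and the sample responses (trimmed or reconstructed from the dig output quoted above) are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Classifies full "dig" output as an
# answer or a NODATA negative response, and in --live mode (an assumption of
# this script) repeats the thread's queries to show the dual-stack mix.

# classify: read one full dig response on stdin and print one line:
#   answer TYPE=RDATA[|TYPE=RDATA...]  if the ANSWER section holds records
#   nodata                             if NOERROR with no answer and an SOA
#                                      in AUTHORITY (the negative response)
#   other STATUS                       anything else (NXDOMAIN, SERVFAIL, ...)
classify() {
    awk '
        /^;; ->>HEADER<<-/ {
            s = $0; sub(/.*status: /, "", s); sub(/,.*/, "", s); status = s
        }
        /^;; ANSWER SECTION:/    { sec = "answer";    next }
        /^;; AUTHORITY SECTION:/ { sec = "authority"; next }
        /^;; /                   { sec = "" }
        sec == "answer" && $3 == "IN" {
            r = $5
            for (i = 6; i <= NF; i++) r = r " " $i
            answers = answers (answers == "" ? "" : "|") $4 "=" r
        }
        sec == "authority" && $4 == "SOA" { soa = 1 }
        END {
            if (answers != "")                    print "answer " answers
            else if (status == "NOERROR" && soa)  print "nodata"
            else                                  print "other " status
        }'
}

# classify_text: wrapper so a response held in a variable can be classified.
classify_text() {
    printf '%s\n' "$1" | classify
}

# Constructed samples, trimmed from the dig output quoted in the thread.
SAMPLE_NODATA=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18693
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;resolver-identity.cloudfront.net. IN A
;; AUTHORITY SECTION:
cloudfront.net. 60 IN SOA ns-418.awsdns-52.com. hostmaster.cloudfront.net. 1377556270 16384 2048 1048576 60
;; Query time: 443 msec'

SAMPLE_A=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11034
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;resolver-identity.cloudfront.net. IN A
;; ANSWER SECTION:
resolver-identity.cloudfront.net. 10 IN A 162.158.163.81
;; Query time: 282 msec'

# Reconstructed in full-output form from the +short line in the thread;
# the TTL of 0 and the id are assumptions.
SAMPLE_TXT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; QUESTION SECTION:
;whoami.ds.akahelp.net. IN TXT
;; ANSWER SECTION:
whoami.ds.akahelp.net. 0 IN TXT "ns" "2400:cb00:27:1024::a29e:b846"
;; Query time: 1 msec'

# probe NAME TYPE RESOLVER COUNT: repeat the query and tally the distinct
# classifications. A dual-stack resolver that sometimes reaches cloudfront.net
# over IPv6 shows up here as a mix of "answer" and "nodata" for the A query.
probe() {
    name=$1; type=$2; resolver=$3; count=$4
    i=0
    while [ "$i" -lt "$count" ]; do
        dig +tries=1 +time=3 "$name" "$type" "@$resolver" | classify
        i=$((i + 1))
    done | sort | uniq -c
}

if [ "${1:-}" = "--live" ] && command -v dig >/dev/null 2>&1; then
    resolver=${2:-one.one.one.one}
    for q in "resolver-identity.cloudfront.net A" \
             "resolver-identity.cloudfront.net AAAA" \
             "whoami.ds.akahelp.net TXT" \
             "whoami.v6.powerdns.org AAAA"; do
        echo "== $q @$resolver"
        probe $q "$resolver" 10   # $q unquoted on purpose: splits into NAME TYPE
    done
else
    echo "offline: classifier self-check"
    echo "nodata sample -> $(classify_text "$SAMPLE_NODATA")"
    echo "A sample      -> $(classify_text "$SAMPLE_A")"
    echo "TXT sample    -> $(classify_text "$SAMPLE_TXT")"
fi
```

Run it as `sh probe.sh --live one.one.one.one`, then again with `8.8.8.8` as the second argument, and compare the tallies: the A query for resolver-identity.cloudfront.net should split between `answer` and `nodata` on a dual-stack resolver, while the TXT-based Akamai name answers every time. Note that dig's own `-4`/`-6` options only pick the family between you and the resolver; the family the resolver uses towards the authoritative server is what the whoami answer reveals, and it is not under your control.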