Cloudflare DNS missing popular site: blocklisted?

What is the name of the domain?

kumbh.gov.in

What is the error number?

N/A

What is the error message?

Browser dependent: either “DNS address could not be found” or (if forced HTTPS) “a HTTPS version of kumbh.gov.in is not available”

What is the issue you’re encountering

No DNS lookup possible and/or no HTTPS certificate returned for this domain when using DNS over TLS (IPv4 to 1.1.1.1 & 1.0.0.1)

What steps have you taken to resolve the issue?

Gathering information only so far. I’m not an expert on either Cloudflare or DNS over TLS, but can confirm my configuration has been working for months and this is the first worldwide common web site that it’s failed on.

Many (local and global) users of this web site confirm it’s accessible, at least in vanilla configurations… there would be an Indian government debacle if it weren’t. So the failure either comes from Cloudflare somehow blocking this domain (by either withholding its DNS record or its HTTPS certificate) or the web site somehow being configured to prevent access unless non-proxied DNS & HTTPS are being used.

What are the steps to reproduce the issue?

On Google DNS:

$ kdig @8.8.8.8 +tls-ca kumbh.gov.in A
;; TLS session (TLS1.3)-(ECDHE-X25519)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 11247
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 512 B; ext-rcode: NOERROR
;; PADDING: 407 B

;; QUESTION SECTION:
;; kumbh.gov.in.               IN    A

;; ANSWER SECTION:
kumbh.gov.in.           36    IN    A    164.100.181.175

;; Received 468 B
;; Time 2024-11-05 15:57:19 IST
;; From 8.8.8.8@853(TLS) in 135.2 ms

On Cloudflare (on our system on which all browser access is failing):

$ kdig @1.1.1.1 +tls-ca kumbh.gov.in A
;; TLS session (TLS1.3)-(ECDHE-X25519)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 55728
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1232 B; ext-rcode: NOERROR
;; EDE: 23 (Network Error): '164.100.181.101:53 timed out for kumbh.gov.in DNSKEY'
;; PADDING: 349 B

;; QUESTION SECTION:
;; kumbh.gov.in.               IN    A

;; ANSWER SECTION:
kumbh.gov.in.           60    IN    A    164.100.181.175

;; Received 468 B
;; Time 2024-11-05 15:57:06 IST
;; From 1.1.1.1@853(TLS) in 2779.6 ms

The latter error for the query through Cloudflare:

;; EDE: 23 (Network Error): '164.100.181.101:53 timed out for kumbh.gov.in DNSKEY'

is what concerns me the most because it most resembles the error message appearing when forcing HTTPS and trying to press through the “Secure Site Not Available” message that appears in Firefox-based browsers… and since kdig shows no such “timed out” message when using Google DNS.

If anyone suspects this is a local configuration problem, or even a configuration problem on the target web site, I would still appreciate some insight about why we can’t access the site even if Cloudflare is doing nothing to block the domain.

p.s. this may be a problem, at least in part, of the earlier problem reported here:

The IP addresses returned by both Google and Cloudflare are identical. The error in the response is in trying to retrieve the DNS key value from the origin server.

You can’t access the website because nothing is listening on port 443 on the IP address specified.

thanks @CCCCC but please help me understand this:

The server at this IP address is definitely listening on port 443:

$ telnet 164.100.181.175 443
Trying 164.100.181.175...
Connected to 164.100.181.175.
Escape character is '^]'.

Through DNS over TLS, there is no IP address returned through the DNS resolver by Cloudflare:

$ dig kumbh.gov.in
;; communications error to 127.0.0.53#53: timed out
;; communications error to 127.0.0.53#53: timed out
;; communications error to 127.0.0.53#53: timed out

; <<>> DiG 9.18.28-0ubuntu0.24.04.1-Ubuntu <<>> kumbh.gov.in
;; global options: +cmd
;; no servers could be reached

So apparently this :arrow_up: is what it’s timing out on… not accessing port 443, but (according to the kdig to 1.1.1.1 above) accessing port 53. Why is it going through that additional step, and why is Cloudflare DNS over TLS timing out because of it?

There is something about this site’s configuration that prevents access through Cloudflare DNS over TLS, and we are trying to phrase the problem precisely so we can report it… and, if possible, to find a workaround for our users other than disabling DNS over TLS through Cloudflare entirely.

p.s. @cscharff my apologies for the reference @CCCCC above: I used this as an abbreviation when writing & now am not allowed to edit my post.

Some last notes, unless someone else answers:

We have the same problem:
when substituting Quad9’s servers for Cloudflare’s
when disabling DNSSEC in our DNS over TLS settings

Interestingly we cannot access this site through a VPN either & have to assume for now this very widely used Indian Government administered site kumbh.gov.in has somehow been configured not to respond to HTTP or HTTPS unless through a natural broadband connection.

I hope someone on this forum has some idea how this has been done or can at least suggest some possibilities. I would think the possibility of a web server / domain configuration that is “resistant” to Cloudflare DNS would be of interest to the forum population here.

p.s. the above list was corrupted from what I entered, with previewing impossible because this forum obscures the Discourse preview window with a “new user” nag. I’ll try it again here (this list should have 3 items on it: DNSSEC, IPv6, Quad9):

Some last notes, unless someone else answers: we have the same problem

  • when disabling DNSSEC in our DNS over TLS settings
  • whether or not Cloudflare IPv6 DNS servers are in our configuration (vs. IPv4 alone)
  • when substituting Quad9’s servers for Cloudflare’s

What is your actual connection to the kumbh.gov.in domain name?

According to the Indian domain registry, the domain “kumbh.gov.in” has currently been delegated to the two name servers, “ns1.kumbh.gov.in” and “ns2.kumbh.gov.in”.

As the name servers are below its own domain, it is necessary to add some GLUE records to the domain registry.

By following the chain in the DNS system, we’re pretty much failing right after the “*.registry.in” name servers:

$ dig +trace NS kumbh.gov.in
[...]
in.                     172800  IN      NS      ns1.registry.in.
in.                     172800  IN      NS      ns2.registry.in.
in.                     172800  IN      NS      ns3.registry.in.
in.                     172800  IN      NS      ns4.registry.in.
in.                     172800  IN      NS      ns5.registry.in.
in.                     172800  IN      NS      ns6.registry.in.

;; Received 757 bytes from 170.247.170.2#53(b.root-servers.net) in 52 ms

kumbh.gov.in.           3600    IN      NS      ns2.kumbh.gov.in.
kumbh.gov.in.           3600    IN      NS      ns1.kumbh.gov.in.

couldn't get address for 'ns2.kumbh.gov.in': failure
couldn't get address for 'ns1.kumbh.gov.in': failure
dig: couldn't get address for 'ns2.kumbh.gov.in': no more

That makes me wonder, …

What do the *.registry.in name servers have to say?

$ dig +noall +auth +additional NS kumbh.gov.in @ns1.registry.in.
kumbh.gov.in.           3600    IN      NS      ns1.kumbh.gov.in.
kumbh.gov.in.           3600    IN      NS      ns2.kumbh.gov.in.
ns2.kumbh.gov.in.       3600    IN      A       125.20.33.68
ns1.kumbh.gov.in.       3600    IN      A       164.100.181.101

The name servers should be found at the two IPv4 addresses, 125.20.33.68 and 164.100.181.101.

So what do the servers at these two IPv4 addresses have to say about this domain?

$ dig NS kumbh.gov.in @125.20.33.68

; <<>> DiG 9.16.48-Debian <<>> NS kumbh.gov.in @125.20.33.68
;; global options: +cmd
;; connection timed out; no servers could be reached

$ dig +tcp NS kumbh.gov.in @125.20.33.68
;; Connection to 125.20.33.68#53(125.20.33.68) for kumbh.gov.in failed: timed out.
;; Connection to 125.20.33.68#53(125.20.33.68) for kumbh.gov.in failed: timed out.

; <<>> DiG 9.16.48-Debian <<>> +tcp NS kumbh.gov.in @125.20.33.68
;; global options: +cmd
;; connection timed out; no servers could be reached

;; Connection to 125.20.33.68#53(125.20.33.68) for kumbh.gov.in failed: timed out.
$ dig NS kumbh.gov.in @164.100.181.101

; <<>> DiG 9.16.48-Debian <<>> NS kumbh.gov.in @164.100.181.101
;; global options: +cmd
;; connection timed out; no servers could be reached
$ dig +tcp NS kumbh.gov.in @164.100.181.101
;; Connection to 164.100.181.101#53(164.100.181.101) for kumbh.gov.in failed: host unreachable.

No matter where in the world I’m trying from, … Europe, North America, Asia, …

Even from test locations within India, I’m seeing the exact same timeouts, indicating that the networks these tests are coming from are not able to get any response at all from either of the two authoritative name servers for the domain.

The failure comes from the operator of the kumbh.gov.in domain name, and their failure to provide proper authoritative DNS for the domain name.

  1. If the name servers are no longer 125.20.33.68 and 164.100.181.101, then the GLUE records should be updated with the Indian domain registry.

  2. If the name servers are still 125.20.33.68 and 164.100.181.101, then you (i.e. the operator of kumbh.gov.in) need to check the firewalls for these servers, to make sure that they allow port 53 UDP AND port 53 TCP for everyone, with no hesitation.

“With no hesitation” refers to the fact that there can’t be a firewall that is refusing to respond to certain DNS record types, or to specific countries.

Receiving an A record like here, but still seeing such an EDE / Network Error failure, with the timeout for certain other records, such as e.g. DNSKEY, …

… and the same kind of timeout for other zone-level records, such as SOA and NS.

:point_down:

There are overly restrictive firewall(s) on the network(s), or machine(s), that are operating the authoritative DNS for the kumbh.gov.in domain name.

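A small probe script, added here as an example and not part of the thread or of any poster’s own tooling, that does what the delegation check in the post above does by hand: it builds raw DNS queries with an EDNS0 OPT record, sends them over both UDP and TCP to the authoritative addresses, and decodes any Extended DNS Error option (RFC 8914, option code 15) from a resolver’s reply so that an “EDE 23 (Network Error)” like the one kdig printed is visible even with tools that do not show it. It uses only the Python standard library. The bytes returned by `build_sample_response()` are constructed to mirror the 1.1.1.1 kdig output earlier in the thread, not a captured packet; the server addresses and record types in the `__main__` section are the ones named in this post, and the live check obviously needs network access.

```python
"""Probe a zone's authoritative servers and decode Extended DNS Errors.

Added example (not code from the thread). Standard library only: raw DNS
messages are built and parsed by hand so nothing beyond Python is needed.
"""
import random
import socket
import struct

TYPE = {"A": 1, "NS": 2, "SOA": 6, "DNSKEY": 48, "OPT": 41}
EDE_CODE = 15  # EDNS option code for Extended DNS Error (RFC 8914)
EDE_NAMES = {0: "Other", 18: "Prohibited", 22: "No Reachable Authority", 23: "Network Error"}

def encode_name(name):
    """Wire-format a dotted name (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname, qtype, txid=None):
    """Return (txid, message) for a recursion-desired query carrying an EDNS0 OPT RR."""
    txid = random.randrange(65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)       # RD set; 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)    # class IN
    opt = b"\x00" + struct.pack("!HHIH", TYPE["OPT"], 1232, 0, 0)   # root name, 1232 B payload, no options
    return txid, header + question + opt

def skip_name(msg, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length

def parse_response(msg):
    """Extract id, (extended) rcode, answer count and any EDE options from a reply."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode, off, edes = flags & 0x0F, 12, []
    for _ in range(qd):
        off = skip_name(msg, off) + 4                               # qtype + qclass
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype != TYPE["OPT"]:
            continue
        rcode |= ((ttl >> 24) & 0xFF) << 4                          # OPT TTL carries the upper rcode bits
        o = 0
        while o + 4 <= len(rdata):                                  # walk the EDNS options
            code, olen = struct.unpack("!HH", rdata[o:o + 4])
            body = rdata[o + 4:o + 4 + olen]
            if code == EDE_CODE and olen >= 2:
                info = struct.unpack("!H", body[:2])[0]
                edes.append((info, body[2:].decode("utf-8", "replace")))
            o += 4 + olen
    return {"id": txid, "rcode": rcode, "ancount": an, "ede": edes}

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed")
        buf += chunk
    return buf

def probe(server, qname, qtype, tcp=False, timeout=3.0):
    """Send one query over UDP or TCP; return the parsed reply or {'error': ...}."""
    txid, query = build_query(qname, TYPE[qtype])
    try:
        if tcp:
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)   # TCP framing: 2-byte length prefix
                data = recv_exact(s, struct.unpack("!H", recv_exact(s, 2))[0])
        else:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, 53))
                data, _ = s.recvfrom(4096)
    except OSError as exc:                                          # timeout, refused, unreachable
        return {"error": str(exc)}
    reply = parse_response(data)
    return reply if reply["id"] == txid else {"error": "transaction id mismatch"}

def build_sample_response():
    """Constructed reply shaped like the 1.1.1.1 kdig output in the thread (not a capture)."""
    text = b"164.100.181.101:53 timed out for kumbh.gov.in DNSKEY"
    header = struct.pack("!HHHHHH", 55728, 0x8180, 1, 1, 0, 1)      # QR RD RA, NOERROR
    question = encode_name("kumbh.gov.in") + struct.pack("!HH", TYPE["A"], 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE["A"], 1, 60, 4) + bytes([164, 100, 181, 175])
    ede = struct.pack("!HHH", EDE_CODE, 2 + len(text), 23) + text
    opt = b"\x00" + struct.pack("!HHIH", TYPE["OPT"], 1232, 0, len(ede)) + ede
    return header + question + answer + opt

if __name__ == "__main__":
    for info, text in parse_response(build_sample_response())["ede"]:
        print(f"EDE {info} ({EDE_NAMES.get(info, '?')}): {text}")
    # Live check of the authoritative addresses named in the thread (needs network access).
    for server in ("164.100.181.101", "125.20.33.68"):
        for qtype in ("SOA", "NS", "DNSKEY"):
            for tcp in (False, True):
                r = probe(server, "kumbh.gov.in", qtype, tcp=tcp)
                status = r.get("error") or f"rcode={r['rcode']} answers={r['ancount']}"
                print(server, qtype, "tcp" if tcp else "udp", status)
```

Run it against the two glue addresses and, if the diagnosis above holds, every SOA/NS/DNSKEY probe should come back as a timeout over both transports; a healthy zone returns rcode 0 with at least one answer for SOA and NS. Point `probe()` at a recursive resolver instead (e.g. 1.1.1.1) and the `ede` list is where the “Network Error” text surfaces. Note the script checks only that the reply’s transaction id matches; it does not validate DNSSEC, so it tells you whether the servers answer at all, not whether the answers are authentic.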

Only as a user who has noticed that either the site & domain were misconfigured or somehow Cloudflare was discriminating against it.

I’m happy to confirm that it’s the former & will do my best to report this comprehensive explanation to those who administer the web site, since there is excellent information here about the generality of the problem & exactly how to fix it.

In my experience Indian government agencies generally ignore problems like this & won’t communicate with users about them, and there are unpleasant but unavoidable reasons for that. But if there is a response I will report back here. :pray:


:+1:

Although not towards Indian government agencies, I’ve reported many things over time, which I would say needed attention, but exactly as you said, were just being ignored.

People’s own negligence (regardless of on purpose, or not) is unfortunately often the reason to many of the problems that the individual person and/or organisation experience. :frowning:

Unfortunately, I’m also afraid that the negligence will continue, unless everyone is implementing “hard error” on problems like this, rather than “continue with warning”, as seen in the situation above.

In other words, if e.g. all of Cloudflare, Google, OpenDNS, Quad9, … and so forth, were unable to resolve the DNS for the domain, there would be more incentive for the domain administrator to actually fix the silly configuration(s) they have.

Feel free to do so! :pray:


I would happily do this, but the time limit of 2 days before closing this thread is unlikely to be enough to get a response even in the best circumstances of their prompt response and cooperation. Therefore I believe it would be helpful if the Discourse moderators would extend that time limit in this case.

p.s. I’ve unmarked the ✅ Solution as formerly checked above and this seems to have removed the 2-day time limit for response that was previously imposed.

If the administrators of kumbh.gov.in refer back here, please note that the solution to the site/domain problem is in this comment above.


:+1: Glad to see you found a way!

(I may have failed there, by accidentally not submitting it, as I was actually looking at and considering to extend it, at least until the end of the year.)


Since there is no email address or technical contact listed on the affected web site, I’ve only been able to contact India’s “National Informatics Centre” which is credited with all the I.T. architecture for the Ministry of Tourism:

where it offers a “service desk” with an email address ([email protected]), which in reply says to use this address instead ([email protected]) to “auto generate a ticket” — unfortunately no such ticket is generated, either “auto” or otherwise. Here is what I had submitted:

dear NIC Help / Service Desk:

Some network engineers (within India & without) have investigated the kumbh . gov . in web site being inaccessible on many systems, and have identified a problem which leaves it inaccessible from anyone coming through a “Secure DNS” configuration, including most VPN’s… which means many thousands of people, especially NRI’s in corporate workplaces, will be cut off from the web site.

We have isolated the problem and just need to report it to the I.T. administrators of kumbh . gov . in. Summary: the configuration of the firewall on this domain doesn’t allow the site’s DNS address to be verified, and so secure DNS configurations fail for this domain & the web site is not accessible.

Please let us know how, and to whom, we can report the problem. With another specialist from Cloudflare (the global DNS provider) the problem & solution have been fully documented here (remove spaces to form the link):

https : // community . cloudflare . com/t/cloudflare-dns-missing-popular-site-blocklisted/732950/7

I hope this request is honoured soon because many people around the world are currently making plans to visit the Kumbh in 2 months. Please respond to confirm receipt and feel free to forward this email (please copy us if so). I am standing by to help any representatives confirm & reproduce the problem.

sincerely, Robert Phair

I feel bad that the convention in Indian society is to silently rule that acknowledging this problem will make some manager look bad & therefore nobody will ever get to the first stage of accepting that “trouble” ticket. :sweat: But maybe some other enthusiast (for DNS or for this time-honoured festival) will succeed in getting attention for this somehow. :pray:
