Cloudflare DNS not accessing authoritative DNS server

What is the name of the domain?

kyossystems.com

What is the error number?

EDE: 23

What is the error message?

EDE: 23 (Network Error): (72.65.106.158:53 timed out for www.kyossystems.com A)

What is the issue you’re encountering

Cloudflare’s DNS server is timing out accessing my primary authoritative server

What steps have you taken to resolve the issue?

Verified the setup on my end and made sure DNS queries are being handled properly

What feature, service or problem is this related to?

Nameservers

What are the steps to reproduce the issue?

I changed IP address recently, and since then Cloudflare DNS doesn’t properly query my authoritative DNS server.

$ dig @1.1.1.1 www.kyossystems.com

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 18 (Prohibited)
; EDE: 23 (Network Error): (72.65.106.158:53 timed out for www.kyossystems.com A)

If I query using Google’s DNS server, I can verify it is correctly accessing my DNS server via DNS logs and packet traces.

That looks to be an accurate assessment. That’s ns1.kyossystems.com, and it’s blocking some Port 53 requests.

https://intodns.com/kyossystems.com

It’s not me though. I configured the firewall myself, and there’s nothing configured to block DNS packets. I even swapped the firewall out for an old one, packets still aren’t showing up at the actual DNS server. Running packet sniffing on the firewall shows that no packets are arriving to the FW from Cloudflare and some other sources. I talked with my ISP, they claim they don’t filter any packets at the network level. They said any packet filtering is with the on premise Wifi gateway they provide with the service, which I’m not using.

Is there any way to debug/verify ISP level packet filtering of UDP packets? I feel that’s the most likely scenario given source-dependent behavior.

Separately, I understand the timeout error, but I get an occasional EDE:18 Prohibited error. What could be causing that? If packets are being dropped, what would cause a “Prohibited” determination? Or is this simply Cloudflare internally trying to prevent queries to a seemingly broken DNS server?
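For reference on the EDE codes shown in the dig output in this thread, here is an added example (not part of the original posts and not Cloudflare's code): a parser that extracts RFC 8914 Extended DNS Error options from a raw DNS response, which is useful when logging resolver failures per source. The sample message is constructed; its message ID and SERVFAIL rcode are assumptions, and the name table is only a subset of the RFC 8914 registry.

```python
import struct

EDE_OPTION_CODE = 15   # EDNS0 option code for Extended DNS Error (RFC 8914)
OPT_RR_TYPE = 41
# Subset of the RFC 8914 info-code registry
EDE_NAMES = {18: "Prohibited", 22: "No Reachable Authority", 23: "Network Error"}

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1
        if length == 0:                # root label terminates the name
            return off
        off += length

def parse_ede(msg):
    """Return [(info_code, name, extra_text)] for every EDE option in a DNS message."""
    qd, an, ns, ar = struct.unpack_from("!4H", msg, 4)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4              # skip QTYPE + QCLASS
    found = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        pos = 0
        while rtype == OPT_RR_TYPE and pos + 4 <= len(rdata):
            code, olen = struct.unpack_from("!HH", rdata, pos)
            body = rdata[pos + 4:pos + 4 + olen]
            pos += 4 + olen
            if code == EDE_OPTION_CODE and len(body) >= 2:
                info = struct.unpack_from("!H", body)[0]
                text = body[2:].decode("utf-8", "replace")
                found.append((info, EDE_NAMES.get(info, "unknown"), text))
    return found

def build_sample():
    """Constructed response carrying the two EDE options seen in the dig output."""
    qname = b"".join(bytes([len(p)]) + p for p in b"www.kyossystems.com".split(b".")) + b"\x00"
    extra = b"72.65.106.158:53 timed out for www.kyossystems.com A"
    opts = struct.pack("!HHH", 15, 2, 18) + struct.pack("!HHH", 15, 2 + len(extra), 23) + extra
    opt_rr = b"\x00" + struct.pack("!HHIH", 41, 1232, 0, len(opts)) + opts
    header = struct.pack("!6H", 0x1234, 0x8182, 1, 0, 0, 1)   # assumed ID, SERVFAIL
    return header + qname + struct.pack("!HH", 1, 1) + opt_rr
```

`parse_ede` expects a complete, well-formed message; truncated input raises `IndexError` or `struct.error` rather than returning partial results.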

This is a topic best asked on serverfault.com, as the issue is not with Cloudflare.
