Cloudflare DNS response is not authoritative

Hey folks.

Does anyone happen to know why Cloudflare DNS isn't setting the authoritative flag in its responses? Here's one example:

dig +norec -t A hz.gl @karina.ns.cloudflare.com

; <<>> DiG 9.10.6 <<>> +norec -t A hz.gl @karina.ns.cloudflare.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4474
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;hz.gl.                         IN      A

;; ANSWER SECTION:
hz.gl.                  300     IN      A       172.67.218.35
hz.gl.                  300     IN      A       104.21.24.92

;; Query time: 55 msec
;; SERVER: 2606:4700:50::adf5:3ab2#53(2606:4700:50::adf5:3ab2)
;; WHEN: Tue Nov 14 10:48:20 GMT 2023
;; MSG SIZE  rcvd: 66

In contrast, AWS Route53 sets the authoritative flag:

dig +norec -t A howard.gg @ns-932.awsdns-52.net

; <<>> DiG 9.10.6 <<>> +norec -t A howard.gg @ns-932.awsdns-52.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49749
;; flags: qr aa; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;howard.gg.                     IN      A

;; ANSWER SECTION:
howard.gg.              300     IN      A       193.123.60.208
howard.gg.              300     IN      A       141.148.246.116
howard.gg.              300     IN      A       158.178.146.144
howard.gg.              300     IN      A       144.21.43.178

;; AUTHORITY SECTION:
howard.gg.              172800  IN      NS      ns-1184.awsdns-20.org.
howard.gg.              172800  IN      NS      ns-1787.awsdns-31.co.uk.
howard.gg.              172800  IN      NS      ns-258.awsdns-32.com.
howard.gg.              172800  IN      NS      ns-932.awsdns-52.net.

;; Query time: 41 msec
;; SERVER: 2600:9000:5303:a400::1#53(2600:9000:5303:a400::1)
;; WHEN: Tue Nov 14 10:48:24 GMT 2023
;; MSG SIZE  rcvd: 242

Thanks!

I’m not sure I understand your question - both queries clearly show the aa flag to indicate authoritative answer.

3 Likes
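As an added example (not from this thread), here is how the aa bit Laudian points to is read from the raw 12-byte DNS header; the two packets are constructed by hand to mirror the header lines in the dig outputs above, and the helper names are my own.

```python
"""Decode the flags word of a DNS message header (RFC 1035 section 4.1.1)
and render it the way dig prints it, e.g. "qr aa".

Added example, not code from the forum thread. The sample packets below
are constructed to mirror the dig header lines quoted in the thread."""
import struct

# Bit positions within the 16-bit flags word, in the order dig prints them
FLAG_BITS = [("qr", 1 << 15), ("aa", 1 << 10), ("tc", 1 << 9),
             ("rd", 1 << 8), ("ra", 1 << 7), ("ad", 1 << 5), ("cd", 1 << 4)]


def parse_header(msg: bytes) -> dict:
    """Return id, opcode, rcode, dig-style flag names and section counts."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": msg_id,
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0xF,
        "flags": [name for name, bit in FLAG_BITS if flags & bit],
        "counts": {"QUERY": qd, "ANSWER": an, "AUTHORITY": ns, "ADDITIONAL": ar},
    }


def is_authoritative(msg: bytes) -> bool:
    """True only for a response (qr set) that also carries aa."""
    h = parse_header(msg)
    return "qr" in h["flags"] and "aa" in h["flags"]


def build_header(msg_id, *, qr, aa, rd=False, ra=False, rcode=0,
                 qd=1, an=0, ns=0, ar=0) -> bytes:
    """Constructed header bytes for demonstration (no question/answer RRs)."""
    flags = (qr << 15) | (aa << 10) | (rd << 8) | (ra << 7) | (rcode & 0xF)
    return struct.pack("!HHHHHH", msg_id, flags, qd, an, ns, ar)


# Constructed to mirror the Cloudflare reply above: id 4474, flags "qr aa",
# 2 answers, 0 authority, 1 additional (the OPT pseudo-record).
CLOUDFLARE_STYLE = build_header(4474, qr=1, aa=1, an=2, ns=0, ar=1)
# Constructed to mirror a recursive resolver's cached reply: "qr rd ra", no aa.
RECURSIVE_STYLE = build_header(1, qr=1, aa=0, rd=True, ra=True, an=2)

if __name__ == "__main__":
    for label, pkt in (("authoritative", CLOUDFLARE_STYLE), ("recursive", RECURSIVE_STYLE)):
        h = parse_header(pkt)
        print(label, "flags:", " ".join(h["flags"]), h["counts"])
```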

Thanks Laudian, you’re right, I had overlooked the response flag “aa”.

2 Likes

Cloudflare intentionally doesn't set the authoritative flag in DNS responses because it serves as both a caching resolver and an authoritative nameserver. This design optimizes for speed and efficiency. In contrast, AWS Route53, which primarily acts as an authoritative nameserver, sets the authoritative flag in its responses. Different approaches for different DNS service roles.

Nonsense. You can clearly see that Cloudflare indeed does set the authoritative flag in the output shared in the original post.

3 Likes
