Cloudflare DNS response is not authoritative

guohouzuo · November 14, 2023, 10:50am

Hey folks.

Does anyone happen to know why cloudflare DNS aren’t setting the authoritative flag for its responses? Here’s one example:

dig +norec -t A hz.gl @karina.ns.cloudflare.com

; <<>> DiG 9.10.6 <<>> +norec -t A hz.gl @karina.ns.cloudflare.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4474
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;hz.gl.                         IN      A

;; ANSWER SECTION:
hz.gl.                  300     IN      A       172.67.218.35
hz.gl.                  300     IN      A       104.21.24.92

;; Query time: 55 msec
;; SERVER: 2606:4700:50::adf5:3ab2#53(2606:4700:50::adf5:3ab2)
;; WHEN: Tue Nov 14 10:48:20 GMT 2023
;; MSG SIZE  rcvd: 66

In contrast, AWS Route53 sets the authoritative flag:

⋊> ~ dig +norec -t A howard.gg @ns-932.awsdns-52.net

; <<>> DiG 9.10.6 <<>> +norec -t A howard.gg @ns-932.awsdns-52.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49749
;; flags: qr aa; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;howard.gg.                     IN      A

;; ANSWER SECTION:
howard.gg.              300     IN      A       193.123.60.208
howard.gg.              300     IN      A       141.148.246.116
howard.gg.              300     IN      A       158.178.146.144
howard.gg.              300     IN      A       144.21.43.178

;; AUTHORITY SECTION:
howard.gg.              172800  IN      NS      ns-1184.awsdns-20.org.
howard.gg.              172800  IN      NS      ns-1787.awsdns-31.co.uk.
howard.gg.              172800  IN      NS      ns-258.awsdns-32.com.
howard.gg.              172800  IN      NS      ns-932.awsdns-52.net.

;; Query time: 41 msec
;; SERVER: 2600:9000:5303:a400::1#53(2600:9000:5303:a400::1)
;; WHEN: Tue Nov 14 10:48:24 GMT 2023
;; MSG SIZE  rcvd: 242

Thanks!

Laudian · November 14, 2023, 2:03pm

I’m not sure I understand your question - both queries clearly show the aa flag to indicate authoritative answer.

guohouzuo · November 14, 2023, 3:51pm

Thanks Laudian, you’re right, I had overlooked the response flag “aa”.

salman_sks · November 14, 2023, 5:27pm

Cloudflare intentionally doesn’t set the authoritative flag in DNS responses because it serves as both a caching resolver and an authoritative nameserver. This design optimizes for speed and efficiency. In contrast, AWS Route53, which primarily acts as an authoritative nameserver, sets the authoritative flag in its responses. Different approaches for different DNS service roles,

epic.network · November 14, 2023, 6:44pm

Nonsense. You can clearly see that Cloudflare indeed does set the authoritative flag in the output shared in the original post.

system · November 17, 2023, 6:45pm

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.