Cloudflare DNS response is not authoritative

guohouzuo · November 14, 2023, 10:50am

Hey folks.

Does anyone happen to know why cloudflare DNS aren’t setting the authoritative flag for its responses? Here’s one example:

dig +norec -t A hz.gl @karina.ns.cloudflare.com

; <<>> DiG 9.10.6 <<>> +norec -t A hz.gl @karina.ns.cloudflare.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4474
;; flags: qr aa; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;hz.gl.                         IN      A

;; ANSWER SECTION:
hz.gl.                  300     IN      A       172.67.218.35
hz.gl.                  300     IN      A       104.21.24.92

;; Query time: 55 msec
;; SERVER: 2606:4700:50::adf5:3ab2#53(2606:4700:50::adf5:3ab2)
;; WHEN: Tue Nov 14 10:48:20 GMT 2023
;; MSG SIZE  rcvd: 66

In contrast, AWS Route53 sets the authoritative flag:

⋊> ~ dig +norec -t A howard.gg @ns-932.awsdns-52.net

; <<>> DiG 9.10.6 <<>> +norec -t A howard.gg @ns-932.awsdns-52.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49749
;; flags: qr aa; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;howard.gg.                     IN      A

;; ANSWER SECTION:
howard.gg.              300     IN      A       193.123.60.208
howard.gg.              300     IN      A       141.148.246.116
howard.gg.              300     IN      A       158.178.146.144
howard.gg.              300     IN      A       144.21.43.178

;; AUTHORITY SECTION:
howard.gg.              172800  IN      NS      ns-1184.awsdns-20.org.
howard.gg.              172800  IN      NS      ns-1787.awsdns-31.co.uk.
howard.gg.              172800  IN      NS      ns-258.awsdns-32.com.
howard.gg.              172800  IN      NS      ns-932.awsdns-52.net.

;; Query time: 41 msec
;; SERVER: 2600:9000:5303:a400::1#53(2600:9000:5303:a400::1)
;; WHEN: Tue Nov 14 10:48:24 GMT 2023
;; MSG SIZE  rcvd: 242

Thanks!

Laudian · November 14, 2023, 2:03pm

I’m not sure I understand your question - both queries clearly show the aa flag to indicate authoritative answer.

guohouzuo · November 14, 2023, 3:51pm

Thanks Laudian, you’re right, I had overlooked the response flag “aa”.

salman_sks · November 14, 2023, 5:27pm

Cloudflare intentionally doesn’t set the authoritative flag in DNS responses because it serves as both a caching resolver and an authoritative nameserver. This design optimizes for speed and efficiency. In contrast, AWS Route53, which primarily acts as an authoritative nameserver, sets the authoritative flag in its responses. Different approaches for different DNS service roles,

epic.network · November 14, 2023, 6:44pm

Nonsense. You can clearly see that Cloudflare indeed does set the authoritative flag in the output shared in the original post.

system · November 17, 2023, 6:45pm

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Cloudflare is answering with REFUSED to authoritative NS DNS & Network	2	3000	March 18, 2020
My authoritative NS is unresolvable through 1.1.1.1 1.1.1.1	10	1517	October 25, 2022
Newly setup domain not Authoritative after verification DNS & Network	2	527	November 7, 2023
What Is Authoritative DNS Server's IP address for Cloudflare? DNS & Network dns	2	3454	June 18, 2021
Question about Authority Section Getting Started dns	4	2147	February 16, 2019

Cloudflare DNS response is not authoritative

Related topics