Cloudflared fails where 1.1.1.1 works for DNS

I am having issues getting a domain to resolve using Cloudflared DNS over HTTPS. I can resolve most things just fine, but sometimes, when the site has a short TTL, it seems to stop resolving while 1.1.1.1 and Google DNS both continue to resolve the IP address.

I have attached screenshots.

Top is Cloudflared, bottom is 1.1.1.1.

Any idea what is going on here? Why does one return a record, but the other returns the SOA?

There seems to be something to do with the 60s TTL versus the 30s TTL when going against 1.1.1.1; occasionally Cloudflared returns 60s TTLs, and other times it’s 30s TTLs.

Just a guess, but the type bitmap in the name’s NSEC3 record says that there are no A records. A resolver might learn that somehow and start synthesizing negative A responses.

Or maybe there’s a geoip issue or something and it really isn’t returning any records?

$ dig +dnssec mygreatlakes.org aaaa

; <<>> DiG 9.15.0-Ubuntu <<>> +dnssec mygreatlakes.org aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41936
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;mygreatlakes.org.              IN      AAAA

;; AUTHORITY SECTION:
mygreatlakes.org.       60      IN      SOA     dnsg1.glhec.org. hostmaster.glhec.org. 2019040502 10800 3600 604800 60
mygreatlakes.org.       60      IN      RRSIG   SOA 8 2 60 20190619162917 20190612162917 59238 mygreatlakes.org. VnReSv5t3W75Y4nXWCHFjstAAXagGM/NeSLUzys8HR7TW/CbRmzvt2or azjhPKBswdME51VzKo+d58sv8tbgpcVvB3ZpGvjBP7Tw8leGb5XtyLUn S1z0V/lNbBjsaAtLXl6ykbxPZLCln+9oazYWlGycV6mvawg5m+/e72Jp CKs=
h0nb3mhsvhcgkj9jks9guthbp1u23vrn.mygreatlakes.org. 60 IN NSEC3 1 0 1 D0397A161F88C6DE H0NB3MHSVHCGKJ9JKS9GUTHBP1U23VRO NS SOA RRSIG DNSKEY NSEC3PARAM
h0nb3mhsvhcgkj9jks9guthbp1u23vrn.mygreatlakes.org. 60 IN RRSIG NSEC3 8 3 60 20190621214654 20190614214654 59238 mygreatlakes.org. Mvls3yXtBOtCwBUGC5w0SjgxSvvhL9DN/SIbKoWsfkBta7LLC3H8rEW9 qNQIdOK7Uy/PFhJeXrxZPE1ml7VS1HPkYentRmX7T62g79LkTlNT8+XK DI4iDiuXkeR2jC7q3LvmqocjCuz0Y6YIZA/Na0os0VMCn3hw4UB0Ul0W Q98=

;; Query time: 52 msec
;; SERVER: ::1#53(::1)
;; WHEN: Sat Jun 15 09:45:57 UTC 2019
;; MSG SIZE  rcvd: 544

The zone’s negative TTL is 60 seconds.

Edit:

Are you using the same GSLB from this thread?

It’s not my domain/site, I am trying to reach the site and trying to troubleshoot my DNS configuration to determine why it’s not working intermittently. I use pihole with Cloudflared for DNS over HTTPS.

Well… The site’s authoritative DNS servers have a bug, and it will work intermittently depending on what the resolver has cached.

(Most resolvers don’t support aggressive NSEC3 yet, so only 1.1.1.1 and other Knot Resolver deployments are affected.)
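To make the NSEC3 type-bitmap point above concrete, here is an added example (not code from the thread or from Cloudflare) that takes the apex NSEC3 record from the dig output, recomputes the RFC 5155 hash of the queried name with the record's own salt and iteration count, and reports whether a validating resolver that does aggressive negative caching (RFC 8198) could answer NODATA for a type from that record alone. The owner hash, parameters and bitmap are copied from the dig output; the RFC 5155 Appendix A vector is used only to self-check the hash routine.

```python
# Added example (not from the thread): check whether a DNSSEC NSEC3 record,
# such as the one in the dig output above, would let an RFC 8198 "aggressive
# NSEC" resolver synthesize a NODATA answer for a given name and type.
import base64
import hashlib

# Taken from the dig output in this thread (owner hash, parameters, type bitmap).
NSEC3_OWNER = "h0nb3mhsvhcgkj9jks9guthbp1u23vrn"
NSEC3_RDATA = ("1 0 1 D0397A161F88C6DE H0NB3MHSVHCGKJ9JKS9GUTHBP1U23VRO "
               "NS SOA RRSIG DNSKEY NSEC3PARAM")

def wire_name(name: str) -> bytes:
    """Canonical (lowercase) wire-format name, e.g. b'\\x0cmygreatlakes\\x03org\\x00'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 s.5: SHA-1 over name||salt, re-hashed `iterations` times, base32hex."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    b32 = base64.b32encode(digest).decode("ascii")  # standard base32 alphabet
    to_hex = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                           "0123456789ABCDEFGHIJKLMNOPQRSTUV")
    return b32.translate(to_hex).lower().rstrip("=")

def parse_nsec3(rdata: str) -> dict:
    """Split presentation-format NSEC3 RDATA into its fields and type bitmap."""
    alg, flags, iters, salt, nxt, *types = rdata.split()
    return {"alg": int(alg), "flags": int(flags), "iterations": int(iters),
            "salt": salt, "next": nxt.lower(), "types": set(types)}

def nodata_synthesizable(qname: str, qtype: str, owner: str, rdata: str) -> dict:
    """Report whether a validated NSEC3 proves `qname` exists but has no `qtype`.

    An aggressive-NSEC resolver may answer NODATA from this record alone, so if
    the zone's bitmap is wrong (here: no A listed), the synthesized answer is too."""
    rec = parse_nsec3(rdata)
    if rec["alg"] != 1:  # SHA-1 is the only NSEC3 hash algorithm defined
        raise ValueError("unsupported NSEC3 hash algorithm %d" % rec["alg"])
    qhash = nsec3_hash(qname, rec["salt"], rec["iterations"])
    matches = qhash == owner.lower()
    in_bitmap = qtype.upper() in rec["types"]
    return {"qname_hash": qhash, "matches_owner": matches,
            "type_in_bitmap": in_bitmap, "nodata_provable": matches and not in_bitmap}

if __name__ == "__main__":
    print(nodata_synthesizable("mygreatlakes.org", "A", NSEC3_OWNER, NSEC3_RDATA))
```

If `matches_owner` is true, the record is the apex NSEC3 for the name and its bitmap is exactly what a resolver would consult, so a bitmap that omits A while the zone serves A records is the authoritative-side bug described in the last reply.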