Cloudflare's public DNS cannot resolve ftp.ru.debian.org

What is the name of the domain?

ftp.ru.debian.org

What is the error number?

RCODE:2

What is the error message?

SERVFAIL

What is the issue you’re encountering?

1.1.1.1 and 1.0.0.1 fail to resolve ftp.ru.debian.org and its underlying host mirror.mephi.ru

What feature, service or problem is this related to?

DNS not responding/updating

What are the steps to reproduce the issue?

$ nslookup ftp.ru.debian.org 1.1.1.1
Server:         1.1.1.1
Address:        1.1.1.1#53

** server can't find ftp.ru.debian.org: SERVFAIL

$ nslookup ftp.ru.debian.org 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
ftp.ru.debian.org       canonical name = mirror.mephi.ru.
mirror.mephi.ru canonical name = mirror.campus.mephi.ru.
mirror.campus.mephi.ru  canonical name = point.mephi.ru.
Name:   point.mephi.ru
Address: 85.143.112.112

$ nslookup mirror.mephi.ru 1.1.1.1
Server:         1.1.1.1
Address:        1.1.1.1#53

** server can't find mirror.mephi.ru: SERVFAIL

Works for me:

dig ftp.ru.debian.org @1.1.1.1

; <<>> DiG 9.18.30-0ubuntu0.24.04.2-Ubuntu <<>> ftp.ru.debian.org @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43201
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;ftp.ru.debian.org.             IN      A

;; ANSWER SECTION:
ftp.ru.debian.org.      292     IN      CNAME   mirror.mephi.ru.
mirror.mephi.ru.        3292    IN      CNAME   mirror.campus.mephi.ru.
mirror.campus.mephi.ru. 10492   IN      CNAME   point.mephi.ru.
point.mephi.ru.         3292    IN      A       85.143.112.112

;; Query time: 3 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Tue Apr 15 19:18:46 CEST 2025
;; MSG SIZE  rcvd: 139

I’ve tried both nslookup and dig on multiple servers in Russia, Germany, France and the US. Sometimes 1.1.1.1 will answer like you’ve shown, but then a second later it will respond with SERVFAIL again:

# dig ftp.ru.debian.org @1.1.1.1

; <<>> DiG 9.16.23-RH <<>> ftp.ru.debian.org @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29485
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;ftp.ru.debian.org.             IN      A

;; ANSWER SECTION:
ftp.ru.debian.org.      600     IN      CNAME   mirror.mephi.ru.
mirror.mephi.ru.        3600    IN      CNAME   mirror.campus.mephi.ru.
mirror.campus.mephi.ru. 10800   IN      CNAME   point.mephi.ru.
point.mephi.ru.         3600    IN      A       85.143.112.112

;; Query time: 4169 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Wed Apr 16 11:50:02 CDT 2025
;; MSG SIZE  rcvd: 139

# dig ftp.ru.debian.org @1.1.1.1

; <<>> DiG 9.16.23-RH <<>> ftp.ru.debian.org @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 16340
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 22 (No Reachable Authority): (at delegation mephi.ru.)
;; QUESTION SECTION:
;ftp.ru.debian.org.             IN      A

;; Query time: 5 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Wed Apr 16 11:50:07 CDT 2025
;; MSG SIZE  rcvd: 75

For me it returns SERVFAIL more often than the correct IP address on all servers. I’ve asked some other people to replicate this; most receive the SERVFAIL as well, but some get the correct answer only. I can’t figure out the pattern here; it seems unrelated to the physical location of the caller.

I’ve tried again just now. The problem seems to be that the mephi.ru nameservers fail to respond via IPv6 most of the time (all the time?).

Everything works fine via IPv4.

dig +short ns.mephi.RU
85.143.112.3
dig +short ns.mephi.RU aaaa
2001:b08:22:85::3
dig mirror.mephi.ru @2001:b08:22:85::3
;; communications error to 2001:b08:22:85::3#53: timed out
;; communications error to 2001:b08:22:85::3#53: timed out
;; communications error to 2001:b08:22:85::3#53: timed out
dig mirror.mephi.ru @85.143.112.3

; <<>> DiG 9.18.30-0ubuntu0.24.04.2-Ubuntu <<>> mirror.mephi.ru @85.143.112.3
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38997
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mirror.mephi.ru.               IN      A

;; ANSWER SECTION:
mirror.mephi.ru.        3600    IN      CNAME   mirror.campus.mephi.ru.
mirror.campus.mephi.ru. 10800   IN      CNAME   point.mephi.ru.
point.mephi.ru.         3600    IN      A       85.143.112.112

;; AUTHORITY SECTION:
mephi.ru.               3600    IN      NS      agora.mephi.ru.
mephi.ru.               3600    IN      NS      dns2.mephi.ru.
mephi.ru.               3600    IN      NS      ns.mephi.ru.

;; ADDITIONAL SECTION:
ns.mephi.ru.            3600    IN      A       85.143.112.3
ns.mephi.ru.            3600    IN      AAAA    2001:b08:22:85::3
dns2.mephi.ru.          3600    IN      A       85.143.112.8
agora.mephi.ru.         3600    IN      A       85.143.112.2
agora.mephi.ru.         3600    IN      AAAA    2001:b08:22:85::2

;; Query time: 43 msec
;; SERVER: 85.143.112.3#53(85.143.112.3) (UDP)
;; WHEN: Wed Apr 16 19:14:58 CEST 2025
;; MSG SIZE  rcvd: 268
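
An added example, not part of the thread: a standard-library Python probe that sends one A query over UDP to each nameserver glue address from the ADDITIONAL section above and reports reachability per address family, which is the IPv4-versus-IPv6 comparison made by hand with dig. The function names, the 3-second timeout and the fixed transaction id are assumptions of this example.

```python
import socket
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Encode a minimal non-recursive DNS query (qtype 1 = A, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def probe(addr, name, timeout=3.0):
    """Send one UDP query to addr:53; return 'ok', 'timeout' or 'error'."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    query = build_query(name)
    try:
        with socket.socket(family, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (addr, 53))
            reply, _ = s.recvfrom(4096)
    except socket.timeout:
        return "timeout"
    except OSError:
        return "error"  # e.g. the probing host has no IPv6 route at all
    # Accept only a response (QR bit set) carrying our transaction id.
    ok = len(reply) >= 12 and reply[:2] == query[:2] and reply[2] & 0x80
    return "ok" if ok else "error"

def summarise(results):
    """Map {address: status} to a per-family verdict."""
    fam = {"IPv4": [], "IPv6": []}
    for addr, status in results.items():
        fam["IPv6" if ":" in addr else "IPv4"].append(status == "ok")
    return {f: ("none" if not v else "all" if all(v)
                else "partial" if any(v) else "unreachable")
            for f, v in fam.items()}

# Glue addresses copied from the ADDITIONAL section of the dig output above.
GLUE = ["85.143.112.3", "2001:b08:22:85::3", "85.143.112.8",
        "85.143.112.2", "2001:b08:22:85::2"]

if __name__ == "__main__":
    results = {a: probe(a, "mirror.mephi.ru") for a in GLUE}
    for addr, status in results.items():
        print(f"{addr:20} {status}")
    print(summarise(results))
```

An "error" on every IPv6 address usually means the probing host itself lacks IPv6 connectivity, so run it from a dual-stack machine before drawing conclusions about the nameservers.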

Interesting, thank you for the research. I’ll mail MEPhI mirror admins then and hope they figure out their nameservers.

I think it would be better if 1.1.1.1 responded with what records it could get via IPv4 instead of failing the request on an IPv6 timeout.
