DNS CloudFlare 1.1.1.1 Problem Resolver

Problem with the 1.1.1.1 DNS resolver for the site https://apps.anatel.gov.br

PS C:\Users\leand> nslookup apps.anatel.gov.br 1.1.1.1
Servidor: one.one.one.one
Address: 1.1.1.1

DNS request timed out.
timeout was 2 seconds.
*** one.one.one.one não encontrou apps.anatel.gov.br: Server failed
PS C:\Users\leand> nslookup apps.anatel.gov.br 1.0.0.1
Servidor: one.one.one.one
Address: 1.0.0.1

DNS request timed out.
timeout was 2 seconds.
*** one.one.one.one não encontrou apps.anatel.gov.br: Server failed
PS C:\Users\leand> nslookup apps.anatel.gov.br 8.8.8.8
Servidor: dns.google
Address: 8.8.8.8

Não é resposta autoritativa:
Nome: apps.anatel.gov.br
Address: 200.0.81.97

PS C:\Users\leand> tracert 1.1.1.1

Rastreando a rota para one.one.one.one [1.1.1.1]
com no máximo 30 saltos:

1 <1 ms <1 ms <1 ms 192.168.15.1
2 * * * Esgotado o tempo limite do pedido.
3 4 ms 3 ms 3 ms 152-255-152-242.user.vivozap.com.br [152.255.152.242]
4 * * * Esgotado o tempo limite do pedido.
5 * * * Esgotado o tempo limite do pedido.
6 6 ms 7 ms 6 ms 84.16.7.102
7 8 ms * 8 ms 213.140.36.62
8 8 ms 11 ms * 5.53.0.157
9 8 ms 8 ms 8 ms 172.71.15.2
10 7 ms 6 ms 7 ms one.one.one.one [1.1.1.1]

Rastreamento concluído.

PS C:\Users\leand> tracert 9.9.9.9

Rastreando a rota para dns9.quad9.net [9.9.9.9]
com no máximo 30 saltos:

1 <1 ms <1 ms <1 ms 192.168.15.1
2 * * * Esgotado o tempo limite do pedido.
3 2 ms 3 ms 3 ms 152-255-152-240.user.vivozap.com.br [152.255.152.240]
4 * * 3 ms 152-255-167-76.user.vivozap.com.br [152.255.167.76]
5 * * * Esgotado o tempo limite do pedido.
6 6 ms 6 ms 5 ms ae30.3000.edge1.gru2.as7195.net [200.25.56.80]
7 35 ms 9 ms 6 ms ae20.0.edge5.gru1.as7195.net [200.25.51.134]
8 20 ms 6 ms 6 ms ae2.0.edge1.gru1.as7195.net [200.25.51.38]
9 6 ms 13 ms 6 ms 200.25.56.83
10 5 ms 5 ms 5 ms dns9.quad9.net [9.9.9.9]

Rastreamento concluído.

PS C:\Users\leand> nslookup apps.anatel.gov.br 9.9.9.9
Servidor: dns9.quad9.net
Address: 9.9.9.9

Não é resposta autoritativa:
Nome: apps.anatel.gov.br
Address: 200.0.81.97

It looks like the root of the problem is that the nameservers for anatel.gov.br are broken over IPv6.

dig apps.anatel.gov.br -6 @anatelns1.anatel.gov.br - Doesn’t work
dig apps.anatel.gov.br -4 @anatelns1.anatel.gov.br - Works

anatelns1.anatel.gov.br. 1800 IN A 200.0.81.67
anatelns2.anatel.gov.br. 1800 IN A 200.0.81.68
anatelns1.anatel.gov.br. 1800 IN AAAA 2801:80:c90:c1da:da0::67
anatelns2.anatel.gov.br. 1800 IN AAAA 2801:80:c90:c1da:da0::68

None of the IPv6 addresses for ns1 or ns2, 2801:80:c90:c1da:da0::67 or 2801:80:c90:c1da:da0::68, work.

dig apps.anatel.gov.br @2801:80:c90:c1da:da0::67

; <<>> DiG 9.16.37-Debian <<>> apps.anatel.gov.br @2801:80:c90:c1da:da0::67
;; global options: +cmd
;; connection timed out; no servers could be reached

If you have any contact with that website, tell them their nameservers are broken over IPv6.

As for why the other DNS Resolvers (8.8.8.8 and 9.9.9.9) work, I would assume they prefer or fall back to IPv4.

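The per-transport check described in the reply above, as an added example that is not part of the original thread: it sends one non-recursive UDP query directly to each nameserver address quoted there and reports whether each address family answers. The function names (`build_query`, `probe`, `family_health`) and the 2-second timeout are assumptions of this example; the addresses are the ones posted in the thread.

```python
import secrets
import socket
import struct

# Nameserver addresses (A and AAAA records) quoted in the reply above.
NAMESERVERS = {
    "anatelns1.anatel.gov.br": ["200.0.81.67", "2801:80:c90:c1da:da0::67"],
    "anatelns2.anatel.gov.br": ["200.0.81.68", "2801:80:c90:c1da:da0::68"],
}

def build_query(name, qtype=1):
    """Return (txid, packet) for a minimal non-recursive DNS query (qtype 1 = A)."""
    txid = secrets.randbits(16)
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # flags 0, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)  # class IN

def probe(addr, name, port=53, timeout=2.0):
    """Send one UDP query straight to addr and classify what comes back."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    txid, packet = build_query(name)
    try:
        with socket.socket(family, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(packet, (addr, port))
            data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return "timeout"      # same symptom as the dig output above
    except OSError:
        return "unreachable"  # e.g. this host has no IPv6 route at all
    if len(data) < 12 or struct.unpack("!H", data[:2])[0] != txid:
        return "bad-reply"
    rcode = data[3] & 0x0F    # low four bits of the second flags byte
    return "ok" if rcode == 0 else f"rcode={rcode}"

def family_health(results):
    """Map 'IPv4'/'IPv6' to True only if every address of that family was 'ok'."""
    health = {}
    for addr, status in results.items():
        fam = "IPv6" if ":" in addr else "IPv4"
        health[fam] = health.get(fam, True) and status == "ok"
    return health

if __name__ == "__main__":
    results = {a: probe(a, "apps.anatel.gov.br") for v in NAMESERVERS.values() for a in v}
    for addr, status in results.items():
        print(f"{addr:28} {status}")
    print(family_health(results))
```

A result of `unreachable` for the IPv6 addresses means the machine running the check has no IPv6 connectivity, so the result says nothing about the nameservers; run it from a dual-stack host.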