If our university's internal (Windows) DNS servers query with DNSSEC for cdn.jsdelivr.net, they get an answer only once from the Cloudflare server:

[email protected]:/etc# dig @ cdn.jsdelivr.net

After 300 seconds the entry is deleted and a new query results in a SERVFAIL.

The answer the DNS server gets from Cloudflare is: “Recursion denied”
I tried using our external forwarders (they can resolve without recursion denied) - no change; it only works reliably if I turn off DNSSEC and use the external forwarders …

Any ideas why we get a “Recursion denied” … maybe some kind of rate limits?

Are you saying your resolver is configured to resolve against Cloudflare-dns.com?

I just ran

$ dig +dnssec +short @ cdn.jsdelivr.net A

$ dig +dnssec +short @ cdn.jsdelivr.net A

and it worked fine several times.

No, they are using ns1.Cloudflare… - ns5.Cloudflare…

I used ben.ns.Cloudflare.com and key.ns.Cloudflare.com as conditional forwarders with similar effect

I am afraid it is not clear what the issue is.

No, what? Who is using ns1? There are such nameservers, but they are likely for internal use.

The two other nameservers you mentioned are not for this purpose either but for the resolution of domains on Cloudflare.

So in short, what exactly is the issue? For me the hostname resolves fine, as evident from the previous excerpt.

In certain regions it does seem as if that host was tunnelled via Cloudflare.

However that is just the proxy service, Cloudflare still does not manage DNS.

The problem is that our staff and students are using services hosted on/by cdn.jsdelivr.net, which is resolved by Cloudflare, and that I only get a valid DNS response once on the internal resolvers; once the TTL of 5 minutes is up, the internal resolvers receive a “recursion denied” from the Cloudflare servers previously asked…

And I don't have any idea how to resolve that :wink:
(There is a workaround: let the internal resolvers query the external ones and disable DNSSEC, but that should not be a solution.)

You will need to check why the resolution fails. Cloudflare is not involved here, the domain does not use Cloudflare for DNS.

$ dig @b.gtld-servers.net jsdelivr.net NS

jsdelivr.net.		172800	IN	NS	dns1.p03.nsone.net.
jsdelivr.net.		172800	IN	NS	dns2.p03.nsone.net.
jsdelivr.net.		172800	IN	NS	dns3.p03.nsone.net.
jsdelivr.net.		172800	IN	NS	dns4.p03.nsone.net.
jsdelivr.net.		172800	IN	NS	dns31.cloudns.net.
jsdelivr.net.		172800	IN	NS	dns32.cloudns.net.
jsdelivr.net.		172800	IN	NS	dns33.cloudns.net.
jsdelivr.net.		172800	IN	NS	dns34.cloudns.net.
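An added diagnostic, not from this thread and not Cloudflare's or jsdelivr's code: it sends a query with the RD bit set to each server a resolver forwards to and reads the reply header the way the thread interprets it. REFUSED from a server that is not authoritative for the name is the “recursion denied” symptom (an authoritative-only server configured as a forwarder), an AA answer means the server serves only its own zones, and an RA answer means a real recursive resolver. Helper names and the 192.0.2.x addresses are placeholders; stdlib only.

```python
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(qname, rd=True, txid=0x1234):
    """Minimal DNS query for an A record; the RD bit asks the server to recurse."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode()
                      for label in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def parse_header(resp):
    """Return (rcode name, AA flag, RA flag, answer count) from a reply header."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0x000F
    return RCODES.get(rcode, str(rcode)), bool(flags & 0x0400), bool(flags & 0x0080), an

def classify(rcode, aa, ra, ancount):
    """Explain what a forwarder's reply means for the resolver relying on it."""
    if rcode == "REFUSED":
        return "refuses recursion and is not authoritative for the name: wrong forwarder"
    if aa and ancount:
        return "authoritative answer: serves only its own zones, not a general forwarder"
    if ra and ancount:
        return "recursive answer: a real recursive resolver, usable as a forwarder"
    return f"{rcode} with no answer: check reachability or DNSSEC validation on the path"

def udp_query(server, qname, rd=True, timeout=3.0):
    """Send one query over UDP/53 and return the parsed header fields."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname, rd), (server, 53))
        return parse_header(sock.recv(4096))

def diagnose(servers, qname):
    """Map each server address to a verdict; timeouts and short replies are reported, not raised."""
    verdicts = {}
    for server in servers:
        try:
            verdicts[server] = classify(*udp_query(server, qname))
        except (OSError, struct.error) as exc:
            verdicts[server] = f"no usable reply: {exc}"
    return verdicts

if __name__ == "__main__":
    # Placeholder addresses: substitute the forwarders configured on the Windows DNS server.
    print(diagnose(["192.0.2.1", "192.0.2.2"], "cdn.jsdelivr.net"))
```

Run it once with RD set (the default, what a forwarding resolver sends) and once with `rd=False` against the NS names from the dig output above to see the difference between a server that answers for its own zone and one that refuses everything it does not host.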

