DNS failing to resolve

Hello! I am currently experiencing issues when resolving a domain:

confluence.cornell.edu

Here are the results when I dig with 1.1.1.1:

; <<>> DiG 9.10.6 <<>> confluence.cornell.edu @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2928
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; OPT=15: 00 06 ("..")
; OPT=15: 00 16 ("..")
;; QUESTION SECTION:
;confluence.cornell.edu.		IN	A

;; Query time: 174 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Dec 02 12:53:47 EST 2021
;; MSG SIZE  rcvd: 63

And 1.0.0.1:

; <<>> DiG 9.10.6 <<>> confluence.cornell.edu @1.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20223
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; OPT=15: 00 06 ("..")
; OPT=15: 00 16 ("..")
;; QUESTION SECTION:
;confluence.cornell.edu.		IN	A

;; Query time: 153 msec
;; SERVER: 1.0.0.1#53(1.0.0.1)
;; WHEN: Thu Dec 02 12:54:04 EST 2021
;; MSG SIZE  rcvd: 63

When I use Google DNS it resolves:

; <<>> DiG 9.10.6 <<>> confluence.cornell.edu @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42784
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;confluence.cornell.edu.		IN	A

;; ANSWER SECTION:
confluence.cornell.edu.	21012	IN	CNAME	199-102-164-156.contegix.com.
199-102-164-156.contegix.com. 300 IN	A	199.102.164.156

;; Query time: 178 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Dec 02 12:54:31 EST 2021
;; MSG SIZE  rcvd: 109

Now, here’s the interesting part. Note that there’s a CNAME response. If I dig for the CNAME, I get the correct response:

; <<>> DiG 9.10.6 <<>> confluence.cornell.edu CNAME @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60553
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;confluence.cornell.edu.		IN	CNAME

;; ANSWER SECTION:
confluence.cornell.edu.	86400	IN	CNAME	199-102-164-156.contegix.com.

;; Query time: 35 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Dec 02 12:55:10 EST 2021
;; MSG SIZE  rcvd: 93

Then if I dig for the contegix.com domain’s A record, I get nothing:

; <<>> DiG 9.10.6 <<>> 199-102-164-156.contegix.com A @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 58896
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; OPT=15: 00 06 ("..")
; OPT=15: 00 16 ("..")
;; QUESTION SECTION:
;199-102-164-156.contegix.com.	IN	A

;; Query time: 235 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Dec 02 12:56:27 EST 2021
;; MSG SIZE  rcvd: 69

I’m accessing EWR for both. I couldn’t generate a link from 1.1.1.1/help, but here is all of the information:

  • Connected to 1.1.1.1: yes
  • Using DNS over HTTPS (DoH): yes
  • Using DNS over TLS (DoT): no
  • Using DNS over WARP: no
  • AS Name: won’t load on the website, but it is CORNELL
  • AS Number: won’t load on the website, but it is 26
  • I’m connected to 1.1.1.1 and 1.0.0.1, but not 2606:4700:4700::1111 or 2606:4700:4700::1001

Thanks for your help!

Looks like they (contegix.com) are blocking queries from Cloudflare’s network on their nameservers. This is on Cloudflare’s WARP:

~> dig @ns1.contegix.com. confluence.cornell.edu

; <<>> DiG 9.10.6 <<>> @ns1.contegix.com. confluence.cornell.edu
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 56641
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;confluence.cornell.edu.		IN	A

;; Query time: 114 msec
;; SERVER: 199.193.196.167#53(199.193.196.167)
;; WHEN: Thu Dec 02 19:39:41 CET 2021
;; MSG SIZE  rcvd: 51

This is on my own network:

~> dig @ns1.contegix.com. confluence.cornell.edu

; <<>> DiG 9.10.6 <<>> @ns1.contegix.com. confluence.cornell.edu
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55481
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;confluence.cornell.edu.		IN	A

;; ANSWER SECTION:
confluence.cornell.edu.	20385	IN	CNAME	199-102-164-156.contegix.com.
199-102-164-156.contegix.com. 300 IN	A	199.102.164.156

;; Query time: 450 msec
;; SERVER: 199.193.196.167#53(199.193.196.167)
;; WHEN: Thu Dec 02 19:39:53 CET 2021
;; MSG SIZE  rcvd: 109

I would contact Contegix or Cornell for this. This is unsolvable by Cloudflare.
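
The `OPT=15` lines in the SERVFAIL responses above are EDNS Extended DNS Error options (RFC 8914), which dig 9.10.6 prints as raw hex. The following is an added example, not part of the original thread, that decodes them from saved dig output; the function name `parse_dig` is this example's own, and the sample text is trimmed from the first dig output in the question.

```python
import re

# Extended DNS Error info-codes defined in RFC 8914 (subset).
EDE_CODES = {
    3: "Stale Answer", 6: "DNSSEC Bogus", 7: "Signature Expired",
    9: "DNSKEY Missing", 15: "Blocked", 18: "Prohibited",
    20: "Not Authoritative", 22: "No Reachable Authority", 23: "Network Error",
}

STATUS_RE = re.compile(r"status:\s*(\w+)")
SERVER_RE = re.compile(r"^;; SERVER:\s*([^#\s]+)", re.M)
# dig 9.10.6 has no EDE decoder, so option 15 is shown as hex bytes.
OPT15_RE = re.compile(r"^;\s*OPT=15:[ \t]*((?:[0-9A-Fa-f]{2}[ \t]*)+)", re.M)


def parse_dig(text):
    """Return status, server and decoded EDE options from one dig response."""
    status = STATUS_RE.search(text)
    server = SERVER_RE.search(text)
    ede = []
    for match in OPT15_RE.finditer(text):
        raw = bytes.fromhex("".join(match.group(1).split()))
        if len(raw) < 2:  # option too short to carry an info-code
            continue
        code = int.from_bytes(raw[:2], "big")       # 16-bit INFO-CODE
        extra = raw[2:].decode("utf-8", "replace")  # optional EXTRA-TEXT
        ede.append((code, EDE_CODES.get(code, "unknown"), extra))
    return {
        "status": status.group(1) if status else None,
        "server": server.group(1) if server else None,
        "ede": ede,
    }


# Sample trimmed from the first dig output quoted in the question.
SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2928
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; OPT=15: 00 06 ("..")
; OPT=15: 00 16 ("..")
;; SERVER: 1.1.1.1#53(1.1.1.1)
"""

if __name__ == "__main__":
    result = parse_dig(SAMPLE)
    print(result["server"], result["status"])
    for code, name, extra in result["ede"]:
        print(f"  EDE {code}: {name} {extra}".rstrip())
```

Code 22 (No Reachable Authority) is consistent with the reply's finding that the contegix.com nameservers answer REFUSED to queries arriving from Cloudflare's network.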
