DNS over HTTPS no reachable authority issue

www.rna.gov.it is not resolvable when we are in our network with public 84.18.137.252 while using DNS over HTTPS, but also just using nslookup using 1.1.1.1. As we use Zero Trust I was able to see that the specific error is “no reachable authority”. Using other networks and Italian public IPs it works. Interestingly enough it also works when using 1.1.1.1. How is this issue resolvable?

Indeed, I can reproduce the issue that 1.1.1.1 and Zero Trust Gateway both can’t resolve the query, while Quad9, OpenDNS and Google Public DNS do reply with an IP.

$ dig www.rna.gov.it @8.8.8.8

; <<>> DiG 9.16.33-RH <<>> www.rna.gov.it @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49842
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.rna.gov.it.                        IN      A

;; ANSWER SECTION:
www.rna.gov.it.         2630    IN      A       78.6.242.230

;; Query time: 3 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Nov 14 08:33:23 CET 2022
;; MSG SIZE  rcvd: 59

$ dig www.rna.gov.it @1.1.1.1

; <<>> DiG 9.16.33-RH <<>> www.rna.gov.it @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 2390
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 22 (No Reachable Authority): (at delegation rna.gov.it.)
;; QUESTION SECTION:
;www.rna.gov.it.                        IN      A

;; Query time: 893 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mon Nov 14 08:33:32 CET 2022
;; MSG SIZE  rcvd: 74

Thanks for confirming. I was wondering if Cloudflare or I myself can resolve the “no reachable authority” problem or if it must be the nameserver of the DNS.

Users of Cloudflare DNS like you and me can’t do anything about it. As it has already been going on for 11 days, submitting the 1.1.1.1 purge cache form won’t help either.

I’m not sure if the problem should be solved by Cloudflare or by the administrators of the gov.it authoritative nameservers.

Hi @mwurz,

I’m sorry for the delay. From what I can see, our service is not able to query the domain’s nameserver ns[12].dgiai.gov.it.. We’ll try to contact the other side to see what is going on.
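The `EDE: 22 (No Reachable Authority)` line in the 1.1.1.1 output above is an Extended DNS Error option (RFC 8914) carried in the response's OPT record. The following is an added example, not part of any post in this thread: a Python parser that extracts that option from a raw DNS response, which is useful when logging why a resolver returned SERVFAIL. The sample message is constructed from the values dig printed above, and the function names are this example's own.

```python
import struct

OPT_RR, EDE_OPTION = 41, 15      # OPT record type; EDE option code (RFC 8914)
EDE_NAMES = {22: "No Reachable Authority", 23: "Network Error"}  # registry subset

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:     # a compression pointer ends the name
            return off + 2
        off += 1 + n

def parse_ede(msg):
    """Return (rcode, [(info_code, name, extra_text), ...]) for a raw DNS response."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4            # skip QTYPE and QCLASS
    found = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        p, end = off + 10, off + 10 + rdlen
        if end > len(msg):
            raise ValueError("truncated record")
        while rtype == OPT_RR and p + 4 <= end:  # walk the EDNS options
            code, olen = struct.unpack_from("!HH", msg, p)
            p += 4
            if p + olen > end:
                raise ValueError("truncated EDNS option")
            if code == EDE_OPTION and olen >= 2:
                info = struct.unpack_from("!H", msg, p)[0]
                text = msg[p + 2:p + olen].decode("utf-8", "replace")
                found.append((info, EDE_NAMES.get(info, "other"), text))
            p += olen
        off = end
    return flags & 0xF, found                    # low 4 bits: 2 = SERVFAIL

def build_sample():
    """Constructed message with the header, question and EDE shown in the thread."""
    labels = b"www.rna.gov.it".split(b".")
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\0"
    header = struct.pack("!6H", 2390, 0x8182, 1, 0, 0, 1)  # qr rd ra, rcode 2
    text = b"at delegation rna.gov.it."
    opt = struct.pack("!HHH", EDE_OPTION, 2 + len(text), 22) + text
    opt_rr = b"\0" + struct.pack("!HHIH", OPT_RR, 1232, 0, len(opt)) + opt
    return header + qname + struct.pack("!HH", 1, 1) + opt_rr

if __name__ == "__main__":
    print(parse_ede(build_sample()))
```

The constructed sample is 74 bytes long, the same as the `MSG SIZE  rcvd: 74` dig reported for the 1.1.1.1 response.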