I have customers who have switched to your 18.104.22.168 and 22.214.171.124 for their DNS needs, and now they are complaining to me that certain sites are unreachable.
I looked into this and determined that Cloudflare’s DNS service has issues working with authoritative DNS servers that have a moderate amount of network latency (>30ms). I looked further into this and found an interesting article that discusses DNS recursion timeout vulnerabilities. See https://pdfs.semanticscholar.org/e1a2/d5d279a3238f5a52052318c3179253c28260.pdf for details.
My tests show Google’s DNS at 126.96.36.199 never gave a false SERVFAIL nor NXDOMAIN, whereas Cloudflare 188.8.131.52 would from time to time. Based on the above article, it appears that Cloudflare’s resolving DNS servers are suffering from one or more of the following:
- Insufficient memory
- Insufficient pending recursive queue depth
- Active Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) attack
So using Cloudflare’s DNS at 184.108.40.206 and/or 220.127.116.11 may subject the end user to an occasional SERVFAIL or NXDOMAIN DNS query response if the domain they are reaching out to exists on an authoritative DNS server with network latency that exceeds Cloudflare’s response parameters.
Hopefully Cloudflare is aware of this issue and is working on a solution.
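As an added example (not code from the original post or from Cloudflare), the following stdlib-only Python script reproduces the kind of side-by-side measurement described above: it sends the same A queries to several resolvers, repeated over several rounds, and tallies each resolver's RCODEs (NOERROR, SERVFAIL, NXDOMAIN, timeout). The resolver addresses and query names you pass in are assumptions to be replaced with the resolvers under test and names known to exist.

```python
import socket
import struct
from collections import Counter

# RCODE values from RFC 1035 section 4.1.1 (REFUSED added by later RFCs)
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid, qtype=1):
    """Build a minimal recursive (RD=1) DNS query for `name`, type A, class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_response(data, expected_qid):
    """Return (rcode_name, answer_count); reject replies that do not match the query."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_qid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    rcode = flags & 0x000F
    return RCODES.get(rcode, "RCODE%d" % rcode), an

def query_once(resolver, name, qid, timeout=5.0):
    """Send one query over UDP and classify the outcome as an RCODE name or TIMEOUT."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (resolver, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT"
    try:
        return parse_response(data, qid)[0]
    except ValueError:
        return "MALFORMED"

def compare_resolvers(resolvers, names, rounds=5):
    """Tally outcomes per resolver (assumed inputs: resolver IPs, existing names).
    Disagreement on the same name, e.g. SERVFAIL from one resolver and NOERROR
    from another in the same round, is the signal worth investigating."""
    tallies = {r: Counter() for r in resolvers}
    for i in range(rounds):
        for j, name in enumerate(names):
            for r in resolvers:
                tallies[r][query_once(r, name, qid=(i * 251 + j) & 0xFFFF)] += 1
    return tallies
```

Run it as `compare_resolvers(["<resolver A>", "<resolver B>"], ["example.com"])` with the two resolvers being compared; because NXDOMAIN is only "false" when the name exists, use names you control or know to be live so the per-resolver counts are comparable.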