I have customers that have switched to your 188.8.131.52 and 184.108.40.206 for their DNS needs and now they are complaining to me that certain sites are unreachable.
I looked into this and determined that Cloudflare’s DNS service has issues working with authoritative DNS servers that have a moderate amount of network latency (>30ms). I looked further into this and found an interesting article that discusses DNS recursion timeout vulnerabilities. See https://pdfs.semanticscholar.org/e1a2/d5d279a3238f5a52052318c3179253c28260.pdf for details.
My tests show that Google’s DNS at 220.127.116.11 never gave a false SERVFAIL or NXDOMAIN, whereas Cloudflare’s 18.104.22.168 would from time to time. Based on the above article, it appears that Cloudflare’s resolving DNS servers are suffering from one or more of the following:
- Insufficient memory
- Insufficient pending recursive queue depth
- Active Denial-of-Service (DoS) or Distributed Denial-of-Service (DDoS) attack
So using Cloudflare’s DNS at 22.214.171.124 and/or 126.96.36.199 may subject the end user to an occasional SERVFAIL or NXDOMAIN DNS query response if the domain they are reaching out to exists on an authoritative DNS server with network latency that exceeds Cloudflare’s response parameters.
Hopefully Cloudflare is aware of this issue and is working on a solution.
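A way to reproduce the kind of comparison described in the post above, as an added example that is not the poster's own test script: it sends raw UDP DNS queries for one name through each resolver in turn, tallies the RCODE of every reply (NOERROR, SERVFAIL, NXDOMAIN, or a timeout) and reports the failure rate and latency per resolver. The resolver addresses (192.0.2.1, 192.0.2.2) and the test name (example.com) are placeholders to substitute, not values taken from the post.

```python
"""Repeatedly query one name through several recursive resolvers over UDP and
tally the response codes, to show whether one resolver returns SERVFAIL or
NXDOMAIN for a name another resolver answers with NOERROR."""
import random
import socket
import statistics
import struct
import time
from collections import Counter

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}


def build_query(name, qtype=1, txid=None):
    """Build a minimal RFC 1035 query (RD=1, one question, QCLASS=IN).
    Returns (packet_bytes, transaction_id)."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1), txid


def parse_rcode(resp, expected_txid):
    """Return the RCODE name from a reply header after checking the
    transaction id and the QR (response) bit."""
    if len(resp) < 12:
        raise ValueError("response shorter than a DNS header")
    txid, flags = struct.unpack("!HH", resp[:4])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    rcode = flags & 0x000F
    return RCODE_NAMES.get(rcode, "RCODE%d" % rcode)


def query_once(resolver, name, timeout=5.0):
    """One UDP query to `resolver`; returns (rcode_name or 'TIMEOUT', seconds)."""
    pkt, txid = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.monotonic()
        sock.sendto(pkt, (resolver, 53))
        try:
            resp, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT", time.monotonic() - start
        return parse_rcode(resp, txid), time.monotonic() - start


def summarize(results):
    """results: list of (rcode_name, seconds). Returns per-code counts, failure
    rate and p50/max latency in ms. SERVFAIL, NXDOMAIN and TIMEOUT all count as
    failures because the caller queries a name it knows exists, so NXDOMAIN
    for that name is a false negative, exactly what the post complains about."""
    counts = Counter(code for code, _ in results)
    total = len(results)
    failed = counts["SERVFAIL"] + counts["NXDOMAIN"] + counts["TIMEOUT"]
    latencies = [sec for _, sec in results]
    return {
        "total": total,
        "counts": dict(counts),
        "failure_rate": failed / total if total else 0.0,
        "p50_ms": statistics.median(latencies) * 1000 if latencies else 0.0,
        "max_ms": max(latencies) * 1000 if latencies else 0.0,
    }


def compare_resolvers(resolvers, name, rounds=20, pause=0.5):
    """Query `name` `rounds` times through each resolver; returns {resolver: summary}."""
    report = {}
    for resolver in resolvers:
        results = []
        for _ in range(rounds):
            results.append(query_once(resolver, name))
            time.sleep(pause)  # pace the probes so the test itself is not a flood
        report[resolver] = summarize(results)
    return report


if __name__ == "__main__":
    # Placeholder resolvers and name (assumptions, not values from the post):
    # replace with the resolvers under comparison and a name you know exists
    # behind a slow authoritative server.
    for res, stats in compare_resolvers(["192.0.2.1", "192.0.2.2"],
                                        "example.com", rounds=10).items():
        print(res, stats)
```

One caveat when using this: after a resolver's first successful lookup the answer sits in its cache for the record's TTL, so repeated queries for the same name mostly measure cache hits rather than fresh recursion to the slow authoritative server. To keep exercising recursion, query a name with a short TTL or a series of distinct names (for example random labels under a zone you control), and treat a SERVFAIL that appears only on the first, uncached round as the interesting case. The same tally can be produced with `dig +tries=1 @resolver name` in a loop by grepping the `status:` field of its header line.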