DoH mozilla.cloudflare-dns.com resolves to a bad Google CDN for me

I’m using the Cloudflare provider mozilla.cloudflare-dns.com for DoH in Firefox, and it resolves Google’s CDNs to India, which results in longer page loading times due to a 500 ms ping.

Meanwhile, cloudflare-dns.com picks a Sweden CDN with a 100 ms ping, and both Google and YouTube become more responsive.

curl https://mozilla.cloudflare-dns.com/dns-query (bad CDN)
> curl -v --http2 -H "accept: application/dns-json" "https://mozilla.cloudflare-dns.com/dns-query?name=google.com"
* Host mozilla.cloudflare-dns.com:443 was resolved.
* IPv6: 2803:f800:53::4, 2a06:98c1:52::4
* IPv4: 162.159.61.4, 172.64.41.4
*   Trying 162.159.61.4:443...
* Connected to mozilla.cloudflare-dns.com (162.159.61.4) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=mozilla.cloudflare-dns.com
*  start date: Dec  1 05:46:42 2023 GMT
*  expire date: Feb 29 05:46:41 2024 GMT
*  subjectAltName: host "mozilla.cloudflare-dns.com" matched cert's "mozilla.cloudflare-dns.com"
*  issuer: C=US; O=Let's Encrypt; CN=E1
*  SSL certificate verify ok.
*   Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA384
*   Certificate level 1: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using ecdsa-with-SHA384
*   Certificate level 2: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using ecdsa-with-SHA384
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://mozilla.cloudflare-dns.com/dns-query?name=google.com
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: mozilla.cloudflare-dns.com]
* [HTTP/2] [1] [:path: /dns-query?name=google.com]
* [HTTP/2] [1] [user-agent: curl/8.5.0]
* [HTTP/2] [1] [accept: application/dns-json]
> GET /dns-query?name=google.com HTTP/2
> Host: mozilla.cloudflare-dns.com
> User-Agent: curl/8.5.0
> accept: application/dns-json
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 200 
< server: cloudflare
< date: Sun, 21 Jan 2024 08:52:55 GMT
< content-type: application/dns-json
< access-control-allow-origin: *
< content-length: 186
< cf-ray: 848e52e50a3c6132-KJA
< 
* Connection #0 to host mozilla.cloudflare-dns.com left intact
{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"google.com","type":1}],"Answer":[{"name":"google.com","type":1,"TTL":287,"data":"142.250.194.174"}]}
curl https://cloudflare-dns.com/dns-query (good)
> curl -v --http2 -H "accept: application/dns-json" "https://cloudflare-dns.com/dns-query?name=google.com"
* Host cloudflare-dns.com:443 was resolved.
* IPv6: 2606:4700::6810:f8f9, 2606:4700::6810:f9f9
* IPv4: 104.16.249.249, 104.16.248.249
*   Trying 104.16.249.249:443...
* Connected to cloudflare-dns.com (104.16.249.249) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=cloudflare-dns.com
*  start date: Dec 30 00:00:00 2023 GMT
*  expire date: Jan 21 23:59:59 2025 GMT
*  subjectAltName: host "cloudflare-dns.com" matched cert's "cloudflare-dns.com"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1
*  SSL certificate verify ok.
*   Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 2: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://cloudflare-dns.com/dns-query?name=google.com
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: cloudflare-dns.com]
* [HTTP/2] [1] [:path: /dns-query?name=google.com]
* [HTTP/2] [1] [user-agent: curl/8.5.0]
* [HTTP/2] [1] [accept: application/dns-json]
> GET /dns-query?name=google.com HTTP/2
> Host: cloudflare-dns.com
> User-Agent: curl/8.5.0
> accept: application/dns-json
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 200 
< server: cloudflare
< date: Sun, 21 Jan 2024 08:55:33 GMT
< content-type: application/dns-json
< access-control-allow-origin: *
< content-length: 185
< cf-ray: 848e56c4aac55efe-ARN
< 
* Connection #0 to host cloudflare-dns.com left intact
{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,"Question":[{"name":"google.com","type":1}],"Answer":[{"name":"google.com","type":1,"TTL":185,"data":"142.250.74.174"}]}
162.159.61.4 ends in Krasnoyarsk


104.16.249.249 goes through Krasnoyarsk to Sweden
10. 87.229.227.241                    0.0%    12   49.1  46.4  42.8  49.8   2.5
11. pe02.Krasnoyarsk.gldn.net         0.0%    12   85.4  83.2  78.9  90.1   3.4
12. pe05.KK12.Moscow.gldn.net         0.0%    12  101.5  99.4  96.4 104.3   3.0
13. be10.tf01-02.Moscow.gldn.net      0.0%    12   98.7  97.8  95.2 102.7   2.8
14. (waiting for reply)
15. 195.89.119.221                    0.0%    12  141.9 139.1 135.5 154.3   5.5
16. cloudflare-gw.fnt.cw.net          0.0%    12  146.4 149.5 137.8 165.2   9.0
17. 172.70.248.5                      0.0%    12  141.3 147.3 138.5 195.9  16.0
18. 104.16.249.249                    0.0%    12  137.1 138.5 136.3 146.3   2.9
104.16.248.249 ends in Krasnoyarsk's black hole
10. 87.229.227.241                    0.0%     1   43.1  43.1  43.1  43.1   0.0
11. pe02.Krasnoyarsk.gldn.net         0.0%     1   81.3  81.3  81.3  81.3   0.0
12. (waiting for reply)

I’m just curious why DoH at 162.159.61.4 in Krasnoyarsk picks Google’s CDN for India?
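Editor's note with an added example (this is not code from the post or from Cloudflare). The two captures above already contain the diagnostic a practitioner wants: the `cf-ray` header ends in the IATA code of the Cloudflare data center that answered (KJA is Krasnoyarsk, ARN is Stockholm Arlanda, matching the mtr traces), and the `Answer` sections show a different google.com A record from each colo. That is expected CDN steering: Google's authoritative servers choose an edge for the resolver that is asking them (or for the client subnet the resolver forwards via EDNS Client Subnet), so the resolver's egress location, not the user's, decides which CDN node the user gets. The script below parses the two responses exactly as captured in the post, extracts the colo code, rejects non-NOERROR or truncated replies, and reports whether the endpoints disagree; `fetch()` issues the same request the post's curl did so the comparison can be repeated live (the endpoint and record-type parameters there are my assumptions about how one would reuse it; the offline run uses only the captured data).

```python
"""Compare the A records two DoH JSON endpoints return for one name and
show which Cloudflare colo (cf-ray suffix) answered each query."""
import json
import urllib.request
from typing import Dict, List, Tuple

# Headers and bodies copied from the two curl runs in the post (21 Jan 2024).
CAPTURES = {
    "mozilla.cloudflare-dns.com": (
        {"server": "cloudflare", "content-type": "application/dns-json",
         "cf-ray": "848e52e50a3c6132-KJA"},
        '{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,'
        '"Question":[{"name":"google.com","type":1}],'
        '"Answer":[{"name":"google.com","type":1,"TTL":287,"data":"142.250.194.174"}]}',
    ),
    "cloudflare-dns.com": (
        {"server": "cloudflare", "content-type": "application/dns-json",
         "cf-ray": "848e56c4aac55efe-ARN"},
        '{"Status":0,"TC":false,"RD":true,"RA":true,"AD":false,"CD":false,'
        '"Question":[{"name":"google.com","type":1}],'
        '"Answer":[{"name":"google.com","type":1,"TTL":185,"data":"142.250.74.174"}]}',
    ),
}

A_RECORD = 1  # RR type code for an A record


def colo_from_cf_ray(headers: Dict[str, str]) -> str:
    """cf-ray is '<request id>-<IATA code of the answering data center>'."""
    ray = headers.get("cf-ray", "")
    return ray.rsplit("-", 1)[-1] if "-" in ray else ""


def parse_doh_json(body: str) -> Dict:
    """Parse an application/dns-json body. Refuse anything that is not a
    complete NOERROR answer so a caller never acts on a partial reply."""
    msg = json.loads(body)
    if msg.get("Status", -1) != 0:
        raise ValueError(f"rcode {msg.get('Status')}")
    if msg.get("TC"):
        raise ValueError("truncated response")
    return msg


def a_records(msg: Dict) -> List[str]:
    """Sorted A-record addresses from the Answer section."""
    return sorted(rr["data"] for rr in msg.get("Answer", [])
                  if rr.get("type") == A_RECORD)


def compare(captures) -> Dict[str, Tuple[str, List[str], bool]]:
    """Per endpoint: (colo code, A records, AD flag). AD tells whether the
    resolver DNSSEC-validated the answer; both captures report False."""
    report = {}
    for endpoint, (headers, body) in captures.items():
        msg = parse_doh_json(body)
        report[endpoint] = (colo_from_cf_ray(headers), a_records(msg),
                            bool(msg.get("AD")))
    return report


def answers_differ(report) -> bool:
    """True when the endpoints handed back different address sets."""
    return len({tuple(v[1]) for v in report.values()}) > 1


def fetch(endpoint: str, name: str, rrtype: str = "A"):
    """Live query, same request the post's curl made. Not used offline."""
    req = urllib.request.Request(
        f"https://{endpoint}/dns-query?name={name}&type={rrtype}",
        headers={"accept": "application/dns-json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return {k.lower(): v for k, v in resp.headers.items()}, resp.read().decode()


if __name__ == "__main__":
    result = compare(CAPTURES)
    for ep, (colo, ips, ad) in result.items():
        print(f"{ep:28} colo={colo} A={ips} AD={ad}")
    print("answers differ:", answers_differ(result))
```

Run it as-is to see the two colos and the two google.com addresses from the post side by side; to reproduce live, replace `CAPTURES` with `{ep: fetch(ep, "google.com") for ep in CAPTURES}`. The check that matters for the post's question is the colo code next to the answer: when the suffix differs, the authoritative side saw a different resolver location, and a different CDN address is the normal consequence rather than a resolver fault.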

