Got Network Error (tcp_error) from www.apple.com at Akamai Edge when using 1.1.1.1


#1

Hi,

I have been using 1.1.1.1 for a few days and found that many websites which use Akamai Edge have issues with 1.1.1.1 DNS.

I got a different IP address in the DNS response (1.1.1.1 vs. my ISP's); the IP from 1.1.1.1 makes the website impossible to access, with Network Error (tcp_error).

Website: www.apple.com
ISP: AS17552

I tried setting a static host entry for www.apple.com to 118.215.126.235 and was able to access the website, while with the IP returned by 1.1.1.1 I wasn't.

The issue was happening to www.paypal.com as well.

ISP resolver (203.144.207.29):
dig +noadditional +noquestion +nocomments +nocmd +nostats www.apple.com. @203.144.207.29
www.apple.com. 300 IN CNAME www.apple.com.edgekey.net.
www.apple.com.edgekey.net. 300 IN CNAME www.apple.com.edgekey.net.globalredir.akadns.net.
www.apple.com.edgekey.net.globalredir.akadns.net. 300 IN CNAME e6858.dsce9.akamaiedge.net.
e6858.dsce9.akamaiedge.net. 30 IN A 118.215.126.235

1.1.1.1:
dig +noadditional +noquestion +nocomments +nocmd +nostats www.apple.com
www.apple.com. 1537 IN CNAME www.apple.com.edgekey.net.
www.apple.com.edgekey.net. 1060 IN CNAME www.apple.com.edgekey.net.globalredir.akadns.net.
www.apple.com.edgekey.net.globalredir.akadns.net. 701 IN CNAME e6858.dsce9.akamaiedge.net.
e6858.dsce9.akamaiedge.net. 4 IN A 96.6.70.122

I got a ping response from both 118.215.126.235 and 96.6.70.122, but the IP from 1.1.1.1 got a tcp_error when accessed from the web browser.

Pinging 96.6.70.122 with 32 bytes of data:
Reply from 96.6.70.122: bytes=32 time=30ms TTL=53
Reply from 96.6.70.122: bytes=32 time=30ms TTL=53
Reply from 96.6.70.122: bytes=32 time=30ms TTL=53
Reply from 96.6.70.122: bytes=32 time=30ms TTL=53

Ping statistics for 96.6.70.122:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 30ms, Maximum = 30ms, Average = 30ms

Pinging 118.215.126.235 with 32 bytes of data:
Reply from 118.215.126.235: bytes=32 time=3ms TTL=57
Reply from 118.215.126.235: bytes=32 time=2ms TTL=57
Reply from 118.215.126.235: bytes=32 time=3ms TTL=57
Reply from 118.215.126.235: bytes=32 time=2ms TTL=57

Ping statistics for 118.215.126.235:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 3ms, Average = 2ms
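The dig and ping output above shows the core of the problem: both addresses answer ICMP, yet only one accepts the browser's TCP connection. Here is an added diagnostic script (not part of this thread) that resolves a name through two resolvers and tests TCP reachability of each answer on port 443; it assumes `dig` and `nc` are installed, and the sample dig output embedded at the bottom is constructed from the chain shown above.

```shell
#!/bin/sh
# Compare the A record two resolvers return for a name and check whether each
# address actually accepts TCP connections on port 443. A ping reply does not
# prove that: "tcp_error" is a TCP-level failure, not an ICMP one.

# Read dig's answer section (one record per line: name TTL IN TYPE rdata) and
# print the last A record found after following the printed CNAME chain.
last_a_record() {
    awk '$4 == "A" { ip = $5 } END { print ip }'
}

# Query one resolver for a name and print only the resulting IPv4 address.
resolve_with() {   # $1 = resolver IP, $2 = hostname
    dig +noadditional +noquestion +nocomments +nocmd +nostats "$2". "@$1" | last_a_record
}

# Return 0 if a TCP connection to $1:$2 succeeds within 5 seconds, 1 otherwise.
# Assumes a netcat that supports -z (zero-I/O scan) and -w (timeout).
tcp_reachable() {
    nc -z -w 5 "$1" "$2" >/dev/null 2>&1
}

# Resolve $1 via resolvers $2 and $3 and report the TCP/443 state of each answer.
compare_resolvers() {
    for r in "$2" "$3"; do
        ip=$(resolve_with "$r" "$1")
        if tcp_reachable "$ip" 443; then status=open; else status=closed; fi
        printf '%-16s -> %-16s tcp/443 %s\n' "$r" "$ip" "$status"
    done
}

# Example invocation (needs network): compare_resolvers www.apple.com 1.1.1.1 203.144.207.29

# Constructed sample of dig's answer section, mirroring the chain in the post.
SAMPLE_DIG_OUTPUT='www.apple.com. 300 IN CNAME www.apple.com.edgekey.net.
www.apple.com.edgekey.net. 300 IN CNAME www.apple.com.edgekey.net.globalredir.akadns.net.
www.apple.com.edgekey.net.globalredir.akadns.net. 300 IN CNAME e6858.dsce9.akamaiedge.net.
e6858.dsce9.akamaiedge.net. 30 IN A 118.215.126.235'
```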


#2

Akamai may not return the IP of the closest (latency-wise) datacenter from your network due to Cloudflare intentionally not providing them your real network address.

But you should have been able to connect to the other IP, no matter what.

As a workaround, macOS supports “exceptions”: you can configure your system to use your ISP’s resolver only for specific zones. Everything else will go to Cloudflare as expected.

Since you appear to be comfortable with the command line, here's how to make an "exception" for edgekey.net and akamaiedge.net.

Create a /etc/resolver directory if there isn’t one already.

In that directory, create a file named edgekey.net with the following content:

nameserver 203.144.207.29

Do the same for the other zone, and for all the zones you want to be “exceptions”.


#3

@jedisct1 Thank you for a (life-saving!) resolution.