Have problems with 1.1.1.1? *Read Me First*

troubleshooting

#1

Here are some tips for troubleshooting if you are having issues using Cloudflare’s Resolver. Please take a moment to review them along with the information that will help us to understand and help diagnose any issues. There are two sections to this guide. The first is for troubleshooting name resolution errors/issues and the second is for unreachability or routing issues.

New Diagnostic Tool We have a new diagnostic tool which can help gather some of the information requested below. If you copy the result from https://cloudflare-dns.com/help/ to your ticket it will help immensely.

Dig Tutorial

Troubleshooting Name Resolution Issues

  1. Please search the forum to see if the domain you are reporting already has an entry (feel free to add your comments to it, if it does).
  2. Please provide the following tests from your location if possible and include it with your report.

UNIX (Linux/macOS)

dig example.com @1.1.1.1
dig example.com @1.0.0.1
dig example.com @8.8.8.8
dig +short CHAOS TXT id.server @1.1.1.1
dig +short CHAOS TXT id.server @1.0.0.1

And if you are willing to share information about your network block, please include the output of this next command as well. Note: This does reveal your IP address, so if you aren’t comfortable sharing we understand.
dig @ns3.cloudflare.com whoami.cloudflare.com txt +short

Windows

nslookup example.com 1.1.1.1
nslookup example.com 1.0.0.1
nslookup example.com 8.8.8.8
nslookup -class=chaos -type=txt id.server 1.1.1.1
nslookup -class=chaos -type=txt id.server 1.0.0.1

And if you are willing to share information about your network block, please include the output of this next command as well. Note: This does reveal your IP address, so if you aren’t comfortable sharing we understand.
nslookup -type=txt whoami.cloudflare.com ns3.cloudflare.com

Those first two tests should show what the Cloudflare resolver provides vs. Google’s resolver and the 3rd test should report which of our nameserver locations you are connected to.

  1. If you want to go the extra mile, doing a test at http://dnsviz.net/ and posting a link to the results can often be helpful as well.
  2. Please include any additional information about the domain/ lookup that you think might be helpful or relevant.

Troubleshooting Unreachability or Routing Issues

  1. Please search the forum for your country name and ISP to see if the issue may have already been reported. If it has please review that post and add any comments you may have to it rather than creating a new post.
  2. Please provide a traceroute for both 1.1.1.1 and 1.0.0.1 (even if you can reach one and not the other).

UNIX (Linux/macOS)

traceroute 1.1.1.1
traceroute 1.0.0.1

Windows

tracert 1.1.1.1
tracert 1.0.0.1

  1. If you believe Cloudflare’s route is suboptimal, please provide a traceroute to a DNS server which you believe has better routing (we can’t always improve routing, but it’s helpful to have information/context when we communicate with ISPs and network providers).
  2. If the traceroute reaches Cloudflare please also include the output for

UNIX (Linux/macOS)

dig +short CHAOS TXT id.server @1.1.1.1
dig +short CHAOS TXT id.server @1.0.0.1

Bonus points if you include these 2:
dig +tcp @1.1.1.1 id.server CH TXT
dig +tcp @1.0.0.1 id.server CH TXT

Windows

nslookup -class=chaos -type=txt id.server 1.1.1.1
nslookup -class=chaos -type=txt id.server 1.0.0.1

Bonus points if you include these 2:
nslookup -vc -class=chaos -type=txt id.server 1.1.1.1
nslookup -vc -class=chaos -type=txt id.server 1.0.0.1

  1. For DNS over TLS issues:

UNIX (Linux/macOS)

openssl s_client -connect 1.1.1.1:853
openssl s_client -connect 1.0.0.1:853

Gold star :star: if you also include:
kdig +tls @1.1.1.1 id.server CH TXT
kdig +tls @1.0.0.1 id.server CH TXT

Windows

As Windows does not have openssl installed and it does not have an alternative to kdig this step requires UNIX

  1. For DNS over HTTPS (DoH) connectivity issues please also run the command below and paste the results of the file in your report as well:

UNIX (Linux/macOS)

curl -v ‘https://1.1.1.1/dns-query?ct=application/dns-json&name=cloudflare.com

Windows

As Windows does not have an alternative to curl this step requires UNIX

  1. If your traceroute dies at the first hop, your issue is almost certainly hardware related, your router may have a hardcoded route for 1.1.1.1. If that is the case, please provide the make/model of your router as well as your ISP.

  2. Please also consider opening a ticket with your ISP for unreachability or routing related problems as well. We try very hard to work with other network providers when a problem is discovered, but sometimes those providers have other priorities. Your feedback to them helps them to determine this is an issue worth investigating.

Finally… Thank you, thank you, thank you :orange_heart:
We very much appreciate that you are using Cloudflare’s public resolver and we’re sorry that you encountered an issue that requires some troubleshooting on your part. Your willingness to help us determine the cause of the issue by providing diagnostic information is appreciated.


Configure DNS Manually
CloudFlare Dns not working in India.ISP Airtel May have blocked it
1.1.1.1 issues with Hathway (India)
Cloudflared DoH 1.1.1.1 failed to perform an HTTPS request
1.1.1.1 not reachable on Telefonica de Argentina/Movistar/Speedy ISP
1.1.1.1 can't reach US .mil websites
1.1.1.1 unable to resolve MX of SFDC, only in Toronto area
Simple questions: CloudFlare DNS-over-TLS
1.1.1.1 can’t be reached isp tedata egypt
Possible to Use 1.1.1.1 with CenturyLink?
1.1.1.1 cannot resolve google sites
Specify AnyCast servers to use when using 1.1.1.1
1.1.1.1 Android 6.0.1
Serious slowdown in Brooklyn, NY
DNS provider makes wrong destination IP address
High ping in algeria using cloudflare dns
Cannot resolve nbp.pl
Unable to reach a sub site from Chamberlain.edu
1.1.1.1 still not working from Telecom Argentina
1.1.1.1 still doesn't work on Orange France
1.1.1.1 not showing correct data for bsrgroup.com.au (8.8.8.8 and 1.0.0.1 are fine)
Why the dns 1.0.0.1 is faster than 1.1.1.1 for me?
NXDOMAIN/SERVFAIL for google.com from 1.0.0.1 (Amsterdam/NL)
DNS recursion Timeout Vulnerability
DoH connectivity issues in UK
Help accessing 1.1.1.1
Serious issues to in uk
1.1.1.1 is not working with Hathway Broadband (Indian ISP)
Cloudfare DNS blocked with ACT ISP in India
1.1.1.1 not reachable on TATA India network and 1.0.0.1 high latency
Cloudflare Peerings in India
#2

#3

Additional Info:
It was pointed out to me quite quickly by our DNS and Network gurus that the above guide lacks love for IPv6.

For any of the commands above which use 1.1.1.1 or 1.0.0.1 the IPv6 addresses of Cloudflare’s servers can also be used. Those addresses are:

2606:4700:4700::1111 and 2606:4700:4700::1001

How to install kdig
On macOS: brew install knot
On Linux: apt-get install knot
On freeBSD: pkg install knot


#4

#5