How do I report a Public DNS issue (ie issue with 1.1.1.1 etc)

I have a situation where the reverse dns for one of my servers is failing. It works fine with every other public dns server I’ve tried but not through Cloudflare. I’d like to be able to get this resolved but not sure who to contact at Cloudflare.

I’d be happy to provide the IP address in question directly to Cloudflare but I will use W.X.Y.Z here. Let’s say that this address points to example.com and that the entity that controls the subnet has configured the reverse ptr record correctly.

So, doing

host W.X.Y.Z 1.1.1.1

Produces a response of “Host Z.Y.X.W.in-addr.arpa not found: 2(SERVFAIL)”.

Doing the same thing against Google (8.8.8.8), Quad9 (9.9.9.9), Cisco (208.67.222.222) etc. all works; I get the expected response of “Z.Y.X.W.in-addr.arpa domain name pointer example.com”.

This can cause issues with mail delivery if a recipient is only relying on Cloudflare for ptr look ups so I would like to get it resolved if possible - but not having much luck finding the right place to address it.

That makes it pretty much impossible to dig into “here”.

Will you be able to share the IP address privately, while we keep the discussion (and potential solution) public?

Mail servers that are sending all their DNS queries through public DNS servers are NOT following the best practices for operating mail servers.

You can of course make heavily advanced setups, where some queries are sent to one place but other queries somewhere else, but such setups are generally rare (in a perfect mail server setup).

I fully understand that.

Has the IP address space W.X.Y.0/24 (W.X.Y.0 - W.X.Y.255) been allocated directly to you (or to your organisation)?

Or do you only have the single IP address W.X.Y.Z, such as e.g. on a server you’re renting from a hosting company?


Thanks for the reply.

I appreciate not having the IP address makes it impossible to dig into here - though that wasn’t the purpose of the post. I’m interested in finding out how to contact the group responsible for maintaining the public DNS services and provided what I thought was enough detail to indicate the type of issue it was.

I agree, the mail hosts should not be dependent on a single DNS provider. However, it does happen. More so, if Cloudflare’s public DNS servers have an issue it’s not inconceivable that other resources have the same issue.

The subnet in question is controlled by CCI. Cloudflare seems to have an issue with the complete subnet. However, all other DNS providers I’ve tested don’t have the issue. This would seem to place it pretty much in Cloudflare’s court.

Hence, who at Cloudflare does one report it to?

Troubleshooting DNS queries requires much more details, including the specific DNS query being made.

2(SERVFAIL) from e.g. host, nslookup, et al, is never enough to troubleshoot anything.

Although that is definitely a :+1: from me, it wasn’t meant in that direction. Mail servers generally have spam filters; a lot of spam filters depend on external reputation data, which is often served through DNS.

Many such reputation lists will fail, or even cause you problems, when you forward queries through public resolvers.

CachingNameserver - SPAMASSASSIN - Apache Software Foundation

I guess the key is “if” here.

I would say it is not necessarily on Cloudflare’s end, or in Cloudflare’s court, to use your word.

As all of these, as well as Cloudflare (1.1.1.1), are running anycast, it gets more complicated to actually place the blame than the way you seem to be doing it.

When you are querying Google (8.8.8.8), you might reach Google’s anycast PoP in Chicago, Illinois, United States.

Google’s machine in Chicago, Illinois, United States will be saying “hi, where do I go to find example.com?”, the outbound query here may be coming from the IPv4 address 198.51.100.127, for the query towards a.iana-servers.net.

Now, when I am trying the same query, and also happen to reach Chicago, Illinois, United States, Google’s machine will now be saying “hi, where do I go to find example.com?”, however, the outbound query here may be coming from the IPv4 address 192.0.2.245, for the query towards a.iana-servers.net.

Unfortunately, the operator of a.iana-servers.net has seen a hefty amount of illegitimate traffic from 198.x.x.x IP addresses, so they have blocked 198.0.0.0/8 (198.0.0.0 - 198.255.255.255) in their firewalls.

Your query will fail, however, mine will succeed, even though they are both going through Google, and in the exact same location.

You can substitute the first and second query, with different providers and so on, and the example(s) will still be valid.

That kind of example also isn’t the only kind of example that could be made, to demonstrate that you cannot just say “it works at 8.8.8.8, but not at 1.1.1.1, so 1.1.1.1 is to blame!”.

If it appears to be an issue that would actually require a fix from Cloudflare’s end (and not e.g. the other end(s) of the chain(s)), then I’m under the impression that any Cloudflare MVP can escalate the issue.

I find a couple of hits for CCI, so can you clarify?

If your IP address is W.X.Y.Z, and you go to one of these:

https://bgp.he.net/ip/W.X.Y.Z
https://bgp.tools/prefix/W.X.Y.Z

Does it then reveal the AS number AS13333?

AS13333 Consolidated Communications, Inc.?


I believe I’m seeing this same issue.

I have a couple of domains issued by noip.com, but within the past 24 hours (roughly) they became unable to be reached from Cloudflare’s DNS.

An example:

dig dannyray.hopto.org @1.1.1.1

This results in

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 22 (No Reachable Authority): (time limit exceeded)

Other DNS providers respond properly.

This works fine from everywhere I can try it.


Can you share what results you see, if you include “+nsid”, such as e.g.:

dig +nsid CHAOS TXT id.server @1.1.1.1 | egrep "(NSID:|EDE:|^id.server)"
dig +nsid dannyray.hopto.org @1.1.1.1 | egrep "(NSID:|EDE:|^dannyray.hopto.org)"
~ $ dig +nsid CHAOS TXT id.server @1.1.1.1 | grep -E "(NSID:|EDE:|^id.server)"

; NSID: 35 35 37 6d 32 30 31 ("557m201")
id.server.              0       CH      TXT     "DFW"

~ $ dig +nsid dannyray.hopto.org @1.1.1.1 | grep -E "(NSID:|EDE:|^dannyray.hopto.org)"

; EDE: 22 (No Reachable Authority): (at delegation hopto.org.)
; EDE: 23 (Network Error): ([2a07:dc00:1830::53]:53 timed out for dannyray.hopto.org A)
; NSID: 31 35 6d 37 39 33 ("15m793")

The reason I dug into this is because I have a few proxied Cloudflare domains that are CNAME to one of these noip domains.

All of these just recently started failing with Error 1016: Origin DNS error. But when using the noip domains directly, they worked fine. After digging into the issue a bit, I found this issue, and thought this might be the cause of the 1016 error.

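Added example (not from this thread, nor Cloudflare or dig code): a small Python parser for the `+nsid` lines quoted above. It decodes the NSID hex bytes into the resolver's host label, picks up the id.server location, and pulls out each Extended DNS Error (code, name, detail) so two answers can be compared without re-reading raw dig output. The sample input is constructed from the lines posted in this thread.

```python
import re

# Constructed sample: the two "dig +nsid" answers quoted earlier in this thread,
# joined into one text so the parser can be run offline.
SAMPLE_OUTPUT = """\
; NSID: 35 35 37 6d 32 30 31 ("557m201")
id.server.              0       CH      TXT     "DFW"
; EDE: 22 (No Reachable Authority): (at delegation hopto.org.)
; EDE: 23 (Network Error): ([2a07:dc00:1830::53]:53 timed out for dannyray.hopto.org A)
; NSID: 31 35 6d 37 39 33 ("15m793")
"""

# dig prints the NSID option as hex bytes, then its ASCII rendering in quotes.
NSID_RE = re.compile(r"^;\s*NSID:\s*((?:[0-9a-fA-F]{2}\s+)*[0-9a-fA-F]{2})")
# Extended DNS Error (RFC 8914) line: "; EDE: <code> (<name>): (<extra text>)"
EDE_RE = re.compile(r"^;\s*EDE:\s*(\d+)\s*\(([^)]*)\)(?::\s*\((.*)\))?\s*$")
# Answer to the CHAOS TXT id.server query; 1.1.1.1 answers with an airport code.
LOC_RE = re.compile(r'^id\.server\.\s+\d+\s+CH\s+TXT\s+"([^"]*)"')


def decode_nsid(hex_bytes: str) -> str:
    """Turn '35 35 37 ...' into the resolver's host label ('557m201')."""
    return bytes.fromhex("".join(hex_bytes.split())).decode("ascii", "replace")


def parse_dig_output(text: str) -> dict:
    """Collect NSIDs, the id.server location and every EDE line from dig output."""
    result = {"nsid": [], "location": None, "ede": []}
    for line in text.splitlines():
        if m := NSID_RE.match(line):
            result["nsid"].append(decode_nsid(m.group(1)))
        elif m := EDE_RE.match(line):
            result["ede"].append((int(m.group(1)), m.group(2), m.group(3) or ""))
        elif m := LOC_RE.match(line):
            result["location"] = m.group(1)
    return result


def upstream_failure(parsed: dict) -> bool:
    """True when the resolver says it could not reach an authority (EDE 22
    No Reachable Authority / 23 Network Error), i.e. the failure lies between
    the resolver and the authoritative server, as in the thread's second dig."""
    return any(code in (22, 23) for code, _, _ in parsed["ede"])


if __name__ == "__main__":
    parsed = parse_dig_output(SAMPLE_OUTPUT)
    print(parsed, "upstream failure:", upstream_failure(parsed))
```

In practice you would pipe live `dig +nsid ... @1.1.1.1` output into `parse_dig_output` and compare the NSID and EDE lines from several locations, which is exactly the comparison the replies above are asking for.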

That authoritative server is timing out right now from a couple of locations, one of which is in Dallas, which is where you’re hitting Cloudflare’s nameserver.

https://dig.ping.pe/dannyray.hopto.org:A:2a07:dc00:1830::53

Though it is pingable and reachable from the same location, so I’m not sure what exactly that means.

