Intermittent "Server Not Found" when using DoH

I’ve been using Cloudflare for my main DNS for some time. After a recent upgrade of Firefox enabled DoH, I have one site that is intermittently failing to resolve through the browser. I’ll get a "Server Not Found", click retry, and 75% of the time it will work from there. I’ve disabled DoH in my browser and that seems to have taken care of it - wanted to report the issue and provide what info I could.

I have no idea if this would be related, but in case it’s relevant to the DoH queries - I had an issue when I first started using Cloudflare DNS with this same site not being found at all: Previous Ticket

dig www.funfile.org 883 @1.1.1.1
; <<>> DiG 9.11.14-RedHat-9.11.14-2.fc31 <<>> www.funfile.org 883 @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28241
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;www.funfile.org. IN A

;; ANSWER SECTION:
www.funfile.org. 1450 IN CNAME www.geo.funfile.org.
www.geo.funfile.org. 495 IN A 167.114.66.114

;; Query time: 6 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sat Mar 14 00:19:39 PDT 2020
;; MSG SIZE rcvd: 82

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55343
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;883. IN A

;; AUTHORITY SECTION:
. 7995 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020031400 1800 900 604800 86400

;; Query time: 7 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sat Mar 14 00:19:39 PDT 2020
;; MSG SIZE rcvd: 107

dig www.funfile.org 883 @1.0.0.1
; <<>> DiG 9.11.14-RedHat-9.11.14-2.fc31 <<>> www.funfile.org 883 @1.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12250
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;www.funfile.org. IN A

;; ANSWER SECTION:
www.funfile.org. 1439 IN CNAME www.geo.funfile.org.
www.geo.funfile.org. 484 IN A 167.114.66.114

;; Query time: 6 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sat Mar 14 00:19:50 PDT 2020
;; MSG SIZE rcvd: 82

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 45286
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;883. IN A

;; AUTHORITY SECTION:
. 6041 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020031400 1800 900 604800 86400

;; Query time: 5 msec
;; SERVER: 1.0.0.1#53(1.0.0.1)
;; WHEN: Sat Mar 14 00:19:50 PDT 2020
;; MSG SIZE rcvd: 107

dig www.funfile.org 883 @8.8.8.8
; <<>> DiG 9.11.14-RedHat-9.11.14-2.fc31 <<>> www.funfile.org 883 @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34810
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;www.funfile.org. IN A

;; ANSWER SECTION:
www.funfile.org. 1427 IN CNAME www.geo.funfile.org.
www.geo.funfile.org. 472 IN A 167.114.66.114

;; Query time: 8 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sat Mar 14 00:20:02 PDT 2020
;; MSG SIZE rcvd: 82

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59323
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;883. IN A

;; AUTHORITY SECTION:
. 86393 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020031400 1800 900 604800 86400

;; Query time: 6 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Mar 14 00:20:02 PDT 2020
;; MSG SIZE rcvd: 107

dig +short CHAOS TXT id.server @1.1.1.1
"LAX"

dig +short CHAOS TXT id.server @1.0.0.1
"LAX"

curl -H 'accept: application/dns-json' 'https://cloudflare-dns.com/dns-query?name=www.funfile.org&type=AAAA'
{"Status": 0,"TC": false,"RD": true, "RA": true, "AD": true,"CD": false,"Question":[{"name": "cloudflare.com.", "type": 28}],"Answer":[{"name": "cloudflare.com.", "type": 28, "TTL": 165, "data": "2606:4700::6811:af55"},{"name": "cloudflare.com.", "type": 28, "TTL": 165, "data": "2606:4700::6811:b055"}]}
{"Status": 0,"TC": false,"RD": true, "RA": true, "AD": true,"CD": false,"Question":[{"name": "www.funfile.org.", "type": 28}],"Answer":[{"name": "www.funfile.org.", "type": 5, "TTL": 1302, "data": "www.geo.funfile.org."},{"name": "www.geo.funfile.org.", "type": 5, "TTL": 347, "data": "pool.funfile.org."}],"Authority":[{"name": "funfile.org.", "type": 6, "TTL": 7200, "data": "ns1.funfile.org. postmaster.funfile.org. 2020031204 10800 3600 604800 7200"}]}

The NTA for this name has expired. The problem is that geo.funfile.org has an expired key (geo.funfile.org | DNSViz), so validation is not going to work:

$ kdig @8.8.8.8 www.funfile.org
;; ->>HEADER<<- opcode: QUERY; status: SERVFAIL; id: 25018
;; Flags: qr rd ra; QUERY: 1; ANSWER: 0; AUTHORITY: 0; ADDITIONAL: 0

;; QUESTION SECTION:
;; www.funfile.org.    		IN	A

;; Received 33 B
;; Time 2020-03-18 19:31:45 PDT
;; From 8.8.8.8@53(UDP) in 167.0 ms

If I’m not mistaken, this is something the site owner needs to address. I’ve passed this along to them. Does this work intermittently depending on which name server is responding to the request or would that be something on their end as well?

funfile.org will resolve fine. www.funfile.org will not, because of the DS/DNSKEY mismatch, so that’s something that has to be fixed on their end.
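A small offline diagnostic, added here and not part of the thread, that separates the two outcomes the thread shows: a SERVFAIL that turns into a normal answer when the same JSON-API query is repeated with cd=true is a DNSSEC (bogus) failure in the zone, while a name that is NXDOMAIN both ways simply does not exist. The sample responses are constructed in the shape of the curl output above (not live captures), and the pool.funfile.org address is a documentation-range placeholder.

```python
import json
from urllib.parse import urlencode

DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"   # Cloudflare JSON API
CNAME = 5
RCODE = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def doh_url(name, rtype="A", cd=False):
    """Build the JSON-API query; cd=true asks the resolver to skip DNSSEC validation."""
    params = {"name": name, "type": rtype}
    if cd:
        params["cd"] = "true"
    return f"{DOH_ENDPOINT}?{urlencode(params)}"

def cname_chain(resp):
    """Follow CNAME records in the Answer section, starting at the queried name."""
    owner = resp["Question"][0]["name"]
    chain = [owner]
    cnames = {rr["name"]: rr["data"] for rr in resp.get("Answer", []) if rr["type"] == CNAME}
    while owner in cnames and cnames[owner] not in chain:   # stop on loops
        owner = cnames[owner]
        chain.append(owner)
    return chain

def classify(validating, checking_disabled):
    """Compare a normal (validating) answer with the same query made with cd=true."""
    v, c = validating["Status"], checking_disabled["Status"]
    if v == 0:
        return "secure" if validating.get("AD") else "insecure"
    if v == 3 and c == 3:
        return "nxdomain"                 # the name really does not exist
    if v == 2 and c == 0:
        return "bogus"                    # data exists but fails DNSSEC validation
    return f"other:{RCODE.get(v, v)}"

# Constructed sample responses modelled on the thread's output; not live captures.
VALIDATING = json.loads('{"Status": 2, "TC": false, "RD": true, "RA": true, "AD": false, '
    '"CD": false, "Question": [{"name": "www.funfile.org.", "type": 1}]}')
CHECKING_DISABLED = json.loads('{"Status": 0, "TC": false, "RD": true, "RA": true, "AD": false, '
    '"CD": true, "Question": [{"name": "www.funfile.org.", "type": 1}], "Answer": ['
    '{"name": "www.funfile.org.", "type": 5, "TTL": 1302, "data": "www.geo.funfile.org."}, '
    '{"name": "www.geo.funfile.org.", "type": 5, "TTL": 347, "data": "pool.funfile.org."}, '
    '{"name": "pool.funfile.org.", "type": 1, "TTL": 60, "data": "192.0.2.10"}]}')

if __name__ == "__main__":
    print(doh_url("www.funfile.org", cd=True))
    print(classify(VALIDATING, CHECKING_DISABLED), cname_chain(CHECKING_DISABLED))
```

A "bogus" result points at the zone's DS/DNSKEY chain rather than at the resolver, which is the distinction that decides whether the site owner or the resolver operator has to act.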