Is my ISP blocking Cloudflare DNS? (Mongolia)

My ISP is Unitel/Univision in Mongolia. I’ve been trying to set Cloudflare as my DNS with no luck. I’ve tried several other DNS services but only Google’s DNS works.

dig example.com @1.1.1.1

; <<>> DiG 9.13.0 <<>> example.com @1.1.1.1
;; global options: +cmd
;; connection timed out; no servers could be reached

dig example.com @1.0.0.1

; <<>> DiG 9.13.0 <<>> example.com @1.0.0.1
;; global options: +cmd
;; connection timed out; no servers could be reached

dig example.com @8.8.8.8

; <<>> DiG 9.13.0 <<>> example.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31209
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;example.com.                   IN      A

;; ANSWER SECTION:
example.com.            4714    IN      A       93.184.216.34

;; Query time: 76 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Jun 10 12:47:33 +08 2018
;; MSG SIZE  rcvd: 56

dig +short CHAOS TXT id.server @1.1.1.1
;; connection timed out; no servers could be reached

dig +short CHAOS TXT id.server @1.0.0.1
;; connection timed out; no servers could be reached

dig @ns3.Cloudflare.com whoami.Cloudflare.com txt +short

; <<>> DiG 9.13.0 <<>> @ns3.Cloudflare.com whoami.Cloudflare.com txt +short
; (4 servers found)
;; global options: +cmd
;; connection timed out; no servers could be reached

http://dnsviz.net/d/google.mn/dnssec/

tracepath 1.1.1.1
 1?: [LOCALHOST]                      pmtu 1500
 1:  _gateway                                              0.251ms 
 1:  _gateway                                              0.157ms 
 2:  192.168.1.1                                           1.175ms 
 3:  10.180.28.235                                         1.027ms pmtu 1492
 3:  10.180.0.1                                            3.243ms 
 4:  10.128.14.13                                          4.541ms 
 5:  10.128.14.22                                          4.326ms 
 6:  180.149.95.169                                        4.015ms 
 7:  180.149.92.9                                          4.070ms 
 8:  180.149.92.2                                          4.093ms 
 9:  180.149.95.37                                        57.795ms 
10:  no reply
11:  no reply
12:  no reply
13:  no reply
14:  no reply
15:  no reply
16:  no reply
17:  no reply
18:  no reply
19:  no reply
20:  no reply
21:  no reply
22:  no reply
23:  no reply
24:  no reply
25:  no reply
26:  no reply
27:  no reply
28:  no reply
29:  no reply
30:  no reply
     Too many hops: pmtu 1492
     Resume: pmtu 1492

tracepath 1.0.0.1
 1?: [LOCALHOST]                      pmtu 1500
 1:  _gateway                                              0.227ms 
 1:  _gateway                                              0.150ms 
 2:  192.168.1.1                                           0.935ms 
 3:  10.180.28.235                                         0.984ms pmtu 1492
 3:  10.180.0.1                                           53.892ms 
 4:  10.128.14.13                                          4.138ms 
 5:  10.128.14.22                                          4.224ms 
 6:  180.149.95.169                                        3.991ms 
 7:  180.149.92.9                                          3.903ms 
 8:  180.149.92.6                                          4.013ms 
 9:  180.149.95.37                                        57.761ms 
10:  no reply
11:  no reply
12:  no reply
13:  no reply
14:  no reply
15:  no reply
16:  no reply
17:  no reply
18:  no reply
19:  no reply
20:  no reply
21:  no reply
22:  no reply
23:  no reply
24:  no reply
25:  no reply
26:  no reply
27:  no reply
28:  no reply
29:  no reply
30:  no reply
     Too many hops: pmtu 1492
     Resume: pmtu 1492

curl

curl -v "https://1.1.1.1/dns-query?ct=application/dns-json&name=Cloudflare.com"
*   Trying 1.1.1.1...
* TCP_NODELAY set
* Connected to 1.1.1.1 (1.1.1.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=*.Cloudflare-dns.com
*  start date: Mar 30 00:00:00 2018 GMT
*  expire date: Mar 25 12:00:00 2020 GMT
*  subjectAltName: host "1.1.1.1" matched cert's IP address!
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert ECC Secure Server CA
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x56265f1dd080)
> GET /dns-query?ct=application/dns-json&name=Cloudflare.com HTTP/2
> Host: 1.1.1.1
> User-Agent: curl/7.60.0
> Accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 200 
< date: Sun, 10 Jun 2018 05:13:43 GMT
< content-type: application/dns-json
< content-length: 289
< access-control-allow-origin: *
< cache-control: max-age=127
< server: Cloudflare-nginx
< cf-ray: 428959b11f62334f-HKG
< 
* Connection #0 to host 1.1.1.1 left intact
{"Status": 0,"TC": false,"RD": true, "RA": true, "AD": true,"CD": false,"Question":[{"name": "Cloudflare.com.", "type": 1}],"Answer":[{"name": "Cloudflare.com.", "type": 1, "TTL": 127, "data": "198.41.215.162"},{"name": "Cloudflare.com.", "type": 1, "TTL": 127, "data": "198.41.214.162"}]}

I would appreciate it if anyone can direct me in the right direction, thanks.

Hi @tengisu, your best chance is probably to ask your ISP (we’ll reach out as well to see if there’s something we can do).

Hi @tengisu, we informed Unitel and we made our own test. It looks like 1.1.1.1 is working fine from Unitel's network right now.
Would you please try again and let us know if it is not?

Thank you @Frankie.H,

I just tried again, still can’t reach any servers. Tried both 1.1.1.1 and 1.0.0.1

dig example.com @1.1.1.1

; <<>> DiG 9.13.0 <<>> example.com @1.1.1.1
;; global options: +cmd
;; connection timed out; no servers could be reached

Here is the curl output

*   Trying 1.1.1.1...
* TCP_NODELAY set
* Connected to 1.1.1.1 (1.1.1.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=*.Cloudflare-dns.com
*  start date: Mar 30 00:00:00 2018 GMT
*  expire date: Mar 25 12:00:00 2020 GMT
*  subjectAltName: host "1.1.1.1" matched cert's IP address!
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert ECC Secure Server CA
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55e363803080)
> GET /dns-query?ct=application/dns-json&name=Cloudflare.com HTTP/2
> Host: 1.1.1.1
> User-Agent: curl/7.60.0
> Accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
< HTTP/2 200 
< date: Fri, 15 Jun 2018 10:55:51 GMT
< content-type: application/dns-json
< content-length: 289
< access-control-allow-origin: *
< cache-control: max-age=407
< server: Cloudflare-nginx
< cf-ray: 42b481bccf6732e9-HKG
< 
* Connection #0 to host 1.1.1.1 left intact
{"Status": 0,"TC": false,"RD": true, "RA": true, "AD": true,"CD": false,"Question":[{"name": "Cloudflare.com.", "type": 1}],"Answer":[{"name": "Cloudflare.com.", "type": 1, "TTL": 407, "data": "198.41.215.162"},{"name": "Cloudflare.com.", "type": 1, "TTL": 407, "data": "198.41.214.162"}]}

I compared this with the old one and there are some differences.

If it seems to be fine from your end is it possible the issue lies with my own routers and switches?

Hi @mvavrusa,

I’ve just sent an email to my ISP asking what’s up. It could be a few days before I get a response though. Hoping it won’t be too long.

You seem to be able to reach the 1.1.1.1 node in HKG over HTTPS, so it seems that just port 53 (DNS), or all UDP traffic, is filtered either at your gateway or ISP. You could set up a Cloudflared or dnscrypt-proxy tunnel over HTTPS if you can’t get regular DNS to work.
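
Added example, not part of the original thread: the dig runs above only exercised UDP port 53 and the curl run only exercised HTTPS, so this sketch also probes TCP port 53 to separate "all of port 53 is filtered" from "only UDP is filtered". The function names, the query ID and the verdict strings are assumptions made for the example.

```python
import socket
import struct
import urllib.request

def build_query(name, qid=0x1234):
    """Wire-format DNS query: one A/IN question, recursion desired."""
    header = struct.pack("!6H", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!2H", 1, 1)

def probe_port53(server, tcp, name="example.com", timeout=3):
    """Plain DNS on port 53: UDP like a default dig, or TCP like dig +tcp."""
    q = build_query(name)
    kind = socket.SOCK_STREAM if tcp else socket.SOCK_DGRAM
    try:
        with socket.socket(socket.AF_INET, kind) as s:
            s.settimeout(timeout)
            s.connect((server, 53))
            if tcp:  # TCP framing: 2-byte length prefix before the message
                s.sendall(struct.pack("!H", len(q)) + q)
                return s.makefile("rb").read(4)[2:] == q[:2]
            s.send(q)
            return s.recv(512)[:2] == q[:2]  # a genuine reply echoes the query ID
    except OSError:  # timeout, reset, unreachable
        return False

def probe_doh(server, name="example.com", timeout=5):
    """The curl test from the thread: JSON DNS over HTTPS on port 443."""
    url = f"https://{server}/dns-query?ct=application/dns-json&name={name}"
    req = urllib.request.Request(url, headers={"Accept": "application/dns-json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return r.status == 200
    except OSError:
        return False

def classify(udp53, tcp53, doh443):
    """Map the three probe results to the likeliest filtering scenario."""
    if udp53:
        return "plain DNS reachable"
    if tcp53:
        return "UDP/53 filtered, TCP/53 open"
    if doh443:
        return "port 53 filtered on UDP and TCP, HTTPS open"
    return "unreachable on every transport tested"

if __name__ == "__main__":
    for ip in ("1.1.1.1", "1.0.0.1"):
        print(ip, classify(probe_port53(ip, False), probe_port53(ip, True), probe_doh(ip)))
```

Running the same three probes from a host behind the home gateway and from one connected directly to the ISP modem shows which of the two devices is doing the filtering.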
