What is the name of the domain?
What is the error number?
“server failure” in DNS response
What is the error message?
“server failure”
What is the issue you’re encountering?
Currently debugging some DoT issues with security.cloudflare-dns.com, I found that there is an inconsistency which I believe is worth looking into from the CF side.
What steps have you taken to resolve the issue?
n/a → a Cloudflare internal issue
What feature, service or problem is this related to?
DNS records
What are the steps to reproduce the issue?
Note: misusing (Windows) nslookup in this test, as nslookup actually does two lookups per single call:
1) reverse (PTR) lookup of the DNS server used
2) the actual DNS record requested
We are interested in 1).
Test (works with 1.1.1.2 or 1.1.1.3):
nslookup -type=A -norecurse -retries=1 -timeout=1 -nosearch one.one.one.one. 1.1.1.2
=> every other time, the reverse lookup (of 1.1.1.2) does not work: you get a server error and 1.1.1.2 is not resolved (flags captured via Wireshark: 0x8082):
“Server: UnKnown
Address: 1.1.1.2”
In contrast, doing the same with 1.1.1.1:
nslookup -type=A -norecurse -retries=1 -timeout=1 -nosearch one.one.one.one. 1.1.1.1
=> works every time (as you would expect), the underlying load-balancing using 1.1.1.1 is NOT visible to the user:
“Server: one.one.one.one
Address: 1.1.1.1”
Note: this problem does not occur if allowing recursion, so it’s easy to work around.
However, I believe if there is one single identity a DNS server cluster is responding with, it should always behave in a consistent way.
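To isolate the PTR half of what nslookup does, the following added example (not part of the original post, and not Cloudflare's code) builds a raw non-recursive PTR query for a resolver's own address, sends it to that resolver over UDP/53 a number of times, and tallies the RCODEs that come back. It also decodes the header flags so a value like the 0x8082 captured above reads as QR set, RA set, RD clear, RCODE 2 (SERVFAIL). The server list, transaction IDs and attempt count are assumptions chosen for illustration; only the two addresses come from the post.

```python
import socket
import struct
import ipaddress
from collections import Counter

# Assumed probe targets (from the post); everything else here is illustrative.
SERVERS = ["1.1.1.2", "1.1.1.1"]

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def reverse_name(ip: str) -> str:
    """in-addr.arpa / ip6.arpa name for an address, i.e. what nslookup looks
    up to print its 'Server:' line (1.1.1.2 -> 2.1.1.1.in-addr.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels plus root byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def build_ptr_query(ip: str, txid: int = 0x1234, recursion_desired: bool = False) -> bytes:
    """Build a PTR query for ip. With recursion_desired=False the RD bit is
    clear, which is what nslookup -norecurse sends."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    question = encode_name(reverse_name(ip)) + struct.pack("!HH", 12, 1)  # PTR, IN
    return header + question


def parse_flags(response: bytes) -> dict:
    """Decode the 12-byte DNS header of a response into its flag bits."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    rcode = flags & 0x000F
    return {
        "txid": txid,
        "flags": flags,
        "qr": bool(flags & 0x8000),   # response bit
        "rd": bool(flags & 0x0100),   # recursion desired (echoed from query)
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": rcode,
        "rcode_name": RCODE_NAMES.get(rcode, str(rcode)),
        "answers": an,
    }


def probe(server: str, attempts: int = 10, timeout: float = 1.0) -> Counter:
    """Send `attempts` non-recursive PTR queries for `server` to `server`
    itself and tally RCODEs. Needs network access; a consistent resolver
    should yield a single RCODE across all attempts."""
    tally = Counter()
    for i in range(attempts):
        txid = 0x1000 + i
        query = build_ptr_query(server, txid=txid)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            try:
                s.sendto(query, (server, 53))
                data, _ = s.recvfrom(512)
            except socket.timeout:
                tally["TIMEOUT"] += 1
                continue
        info = parse_flags(data)
        if info["txid"] != txid:
            tally["TXID-MISMATCH"] += 1  # ignore stray/unmatched datagrams
            continue
        tally[info["rcode_name"]] += 1
    return tally


if __name__ == "__main__":
    for server in SERVERS:
        print(server, dict(probe(server)))
```

Running it prints one tally per server; an intermittent SERVFAIL alongside NOERROR for the same query is the inconsistency described above, while the recursive variant (`recursion_desired=True`) can be compared in the same way.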