Hi, recently I’ve been having trouble connecting to Cloudflare’s DNS over HTTPS from a firewalled network.
I’d like to be sure if there’s something I can do, or if I should start paying for a VPN.
Following cscharff’s suggestions, here are the test results:
https://1.1.1.1/help: https://1.1.1.1/help#eyJpc0NmIjoiTm8iLCJpc0RvdCI6Ik5vIiwiaXNEb2giOiJObyIsInJlc29sdmVySXAtMS4xLjEuMSI6IlllcyIsInJlc29sdmVySXAtMS4wLjAuMSI6IlllcyIsInJlc29sdmVySXAtMjYwNjo0NzAwOjQ3MDA6OjExMTEiOiJObyIsInJlc29sdmVySXAtMjYwNjo0NzAwOjQ3MDA6OjEwMDEiOiJObyIsImRhdGFjZW50ZXJMb2NhdGlvbiI6Ik1YUCIsImlzcE5hbWUiOiJFLU1pbmQgU3JsIiwiaXNwQXNuIjoiNDk1MzUifQ==
Tests1
C:\WINDOWS\system32>nslookup example.com 1.1.1.1
Server: one.one.one.one
Address: 1.1.1.1
Non-authoritative answer:
Name: example.com
Addresses: 2606:2800:220:1:248:1893:25c8:1946
93.184.216.34
C:\WINDOWS\system32>nslookup example.com 1.0.0.1
Server: one.one.one.one
Address: 1.0.0.1
Non-authoritative answer:
Name: example.com
Addresses: 2606:2800:220:1:248:1893:25c8:1946
93.184.216.34
C:\WINDOWS\system32>nslookup example.com 8.8.8.8
Server: dns.google
Address: 8.8.8.8
Non-authoritative answer:
Name: example.com
Addresses: 2606:2800:220:1:248:1893:25c8:1946
93.184.216.34
C:\WINDOWS\system32>nslookup -class=chaos -type=txt id.server 1.1.1.1
Server: one.one.one.one
Address: 1.1.1.1
*** one.one.one.one can't find id.server: Not implemented
C:\WINDOWS\system32>nslookup -class=chaos -type=txt id.server 1.0.0.1
Server: one.one.one.one
Address: 1.0.0.1
*** one.one.one.one can't find id.server: Not implemented
Tests2
C:\WINDOWS\system32>tracert 1.1.1.1
Tracing route to one.one.one.one [1.1.1.1]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms cp.bearzi.it [10.201.0.1]
2 1 ms <1 ms <1 ms 151.14.29.146
3 6 ms 6 ms 6 ms 151.14.28.9
4 6 ms 6 ms 6 ms 151.6.48.8
5 6 ms 6 ms 6 ms 151.6.48.92
6 9 ms 20 ms 10 ms micl-n01-mica-t02-po02.wind.it [151.6.2.50]
7 11 ms 10 ms 10 ms miot-to2-rmid-t02-po02.wind.it [151.6.7.5]
8 10 ms 11 ms 14 ms cloudflare.mix-it.net [217.29.66.167]
9 9 ms 9 ms 9 ms one.one.one.one [1.1.1.1]
Trace complete.
C:\WINDOWS\system32>tracert 1.0.0.1
Tracing route to one.one.one.one [1.0.0.1]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms cp.bearzi.it [10.201.0.1]
2 <1 ms <1 ms <1 ms 151.14.29.146
3 6 ms 6 ms 22 ms 151.14.28.9
4 6 ms 6 ms 6 ms 151.6.48.8
5 6 ms 6 ms 6 ms 151.6.48.92
6 10 ms 10 ms 9 ms micl-n01-mica-t02-po02.wind.it [151.6.2.50]
7 10 ms 10 ms 10 ms 151.6.1.178
8 11 ms * * cloudflare.mix-it.net [217.29.66.167]
9 9 ms 10 ms 9 ms one.one.one.one [1.0.0.1]
Trace complete.
C:\WINDOWS\system32>nslookup -class=chaos -type=txt id.server 1.1.1.1
Server: one.one.one.one
Address: 1.1.1.1
*** one.one.one.one can't find id.server: Not implemented
C:\WINDOWS\system32>nslookup -class=chaos -type=txt id.server 1.0.0.1
Server: one.one.one.one
Address: 1.0.0.1
*** one.one.one.one can't find id.server: Not implemented
C:\WINDOWS\system32>nslookup -vc -class=chaos -type=txt id.server 1.1.1.1
Server: one.one.one.one
Address: 1.1.1.1
*** one.one.one.one can't find id.server: Not implemented
C:\WINDOWS\system32>nslookup -vc -class=chaos -type=txt id.server 1.0.0.1
Server: one.one.one.one
Address: 1.0.0.1
*** one.one.one.one can't find id.server: Not implemented
Tests3
(Invoke-WebRequest -Uri 'https://1.1.1.1/dns-query?ct=application/dns-json&name=Cloudflare.com').RawContent
HTTP/1.1 200 OK
Connection: keep-alive
Access-Control-Allow-Origin: *
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
CF-RAY: 531e74e8684c4356-MXP
Content-Length: 289
Cache-Control: max-age=147
Content-Type: application/dns-json
Date: Thu, 07 Nov 2019 09:59:49 GMT
Server: cloudflare
{"Status": 0,"TC": false,"RD": true, "RA": true, "AD": true,"CD": false,"Question":[{"name": "Cloudflare.com.", "type": 1}],"Answer":[{"name": "cloudflare.com.", "type": 1, "TTL": 147, "data": "198.41.214.162"},{"name": "cloudflare.com.", "type": 1, "TTL": 147, "data": "198.41.215.162"}]}
I’m using Chrome with --enable-features="dns-over-https<DoHTrial" --force-fieldtrials="DoHTrial/Group1" --force-fieldtrial-params="DoHTrial.Group1:server/https%3A%2F%2F1.1.1.1%2Fdns-query/method/POST" parameters, but I’ve also tried with Firefox.
Are they blocking 443 traffic to the DNS resolver? Then why doesn’t the test with OpenSSL fail?
I’d like to figure out what’s happening.
Thank you!