[LA] Is Cloudflare extremely unstable for anyone else?


#1

I’ve been using Cloudflare DNS for something like 3 months now, and my experience has been horrible. Especially during October/November, it was nearly impossible to use the internet, as the DNS would fail at least 50% of the time I was in front of a computer. It lasted for about 3 weeks, and I would have to keep constantly switching from Cloudflare to Google, and then back to see if I could connect again from Cloudflare, which is extremely annoying, as I’m on a Pi-hole setup.

Just now, I was unable to connect to any site for about 30 minutes, and it is incredible how common these issues are. I’m in Brazil, and they only assign a single (maybe 2) IPs for DNS (when checking on something like ipleak.net), as opposed to plenty when connecting from a European country. I always try to check cloudflarestatus and it always shows everything as operational, despite the fact that I can’t ping them.

Is there some root cause for these issues? Should I expect that it will be solved, or should I just give up on Cloudflare as my DNS? Are these problems common for other people in Brazil/Latin America and around the world?

Quick screenshot taken just now as example: https://i.imgur.com/1dpdMAb.png


#2

Possibly an issue with your ISP.

  1. Check out Have problems with 1.1.1.1? *Read Me First*
  2. Post the URL https://cloudflare-dns.com/help gives you
  3. Post a traceroute from your machine to 1.1.1.1 and 1.0.0.1

#3

I’m currently connected/correctly resolving with Cloudflare only.

traceroute 1.0.0.1
traceroute to 1.0.0.1 (1.0.0.1), 30 hops max, 60 byte packets
 1  _gateway (192.168.15.1)  0.376 ms  0.528 ms  0.695 ms
 2  179.184.120.131.static.adsl.gvt.net.br (179.184.120.131)  4.633 ms  4.658 ms  4.753 ms
 3  201.22.71.167.dynamic.adsl.gvt.net.br (201.22.71.167)  5.162 ms  5.212 ms  5.209 ms
 4  152-255-140-45.user.vivozap.com.br (152.255.140.45)  22.560 ms  22.490 ms 152-255-140-51.user.vivozap.com.br (152.255.140.51)  21.848 ms
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  _gateway (192.168.15.1)  0.363 ms  0.529 ms  0.665 ms
 2  179.184.120.131.static.adsl.gvt.net.br (179.184.120.131)  4.677 ms  4.718 ms  4.743 ms
 3  201.22.71.163.dynamic.adsl.gvt.net.br (201.22.71.163)  4.848 ms  5.179 ms  5.223 ms
 4  152-255-140-51.user.vivozap.com.br (152.255.140.51)  20.923 ms  20.983 ms  21.022 ms
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

 cloudflared.service - cloudflared DNS over HTTPS proxy
   Loaded: loaded (/lib/systemd/system/cloudflared.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2018-11-29 21:45:46 -02; 3 days ago
 Main PID: 1027 (cloudflared)
    Tasks: 8 (limit: 2236)
   CGroup: /system.slice/cloudflared.service
           └─1027 /usr/local/bin/cloudflared proxy-dns --port 5053 --upstream https://1.0.0.1/.well-known/dns-query --upstream https://2606:4700:4700::1111/dns-query --upstream h$

dez 03 07:13:56 UbuServ cloudflared[1027]: time="2018-12-03T07:13:56-02:00" level=error msg="failed to connect to an HTTPS backend \"https://2606:4700:4700::1001/dns-query\"" err$
dez 03 07:13:56 UbuServ cloudflared[1027]: time="2018-12-03T07:13:56-02:00" level=error msg="failed to connect to an HTTPS backend \"https://1.0.0.1/.well-known/dns-query\"" erro$
dez 03 07:13:56 UbuServ cloudflared[1027]: time="2018-12-03T07:13:56-02:00" level=error msg="failed to connect to an HTTPS backend \"https://2606:4700:4700::1111/dns-query\"" err$
dez 03 07:13:56 UbuServ cloudflared[1027]: time="2018-12-03T07:13:56-02:00" level=error msg="failed to connect to an HTTPS backend \"https://2606:4700:4700::1001/dns-query\"" err$
dez 03 07:13:56 UbuServ cloudflared[1027]: time="2018-12-03T07:13:56-02:00" level=error msg="failed to connect to an HTTPS backend \"https://1.0.0.1/.well-known/dns-query\"" erro$
dez 03 07:13:56 UbuServ cloudflared[1027]: time="2018-12-03T07:13:56-02:00" level=error msg="failed to connect to an HTTPS backend \"https://2606:4700:4700::1111/dns-query\"" err$
dez 03 07:13:56 UbuServ cloudflared[1027]: time="2018-12-03T07:13:56-02:00" level=error msg="failed to connect to an HTTPS backend \"https://2606:4700:4700::1001/dns-query\"" err$
dez 03 07:13:56 UbuServ cloudflared[1027]: time="2018-12-03T07:13:56-02:00" level=error msg="failed to connect to an HTTPS backend \"https://1.0.0.1/.well-known/dns-query\"" erro$
dez 03 07:13:56 UbuServ cloudflared[1027]: time="2018-12-03T07:13:56-02:00" level=error msg="failed to connect to an HTTPS backend \"https://2606:4700:4700::1111/dns-query\"" err$
dez 03 07:13:56 UbuServ cloudflared[1027]: time="2018-12-03T07:13:56-02:00" level=error msg="failed to connect to an HTTPS backend \"https://2606:4700:4700::1001/dns-query\"" err$

#4

Can you also post a traceroute to cloudflare.com?


#5
traceroute cloudfare.com
traceroute to cloudfare.com (103.224.182.242), 30 hops max, 60 byte packets
 1  _gateway (192.168.15.1)  0.417 ms  0.577 ms  0.699 ms
 2  179.184.120.131.static.adsl.gvt.net.br (179.184.120.131)  4.708 ms  4.847 ms  5.134 ms
 3  201.22.71.171.dynamic.adsl.gvt.net.br (201.22.71.171)  4.904 ms  5.000 ms  5.059 ms
 4  152-255-131-74.user.vivozap.com.br (152.255.131.74)  4.748 ms 152-255-131-68.user.vivozap.com.br (152.255.131.68)  9.055 ms  9.112 ms
 5  152-255-140-51.user.vivozap.com.br (152.255.140.51)  20.218 ms 152-255-140-45.user.vivozap.com.br (152.255.140.45)  25.203 ms 152-255-140-51.user.vivozap.com.br (152.255.140.51)  20.281 ms
 6  xe-7-0-17-4-grtsanem4.priv.net.telefonicaglobalsolutions.com (216.184.112.100)  26.949 ms  24.638 ms  30.921 ms
 7  94.142.98.177 (94.142.98.177)  127.300 ms 176.52.255.65 (176.52.255.65)  130.058 ms 5.53.5.99 (5.53.5.99)  129.797 ms
 8  84.16.14.189 (84.16.14.189)  132.481 ms 84.16.15.129 (84.16.15.129)  127.025 ms  127.021 ms
 9  84.16.14.189 (84.16.14.189)  129.543 ms  131.702 ms  131.979 ms
10  be3017.ccr21.mia03.atlas.cogentco.com (154.54.11.157)  130.978 ms  129.072 ms  129.051 ms
11  be3569.ccr41.iah01.atlas.cogentco.com (154.54.82.241)  163.355 ms  163.190 ms be3400.ccr21.mia01.atlas.cogentco.com (154.54.47.17)  129.530 ms
12  be2928.ccr21.elp01.atlas.cogentco.com (154.54.30.162)  176.765 ms be3569.ccr41.iah01.atlas.cogentco.com (154.54.82.241)  158.455 ms be3570.ccr42.iah01.atlas.cogentco.com (154.54.84.1)  157.986 ms
13  be2928.ccr21.elp01.atlas.cogentco.com (154.54.30.162)  174.027 ms be2929.ccr31.phx01.atlas.cogentco.com (154.54.42.65)  185.372 ms be2927.ccr21.elp01.atlas.cogentco.com (154.54.29.222)  174.642 ms
14  be2940.rcr51.san01.atlas.cogentco.com (154.54.6.121)  197.959 ms be2930.ccr32.phx01.atlas.cogentco.com (154.54.42.77)  183.038 ms be2940.rcr51.san01.atlas.cogentco.com (154.54.6.121)  197.809 ms
15  be2941.rcr52.san01.atlas.cogentco.com (154.54.41.33)  194.585 ms  194.588 ms te0-0-2-0.nr11.b022887-0.san01.atlas.cogentco.com (154.24.7.226)  192.501 ms
16  38.140.111.58 (38.140.111.58)  195.338 ms te0-0-2-0.nr11.b022887-0.san01.atlas.cogentco.com (154.24.7.226)  191.766 ms  192.027 ms
17  sw03-san.trellian.com (103.224.213.253)  198.081 ms 38.140.111.58 (38.140.111.58)  193.853 ms sw03-san.trellian.com (103.224.213.253)  197.313 ms
18  sw03-san.trellian.com (103.224.213.253)  194.031 ms * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

traceroute google.com
traceroute to google.com (172.217.29.142), 30 hops max, 60 byte packets
 1  _gateway (192.168.15.1)  0.467 ms  0.628 ms  0.769 ms
 2  179.184.120.131.static.adsl.gvt.net.br (179.184.120.131)  5.158 ms  5.207 ms  5.318 ms
 3  201.22.71.173.dynamic.adsl.gvt.net.br (201.22.71.173)  5.401 ms  5.618 ms  5.672 ms
 4  152-255-140-69.user.vivozap.com.br (152.255.140.69)  24.059 ms  24.111 ms 152-255-140-27.user.vivozap.com.br (152.255.140.27)  26.529 ms
 5  72.14.198.181 (72.14.198.181)  22.760 ms  22.692 ms  22.798 ms
 6  74.125.243.3 (74.125.243.3)  26.421 ms 108.170.245.131 (108.170.245.131)  15.567 ms 74.125.243.3 (74.125.243.3)  20.058 ms
 7  108.170.245.225 (108.170.245.225)  22.343 ms  22.452 ms 108.170.245.193 (108.170.245.193)  22.638 ms
 8  209.85.240.241 (209.85.240.241)  17.942 ms  17.999 ms 209.85.240.243 (209.85.240.243)  22.656 ms
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

traceroute6 google.com
traceroute to  (2800:3f0:4001:808::200e) from 2804:7f3:68d:7b4b:d75c:d3e:1476:c82e, 30 hops max, 24 byte packets
 1  ssl.google-analytics.com (2804:7f3:68d:7b4b:1272:23ff:fe18:db75)  0,472 ms  0,508 ms  0,379 ms
 2  ssl.google-analytics.com (2804:7f4:2000:1::14e)  1,483 ms  0,883 ms  2,299 ms
 3  2804:7f4:2000:1000::633 (2804:7f4:2000:1000::633)  2,909 ms  3,334 ms  2,38 ms
 4  * 2001:12e0:100:5012:a090:5012:a009:4 (2001:12e0:100:5012:a090:5012:a009:4)  2,166 ms *
 5  * 2001:12e0:100:1043:a090:5012:a090:10 (2001:12e0:100:1043:a090:5012:a090:10)  16,672 ms *
 6  * * *
 7  2001:4860:1:1:0:49c1:0:22 (2001:4860:1:1:0:49c1:0:22)  15,698 ms  14,712 ms  14,661 ms
 8  2800:3f0:8000:59::1:1 (2800:3f0:8000:59::1:1)  19,728 ms  20,822 ms  19,545 ms
 9  2001:4860:0:1::1eb8 (2001:4860:0:1::1eb8)  15,288 ms  14,532 ms  14,528 ms
10  2001:4860:0:1094::2 (2001:4860:0:1094::2)  19,711 ms  19,232 ms  19,666 ms
11  2001:4860:0:1097::1 (2001:4860:0:1097::1)  20,112 ms  19,947 ms  19,614 ms
12  2001:4860:0:1::7e7 (2001:4860:0:1::7e7)  14,941 ms  16,453 ms  14,819 ms
13  2800:3f0:4001:808::200e (2800:3f0:4001:808::200e)  14,432 ms  15,646 ms  14,718 ms

dig @127.0.0.1 cloudfare.com

; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> @127.0.0.1 cloudfare.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6555
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cloudfare.com.			IN	A

;; ANSWER SECTION:
cloudfare.com.		3359	IN	A	103.224.182.242

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 03 07:27:55 -02 2018
;; MSG SIZE  rcvd: 58


#6

It would appear as if requests to Cloudflare’s DNS servers are dropped somewhere in the 152.255 vivozap.com.br network.

That’s something your ISP would need to sort out, I am afraid.


#7

Thanks. So I’m having to rely solely on the IPv6 DNS address, and when that fails I fail to resolve hostnames?


#8

Can you resolve hostnames when you connect to Cloudflare’s DNS using IPv6?


#9

I’m using both of these:

And currently, the DNS I get from ipleak is only 172.68.19.118, which is Cloudflare’s server in Sao Paulo.

Right now internet is working perfectly, as far as I can notice.


#10

Alright, so yes, it seems as if your ISP “only” hijacks their IPv4 addresses.

Similar issue at Routing issues with Telefonica Brasil (Vivo)


#11

I knew they hijacked 1.1.1.1 back to the router settings page, that’s why I went with 1.0.0.1. Curiously, I’m currently successfully landing on Cloudflare’s page when I go to 1.1.1.1 on Firefox, which didn’t happen back when I set up the DNS.


#12

If you can open the site you should be able to contact the DNS server too; however, in that case the traceroute shouldn’t stop either.


#13

Yeah, successfully landing on the Cloudflare page with both 1.1.1.1 and 1.0.0.1 on both Firefox and Chrome, tested both on desktop and mobile. But the traceroute to both still stops at

4 152-255-140-45.user.vivozap.com.br (152.255.140.45) 26.171 ms 152-255-140-51.user.vivozap.com.br (152.255.140.51) 25.104 ms 152-255-140-45.user.vivozap.com.br (152.255.140.45) 26.508 ms

I’ll try contacting them, maybe I’ll have some luck. Thanks.


#14

Hmm, that’s weird, as an IP hijack should affect everything and the site shouldn’t load either. That way it seems as if HTTP requests actually reach Cloudflare but ICMP and DNS requests do not, and that would seem strange, particularly considering that it is not plain UDP DNS but DNS-over-HTTPS (same as the web page you said you can open).
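
Added example, not part of the thread: a small parser for the Linux traceroute output posted above that reports the last hop that answered, so traces to different destinations can be compared instead of read by eye. The function names are hypothetical, and the two sample traces are abridged from the outputs in #3 and #5 (some hops and most of the silent tail trimmed).

```python
import re

HEADER = re.compile(r"traceroute to\s+(?:\S+\s+)?\(([^)]+)\)")
HOP = re.compile(r"^\s*(\d+)\s+(.*)$")
RESPONDER = re.compile(r"(\S+) \(([0-9A-Fa-f.:]+)\)")

def summarize(trace):
    """Summarize one traceroute run: last answering hop, and whether the target replied."""
    target, hops = None, []
    for line in trace.splitlines():
        header = HEADER.match(line.strip())
        if header:
            target = header.group(1)
            continue
        hop = HOP.match(line)
        if hop:
            # A hop may list several responders (load balancing) or none ("* * *").
            hops.append((int(hop.group(1)), RESPONDER.findall(hop.group(2))))
    answered = [(ttl, seen) for ttl, seen in hops if seen]
    last_ttl, last_seen = answered[-1] if answered else (0, [])
    return {
        "target": target,
        "reached": any(ip == target for _, ip in last_seen),
        "last_ttl": last_ttl,
        "last_hosts": sorted({host for host, _ in last_seen}),
        "silent_tail": (hops[-1][0] - last_ttl) if hops else 0,
    }

def stalls_inside(traces, suffix):
    """Targets never reached whose last answering hop has a hostname under `suffix`."""
    summaries = [summarize(t) for t in traces]
    return [s["target"] for s in summaries
            if not s["reached"] and any(h.endswith(suffix) for h in s["last_hosts"])]

# Abridged from post #3 (trace to 1.1.1.1).
TRACE_1111 = """traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 3  201.22.71.163.dynamic.adsl.gvt.net.br (201.22.71.163)  4.848 ms  5.179 ms  5.223 ms
 4  152-255-140-51.user.vivozap.com.br (152.255.140.51)  20.923 ms  20.983 ms  21.022 ms
 5  * * *
 6  * * *
"""
# Abridged from post #5 (trace to google.com).
TRACE_GOOGLE = """traceroute to google.com (172.217.29.142), 30 hops max, 60 byte packets
 4  152-255-140-69.user.vivozap.com.br (152.255.140.69)  24.059 ms  24.111 ms
 8  209.85.240.241 (209.85.240.241)  17.942 ms  17.999 ms 209.85.240.243 (209.85.240.243)  22.656 ms
 9  * * *
"""
```

Neither sample trace reaches its target, so a silent tail on its own is not the signal; what differs is that the 1.1.1.1 trace's last answering hop is still under vivozap.com.br while the Google trace gets several hops past it. As #14 points out, a silent traceroute only shows that the probes went unanswered and says nothing about whether HTTPS to the same address works.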