More queries made by Cloudflare than Google DNS?

milk · May 30, 2022, 3:39pm

I’m testing out the new https://dnscheck.tools/ website to find out which DNS servers are making queries on your behalf. I’m using DoH in Chrome to get the most pure results (Settings → Privacy and security → Security → Use secure DNS → With: Customised) as I noticed my local dnsmasq was making duplicate queries.

When using Google’s https://8.8.8.8/dns-query as resolver I noticed that the test will always end with dns requests received: 22. When using Cloudflare’s https://1.1.1.1/dns-query this will be either 39 or 40 requests. This is using dual stack IPv4 and IPv6. With IPv4 only I get 11 requests from Google and 20 from Cloudflare. This is from AMS location. I noticed exactly the same behaviour from ZAG, MRS, FRA and HKG.

Would it be possible to investigate why these (possibly redundant) extra queries are made?
(@mvavrusa)

I also noticed that some IP ranges have different names (Cloudflare-EU and CLOUDFLARENET-EU). The BGP netname confirms this: 141.101.64.0/24 and 141.101.75.0/24. Would it be possible to join these together under one name? Possibly by Cloudflare’s NOC. Or is there a reason these are different?

CLOUDFLARE-EU (8 requests from 2 resolvers)
141.101.75.117	(ptr darl.ns.cloudflare.com)	(Amsterdam, North Holland, NL)
141.101.75.116	(ptr darl.ns.cloudflare.com)	(Amsterdam, North Holland, NL)

CLOUDFLARENET-EU (14 requests from 3 resolvers)
141.101.64.77	(ptr darl.ns.cloudflare.com)	(Amsterdam, North Holland, NL)
141.101.64.80	(ptr darl.ns.cloudflare.com)	(Amsterdam, North Holland, NL)
141.101.64.81	(ptr darl.ns.cloudflare.com)	(Amsterdam, North Holland, NL)

Cloudflare (18 requests from 4 resolvers)
2400:cb00:20:1024::8d65:4050	(ptr chloe.ns.cloudflare.com)	(Amsterdam, North Holland, NL)
2400:cb00:20:1024::8d65:4051	(ptr chloe.ns.cloudflare.com)	(Amsterdam, North Holland, NL)
2400:cb00:20:1024::8d65:4b74	(ptr chloe.ns.cloudflare.com)	(Amsterdam, North Holland, NL)
2400:cb00:20:1024::8d65:4b75	(ptr chloe.ns.cloudflare.com)	(Amsterdam, North Holland, NL)

wouter · May 30, 2022, 5:19pm

A very cool tool!

I tried using their /watch/[random-id] endpoint, and then doing a single DoH request (via curl), and it showed just a single query. Doing another one shows another.

If I watch the developer tools on the link you provided it just keeps trying different URLs and the numbers just keep going up. Don’t know why, you’d have to ask them

milk · May 31, 2022, 8:04am

Using the /watch/ and “click here to generate some requests” I found some interesting results. Cloudflare seems to use 2 different servers for IPv4 and 3 different IPv6 servers to do exactly the same queries, instead of one for every protocol like Google does. This should result in 2.5x the amount of queries, which follows from the results as well: Google does 12 queries and Cloudflare does 30 (12*2.5). It also seems that Cloudflare uses TCP for one third of IPv6 requests. I do not understand why.

Google DNS:

{"time":1653983252,"proto":"udp","remoteIp":"2a00:1450:4013:c06::102","remotePort":"61691","msgText":";; opcode: QUERY, status: NOERROR, id: 53058\n;; flags: cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1400\n\n;; QUESTION SECTION:\n;watch-bbbbbb3-noreply.go.dnscheck.tools.\tIN\t AAAA\n\n;; CLIENT: udp:[2a00:1450:4013:c06::102]:61691\n;; WHEN: Tue May 31 07:47:32 UTC 2022"}
{"time":1653983252,"proto":"udp","remoteIp":"2a00:1450:4013:c00::108","remotePort":"56246","msgText":";; opcode: QUERY, status: NOERROR, id: 53068\n;; flags: cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1400\n\n;; QUESTION SECTION:\n;watch-bbbbbb3-noreply.go.dnscheck.tools.\tIN\t A\n\n;; CLIENT: udp:[2a00:1450:4013:c00::108]:56246\n;; WHEN: Tue May 31 07:47:32 UTC 2022"}
{"time":1653983253,"proto":"udp","remoteIp":"173.194.169.10","remotePort":"53983","msgText":";; opcode: QUERY, status: NOERROR, id: 23147\n;; flags: cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1400\n; SUBNET: 89.98.123.0/24/0\n\n;; QUESTION SECTION:\n;watch-bbbbbb3-noreply.go.dnscheck.tools.\tIN\t A\n\n;; CLIENT: udp:173.194.169.10:53983\n;; WHEN: Tue May 31 07:47:33 UTC 2022"}
{"time":1653983253,"proto":"udp","remoteIp":"172.253.11.204","remotePort":"36892","msgText":";; opcode: QUERY, status: NOERROR, id: 40004\n;; flags: cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1400\n; SUBNET: 89.98.123.0/24/0\n\n;; QUESTION SECTION:\n;watch-bbbbbb3-noreply.go.dnscheck.tools.\tIN\t AAAA\n\n;; CLIENT: udp:172.253.11.204:36892\n;; WHEN: Tue May 31 07:47:33 UTC 2022"}
{"time":1653983254,"proto":"udp","remoteIp":"2a00:1450:4013:c14::106","remotePort":"36800","msgText":";; opcode: QUERY, status: NOERROR, id: 11727\n;; flags: cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1400\n\n;; QUESTION SECTION:\n;watch-bbbbbb2-noreply.go.dnscheck.tools.\tIN\t A\n\n;; CLIENT: udp:[2a00:1450:4013:c14::106]:36800\n;; WHEN: Tue May 31 07:47:34 UTC 2022"}
{"time":1653983254,"proto":"udp","remoteIp":"2a00:1450:4013:c08::104","remotePort":"52215","msgText":";; opcode: QUERY, status: NOERROR, id: 8734\n;; flags: cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1400\n; SUBNET: 89.98.123.0/24/0\n\n;; QUESTION SECTION:\n;watch-bbbbbb2-noreply.go.dnscheck.tools.\tIN\t AAAA\n\n;; CLIENT: udp:[2a00:1450:4013:c08::104]:52215\n;; WHEN: Tue May 31 07:47:34 UTC 2022"}
{"time":1653983255,"proto":"udp","remoteIp":"173.194.170.12","remotePort":"58382","msgText":";; opcode: QUERY, status: NOERROR, id: 47641\n;; flags: cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1400\n\n;; QUESTION SECTION:\n;watch-bbbbbb2-noreply.go.dnscheck.tools.\tIN\t A\n\n;; CLIENT: udp:173.194.170.12:58382\n;; WHEN: Tue May 31 07:47:35 UTC 2022"}
{"time":1653983255,"proto":"udp","remoteIp":"173.194.169.9","remotePort":"36325","msgText":";; opcode: QUERY, status: NOERROR, id: 10740\n;; flags: cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1400\n\n;; QUESTION SECTION:\n;watch-bbbbbb2-noreply.go.dnscheck.tools.\tIN\t AAAA\n\n;; CLIENT: udp:173.194.169.9:36325\n;; WHEN: Tue May 31 07:47:35 UTC 2022"}
{"time":1653983256,"proto":"udp","remoteIp":"2a00:1450:4013:c1a::108","remotePort":"55134","msgText":";; opcode: QUERY, status: NOERROR, id: 6996\n;; flags: cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1400\n; SUBNET: 89.98.123.0/24/0\n\n;; QUESTION SECTION:\n;watch-bbbbbb1-noreply.go.dnscheck.tools.\tIN\t A\n\n;; CLIENT: udp:[2a00:1450:4013:c1a::108]:55134\n;; WHEN: Tue May 31 07:47:36 UTC 2022"}
{"time":1653983256,"proto":"udp","remoteIp":"2a00:1450:4013:c05::106","remotePort":"46681","msgText":";; opcode: QUERY, status: NOERROR, id: 41138\n;; flags: cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1400\n\n;; QUESTION SECTION:\n;watch-bbbbbb1-noreply.go.dnscheck.tools.\tIN\t AAAA\n\n;; CLIENT: udp:[2a00:1450:4013:c05::106]:46681\n;; WHEN: Tue May 31 07:47:36 UTC 2022"}
{"time":1653983257,"proto":"udp","remoteIp":"172.253.11.195","remotePort":"38779","msgText":";; opcode: QUERY, status: NOERROR, id: 53969\n;; flags: cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1400\n; SUBNET: 89.98.123.0/24/0\n\n;; QUESTION SECTION:\n;watch-bbbbbb1-noreply.go.dnscheck.tools.\tIN\t A\n\n;; CLIENT: udp:172.253.11.195:38779\n;; WHEN: Tue May 31 07:47:37 UTC 2022"}
{"time":1653983257,"proto":"udp","remoteIp":"172.253.7.201","remotePort":"50290","msgText":";; opcode: QUERY, status: NOERROR, id: 26498\n;; flags: cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1400\n; SUBNET: 89.98.123.0/24/0\n\n;; QUESTION SECTION:\n;watch-bbbbbb1-noreply.go.dnscheck.tools.\tIN\t AAAA\n\n;; CLIENT: udp:172.253.7.201:50290\n;; WHEN: Tue May 31 07:47:37 UTC 2022"}

Cloudflare DNS:

{"time":1653983389,"proto":"udp","remoteIp":"141.101.64.81","remotePort":"38131","msgText":";; opcode: QUERY, status: NOERROR, id: 22323\n;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1452\n\n;; QUESTION SECTION:\n;watch-bbbbbb3-noreply.go.dnscheck.tools.\tIN\t A\n\n;; CLIENT: udp:141.101.64.81:38131\n;; WHEN: Tue May 31 07:49:49 UTC 2022"}
{"time":1653983389,"proto":"udp","remoteIp":"141.101.64.80","remotePort":"13653","msgText":";; opcode: QUERY, status: NOERROR, id: 28742\n;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1452\n\n;; QUESTION SECTION:\n;watch-bbbbbb3-noreply.go.dnscheck.tools.\tIN\t AAAA\n\n;; CLIENT: udp:141.101.64.80:13653\n;; WHEN: Tue May 31 07:49:49 UTC 2022"}
{"time":1653983389,"proto":"udp","remoteIp":"141.101.64.81","remotePort":"38131","msgText":";; opcode: QUERY, status: NOERROR, id: 22323\n;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1452\n\n;; QUESTION SECTION:\n;watch-bbbbbb3-noreply.go.dnscheck.tools.\tIN\t A\n\n;; CLIENT: udp:141.101.64.81:38131\n;; WHEN: Tue May 31 07:49:49 UTC 2022"}
{"time":1653983389,"proto":"udp","remoteIp":"141.101.64.80","remotePort":"13653","msgText":";; opcode: QUERY, status: NOERROR, id: 28742\n;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1452\n\n;; QUESTION SECTION:\n;watch-bbbbbb3-noreply.go.dnscheck.tools.\tIN\t AAAA\n\n;; CLIENT: udp:141.101.64.80:13653\n;; WHEN: Tue May 31 07:49:49 UTC 2022"}
{"time":1653983389,"proto":"udp","remoteIp":"2400:cb00:20:1024::8d65:4051","remotePort":"26058","msgText":";; opcode: QUERY, status: NOERROR, id: 22323\n;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1452\n\n;; QUESTION SECTION:\n;watch-bbbbbb3-noreply.go.dnscheck.tools.\tIN\t A\n\n;; CLIENT: udp:[2400:cb00:20:1024::8d65:4051]:26058\n;; WHEN: Tue May 31 07:49:49 UTC 2022"}
{"time":1653983389,"proto":"tcp","remoteIp":"2400:cb00:20:1024::8d65:4051","remotePort":"16366","msgText":";; opcode: QUERY, status: NOERROR, id: 22323\n;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1452\n\n;; QUESTION SECTION:\n;watch-bbbbbb3-noreply.go.dnscheck.tools.\tIN\t A\n\n;; CLIENT: tcp:[2400:cb00:20:1024::8d65:4051]:16366\n;; WHEN: Tue May 31 07:49:49 UTC 2022"}
{"time":1653983389,"proto":"udp","remoteIp":"2400:cb00:20:1024::8d65:4050","remotePort":"42651","msgText":";; opcode: QUERY, status: NOERROR, id: 28742\n;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1452\n\n;; QUESTION SECTION:\n;watch-bbbbbb3-noreply.go.dnscheck.tools.\tIN\t AAAA\n\n;; CLIENT: udp:[2400:cb00:20:1024::8d65:4050]:42651\n;; WHEN: Tue May 31 07:49:49 UTC 2022"}
{"time":1653983390,"proto":"tcp","remoteIp":"2400:cb00:20:1024::8d65:4050","remotePort":"64756","msgText":";; opcode: QUERY, status: NOERROR, id: 28742\n;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1452\n\n;; QUESTION SECTION:\n;watch-bbbbbb3-noreply.go.dnscheck.tools.\tIN\t AAAA\n\n;; CLIENT: tcp:[2400:cb00:20:1024::8d65:4050]:64756\n;; WHEN: Tue May 31 07:49:50 UTC 2022"}
{"time":1653983390,"proto":"udp","remoteIp":"2400:cb00:20:1024::8d65:4051","remotePort":"26058","msgText":";; opcode: QUERY, status: NOERROR, id: 22323\n;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1452\n\n;; QUESTION SECTION:\n;watch-bbbbbb3-noreply.go.dnscheck.tools.\tIN\t A\n\n;; CLIENT: udp:[2400:cb00:20:1024::8d65:4051]:26058\n;; WHEN: Tue May 31 07:49:50 UTC 2022"}
{"time":1653983390,"proto":"udp","remoteIp":"2400:cb00:20:1024::8d65:4050","remotePort":"42651","msgText":";; opcode: QUERY, status: NOERROR, id: 28742\n;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1452\n\n;; QUESTION SECTION:\n;watch-bbbbbb3-noreply.go.dnscheck.tools.\tIN\t AAAA\n\n;; CLIENT: udp:[2400:cb00:20:1024::8d65:4050]:42651\n;; WHEN: Tue May 31 07:49:50 UTC 2022"}
{"time":1653983391,"proto":"udp","remoteIp":"141.101.64.77","remotePort":"43579","msgText":";; opcode: QUERY, status: NOERROR, id: 39447\n;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1452\n\n;; QUESTION SECTION:\n;watch-bbbbbb2-noreply.go.dnscheck.tools.\tIN\t A\n\n;; CLIENT: udp:141.101.64.77:43579\n;; WHEN: Tue May 31 07:49:51 UTC 2022"}
{"time":1653983391,"proto":"udp","remoteIp":"141.101.75.117","remotePort":"64485","msgText":";; opcode: QUERY, status: NOERROR, id: 43733\n;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1452\n\n;; QUESTION SECTION:\n;watch-bbbbbb2-noreply.go.dnscheck.tools.\tIN\t AAAA\n\n;; CLIENT: udp:141.101.75.117:64485\n;; WHEN: Tue May 31 07:49:51 UTC 2022"}
{"time":1653983391,"proto":"udp","remoteIp":"141.101.64.77","remotePort":"43579","msgText":";; opcode: QUERY, status: NOERROR, id: 39447\n;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1452\n\n;; QUESTION SECTION:\n;watch-bbbbbb2-noreply.go.dnscheck.tools.\tIN\t A\n\n;; CLIENT: udp:141.101.64.77:43579\n;; WHEN: Tue May 31 07:49:51 UTC 2022"}
{"time":1653983391,"proto":"udp","remoteIp":"141.101.75.117","remotePort":"64485","msgText":";; opcode: QUERY, status: NOERROR, id: 43733\n;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1452\n\n;; QUESTION SECTION:\n;watch-bbbbbb2-noreply.go.dnscheck.tools.\tIN\t AAAA\n\n;; CLIENT: udp:141.101.75.117:64485\n;; WHEN: Tue May 31 07:49:51 UTC 2022"}
{"time":1653983391,"proto":"udp","remoteIp":"2400:cb00:20:1024::8d65:404d","remotePort":"34892","msgText":";; opcode: QUERY, status: NOERROR, id: 39447\n;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1452\n\n;; QUESTION SECTION:\n;watch-bbbbbb2-noreply.go.dnscheck.tools.\tIN\t A\n\n;; CLIENT: udp:[2400:cb00:20:1024::8d65:404d]:34892\n;; WHEN: Tue May 31 07:49:51 UTC 2022"}
{"time":1653983391,"proto":"udp","remoteIp":"2400:cb00:20:1024::8d65:4b75","remotePort":"24362","msgText":";; opcode: QUERY, status: NOERROR, id: 43733\n;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1452\n\n;; QUESTION SECTION:\n;watch-bbbbbb2-noreply.go.dnscheck.tools.\tIN\t AAAA\n\n;; CLIENT: udp:[2400:cb00:20:1024::8d65:4b75]:24362\n;; WHEN: Tue May 31 07:49:51 UTC 2022"}
{"time":1653983391,"proto":"tcp","remoteIp":"2400:cb00:20:1024::8d65:404d","remotePort":"26452","msgText":";; opcode: QUERY, status: NOERROR, id: 39447\n;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1452\n\n;; QUESTION SECTION:\n;watch-bbbbbb2-noreply.go.dnscheck.tools.\tIN\t A\n\n;; CLIENT: tcp:[2400:cb00:20:1024::8d65:404d]:26452\n;; WHEN: Tue May 31 07:49:51 UTC 2022"}
{"time":1653983391,"proto":"tcp","remoteIp":"2400:cb00:20:1024::8d65:4b75","remotePort":"39858","msgText":";; opcode: QUERY, status: NOERROR, id: 43733\n;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1452\n\n;; QUESTION SECTION:\n;watch-bbbbbb2-noreply.go.dnscheck.tools.\tIN\t AAAA\n\n;; CLIENT: tcp:[2400:cb00:20:1024::8d65:4b75]:39858\n;; WHEN: Tue May 31 07:49:51 UTC 2022"}
{"time":1653983392,"proto":"udp","remoteIp":"2400:cb00:20:1024::8d65:404d","remotePort":"34892","msgText":";; opcode: QUERY, status: NOERROR, id: 39447\n;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1452\n\n;; QUESTION SECTION:\n;watch-bbbbbb2-noreply.go.dnscheck.tools.\tIN\t A\n\n;; CLIENT: udp:[2400:cb00:20:1024::8d65:404d]:34892\n;; WHEN: Tue May 31 07:49:52 UTC 2022"}
{"time":1653983392,"proto":"udp","remoteIp":"2400:cb00:20:1024::8d65:4b75","remotePort":"24362","msgText":";; opcode: QUERY, status: NOERROR, id: 43733\n;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1452\n\n;; QUESTION SECTION:\n;watch-bbbbbb2-noreply.go.dnscheck.tools.\tIN\t AAAA\n\n;; CLIENT: udp:[2400:cb00:20:1024::8d65:4b75]:24362\n;; WHEN: Tue May 31 07:49:52 UTC 2022"}
{"time":1653983393,"proto":"udp","remoteIp":"141.101.64.81","remotePort":"46221","msgText":";; opcode: QUERY, status: NOERROR, id: 53264\n;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1452\n\n;; QUESTION SECTION:\n;watch-bbbbbb1-noreply.go.dnscheck.tools.\tIN\t A\n\n;; CLIENT: udp:141.101.64.81:46221\n;; WHEN: Tue May 31 07:49:53 UTC 2022"}
{"time":1653983393,"proto":"udp","remoteIp":"141.101.64.77","remotePort":"16311","msgText":";; opcode: QUERY, status: NOERROR, id: 49385\n;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1452\n\n;; QUESTION SECTION:\n;watch-bbbbbb1-noreply.go.dnscheck.tools.\tIN\t AAAA\n\n;; CLIENT: udp:141.101.64.77:16311\n;; WHEN: Tue May 31 07:49:53 UTC 2022"}
{"time":1653983393,"proto":"udp","remoteIp":"141.101.64.77","remotePort":"16311","msgText":";; opcode: QUERY, status: NOERROR, id: 49385\n;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1452\n\n;; QUESTION SECTION:\n;watch-bbbbbb1-noreply.go.dnscheck.tools.\tIN\t AAAA\n\n;; CLIENT: udp:141.101.64.77:16311\n;; WHEN: Tue May 31 07:49:53 UTC 2022"}
{"time":1653983393,"proto":"udp","remoteIp":"141.101.64.81","remotePort":"46221","msgText":";; opcode: QUERY, status: NOERROR, id: 53264\n;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1452\n\n;; QUESTION SECTION:\n;watch-bbbbbb1-noreply.go.dnscheck.tools.\tIN\t A\n\n;; CLIENT: udp:141.101.64.81:46221\n;; WHEN: Tue May 31 07:49:53 UTC 2022"}
{"time":1653983394,"proto":"udp","remoteIp":"2400:cb00:20:1024::8d65:404d","remotePort":"37532","msgText":";; opcode: QUERY, status: NOERROR, id: 49385\n;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1452\n\n;; QUESTION SECTION:\n;watch-bbbbbb1-noreply.go.dnscheck.tools.\tIN\t AAAA\n\n;; CLIENT: udp:[2400:cb00:20:1024::8d65:404d]:37532\n;; WHEN: Tue May 31 07:49:54 UTC 2022"}
{"time":1653983394,"proto":"udp","remoteIp":"2400:cb00:20:1024::8d65:4051","remotePort":"43658","msgText":";; opcode: QUERY, status: NOERROR, id: 53264\n;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1452\n\n;; QUESTION SECTION:\n;watch-bbbbbb1-noreply.go.dnscheck.tools.\tIN\t A\n\n;; CLIENT: udp:[2400:cb00:20:1024::8d65:4051]:43658\n;; WHEN: Tue May 31 07:49:54 UTC 2022"}
{"time":1653983394,"proto":"tcp","remoteIp":"2400:cb00:20:1024::8d65:4051","remotePort":"16426","msgText":";; opcode: QUERY, status: NOERROR, id: 53264\n;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1452\n\n;; QUESTION SECTION:\n;watch-bbbbbb1-noreply.go.dnscheck.tools.\tIN\t A\n\n;; CLIENT: tcp:[2400:cb00:20:1024::8d65:4051]:16426\n;; WHEN: Tue May 31 07:49:54 UTC 2022"}
{"time":1653983394,"proto":"tcp","remoteIp":"2400:cb00:20:1024::8d65:404d","remotePort":"26476","msgText":";; opcode: QUERY, status: NOERROR, id: 49385\n;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1452\n\n;; QUESTION SECTION:\n;watch-bbbbbb1-noreply.go.dnscheck.tools.\tIN\t AAAA\n\n;; CLIENT: tcp:[2400:cb00:20:1024::8d65:404d]:26476\n;; WHEN: Tue May 31 07:49:54 UTC 2022"}
{"time":1653983394,"proto":"udp","remoteIp":"2400:cb00:20:1024::8d65:404d","remotePort":"37532","msgText":";; opcode: QUERY, status: NOERROR, id: 49385\n;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1452\n\n;; QUESTION SECTION:\n;watch-bbbbbb1-noreply.go.dnscheck.tools.\tIN\t AAAA\n\n;; CLIENT: udp:[2400:cb00:20:1024::8d65:404d]:37532\n;; WHEN: Tue May 31 07:49:54 UTC 2022"}
{"time":1653983394,"proto":"udp","remoteIp":"2400:cb00:20:1024::8d65:4051","remotePort":"43658","msgText":";; opcode: QUERY, status: NOERROR, id: 53264\n;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1452\n\n;; QUESTION SECTION:\n;watch-bbbbbb1-noreply.go.dnscheck.tools.\tIN\t A\n\n;; CLIENT: udp:[2400:cb00:20:1024::8d65:4051]:43658\n;; WHEN: Tue May 31 07:49:54 UTC 2022"}

mvavrusa · May 31, 2022, 8:15pm

Is it counting delegation lookups etc. ? 1.1.1.1 won’t always exit from the same backend node in a colo if you send multiple queries, so you may see multiple lookups for infra records and keys etc.

If I dig the given domain, I don’t see it sending multiple outbound queries (when the delegation is cached). Also I don’t see any retransmits from AMS.

milk · June 1, 2022, 8:07am

It seems that when the server gives no response, Cloudflare retries the query. How to reproduce:

Open https://dnscheck.tools/watch/hahaha.

Try a noreply query:

dig watch-hahaha-noreply.go.dnscheck.tools txt @8.8.8.8
Results in 2 queries, one IPv4 and one IPv6:

{"time":1654070438,"proto":"udp","remoteIp":"2a00:1450:4013:c00::101","remotePort":"43586","msgText":";; opcode: QUERY, status: NOERROR, id: 37725\n;; flags: cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1400\n; SUBNET: 62.194.157.0/24/0\n\n;; QUESTION SECTION:\n;watch-hahaha-noreply.go.dnscheck.tools.\tIN\t TXT\n\n;; CLIENT: udp:[2a00:1450:4013:c00::101]:43586\n;; WHEN: Wed Jun  1 08:00:38 UTC 2022"}
{"time":1654070439,"proto":"udp","remoteIp":"173.194.170.13","remotePort":"62402","msgText":";; opcode: QUERY, status: NOERROR, id: 13308\n;; flags: cd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1400\n\n;; QUESTION SECTION:\n;watch-hahaha-noreply.go.dnscheck.tools.\tIN\t TXT\n\n;; CLIENT: udp:173.194.170.13:62402\n;; WHEN: Wed Jun  1 08:00:39 UTC 2022"}

dig watch-hahaha-noreply.go.dnscheck.tools txt @1.1.1.1
Results in 5 queries, two IPv4 and three IPv6, of which one is using TCP:

{"time":1654070502,"proto":"udp","remoteIp":"141.101.75.116","remotePort":"9916","msgText":";; opcode: QUERY, status: NOERROR, id: 56758\n;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1452\n\n;; QUESTION SECTION:\n;watch-hahaha-noreply.go.dnscheck.tools.\tIN\t TXT\n\n;; CLIENT: udp:141.101.75.116:9916\n;; WHEN: Wed Jun  1 08:01:42 UTC 2022"}
{"time":1654070503,"proto":"udp","remoteIp":"141.101.75.116","remotePort":"9916","msgText":";; opcode: QUERY, status: NOERROR, id: 56758\n;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1452\n\n;; QUESTION SECTION:\n;watch-hahaha-noreply.go.dnscheck.tools.\tIN\t TXT\n\n;; CLIENT: udp:141.101.75.116:9916\n;; WHEN: Wed Jun  1 08:01:43 UTC 2022"}
{"time":1654070503,"proto":"udp","remoteIp":"2400:cb00:20:1024::8d65:4b74","remotePort":"23272","msgText":";; opcode: QUERY, status: NOERROR, id: 56758\n;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1452\n\n;; QUESTION SECTION:\n;watch-hahaha-noreply.go.dnscheck.tools.\tIN\t TXT\n\n;; CLIENT: udp:[2400:cb00:20:1024::8d65:4b74]:23272\n;; WHEN: Wed Jun  1 08:01:43 UTC 2022"}
{"time":1654070503,"proto":"tcp","remoteIp":"2400:cb00:20:1024::8d65:4b74","remotePort":"39434","msgText":";; opcode: QUERY, status: NOERROR, id: 56758\n;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1452\n\n;; QUESTION SECTION:\n;watch-hahaha-noreply.go.dnscheck.tools.\tIN\t TXT\n\n;; CLIENT: tcp:[2400:cb00:20:1024::8d65:4b74]:39434\n;; WHEN: Wed Jun  1 08:01:43 UTC 2022"}
{"time":1654070504,"proto":"udp","remoteIp":"2400:cb00:20:1024::8d65:4b74","remotePort":"23272","msgText":";; opcode: QUERY, status: NOERROR, id: 56758\n;; flags:; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags: do; udp: 1452\n\n;; QUESTION SECTION:\n;watch-hahaha-noreply.go.dnscheck.tools.\tIN\t TXT\n\n;; CLIENT: udp:[2400:cb00:20:1024::8d65:4b74]:23272\n;; WHEN: Wed Jun  1 08:01:44 UTC 2022"}

This seems like some kind of retry fallback mechanism of when the nameserver is unresponsive. Interesting that only IPv6 uses TCP.

mvavrusa · June 1, 2022, 6:00pm

Yes, that’s roughly how it works. 1.1.1.1 implements retransmits, so you’ll see them when the response doesn’t come back in the expected RTT (based on previous observations). You’ll see TCP for IPv4 as well sometimes as a last resort, it just depends on the order of tried nameservers.

system · July 1, 2022, 6:00pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.