My authoritative NS is unresolvable through 1.1.1.1

Hello,

I have my own DNS server for a few domains and recently I discovered that I am unable to resolve these domains through 1.1.1.1.

As an example try dig @1.1.1.1 dancs.sk A. It does not work. Going straight using my NS 185.160.111.248 works absolutely fine, as well as from my secondary NS 144.91.83.46, and Google’s DNS has no problem with it either, at 8.8.8.8 or 8.8.4.4.

Is there any way of debugging the 1.1.1.1 resolver so I can understand why my DNS server is not picked up by Cloudflare and why it does not want to resolve my records? Maybe my IPs are blocked somewhere in Cloudflare’s systems or it does not consider my DNS authoritative?

Thanks!

Welcome to the community!

I can perfectly resolve your domain using 1.1.1.1:

$ dig @1.1.1.1 dancs.sk A

; <<>> DiG 9.18.7-1-Debian <<>> @1.1.1.1 dancs.sk A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47163
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;dancs.sk.			IN	A

;; ANSWER SECTION:
dancs.sk.		3600	IN	A	185.160.111.248

;; Query time: 787 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Sun Sep 25 14:03:17 CEST 2022
;; MSG SIZE  rcvd: 53

I would suggest that you restart your device, or even your router (if you can). Something similar happened to me with a domain, and restarting the router fixed the problem for me.

Hope it helps!

Instead of what you get I get this:

; <<>> DiG 9.10.6 <<>> @1.1.1.1 dancs.sk A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 8188
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; OPT=15: 00 09 6e 6f 20 53 45 50 20 6d 61 74 63 68 69 6e 67 20 74 68 65 20 44 53 20 66 6f 75 6e 64 20 66 6f 72 20 64 61 6e 63 73 2e 73 6b 2e ("..no SEP matching the DS found for dancs.sk.")
; OPT=15: 00 16 74 69 6d 65 20 6c 69 6d 69 74 20 65 78 63 65 65 64 65 64 ("..time limit exceeded")
;; QUESTION SECTION:
;dancs.sk.			IN	A

;; Query time: 1603 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sun Sep 25 14:06:57 CEST 2022
;; MSG SIZE  rcvd: 110

Have you tried the suggestions above? Those should clear your DNS cache. Thanks.

Sorry, yes I have. Also tried multiple devices, from multiple internet connections (broadband in two countries, LTE). Also tried manually flushing DNS cache. I still cannot resolve the domains from 1.1.1.1.

Ok. Can you resolve other domains through 1.1.1.1? Can you resolve your domain through 162.159.36.1?

I can resolve anything else through 1.1.1.1 but my own domains. Through 162.159.36.1 I can resolve other domains but my own (essentially the same behavior as with 1.1.1.1).

I refreshed my DNS records for the main domain at my registrar and now I am able to at least resolve the IP for my main NS through 1.1.1.1:

dig @1.1.1.1 ns.moowdesign.eu

; <<>> DiG 9.10.6 <<>> @1.1.1.1 ns.moowdesign.eu
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32207
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;ns.moowdesign.eu.		IN	A

;; ANSWER SECTION:
ns.moowdesign.eu.	2469	IN	A	185.160.111.248

;; Query time: 35 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sun Sep 25 14:39:05 CEST 2022
;; MSG SIZE  rcvd: 61

Update: I have tried a newer version of dig and I get the Cloudflare EDE codes now, so more info:

; EDE: 9 (DNSKEY Missing): (no SEP matching the DS found for dancs.sk.)
; EDE: 22 (No Reachable Authority): (time limit exceeded)

and some other domains report this:

; EDE: 22 (No Reachable Authority)
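
Added example, not part of the original thread: the raw `OPT=15` lines that dig 9.10.6 printed above are EDNS Extended DNS Error options (RFC 8914), a 2-byte INFO-CODE followed by optional UTF-8 EXTRA-TEXT, and this Python sketch decodes them into the same codes the newer dig shows. The function names and the abbreviated code table are assumptions made for the example; the sample input is the two option lines quoted in the thread.

```python
import re

# Subset of the RFC 8914 INFO-CODE registry (abbreviated for the example).
EDE_NAMES = {6: "DNSSEC Bogus", 7: "Signature Expired", 9: "DNSKEY Missing",
             10: "RRSIGs Missing", 22: "No Reachable Authority", 23: "Network Error"}
# INFO-CODEs that RFC 8914 defines for DNSSEC validation problems.
DNSSEC_CODES = {1, 2, 5, 6, 7, 8, 9, 10, 11, 12}

# Matches the hex dump older dig versions print for an option they cannot name.
OPT15 = re.compile(r"^;\s*OPT=15:\s*((?:[0-9a-fA-F]{2}\s+)*[0-9a-fA-F]{2})(?=\s|$)")

# The two option lines from the SERVFAIL response quoted in the thread.
SAMPLE = '''\
; EDNS: version: 0, flags:; udp: 1232
; OPT=15: 00 09 6e 6f 20 53 45 50 20 6d 61 74 63 68 69 6e 67 20 74 68 65 20 44 53 20 66 6f 75 6e 64 20 66 6f 72 20 64 61 6e 63 73 2e 73 6b 2e ("..no SEP matching the DS found for dancs.sk.")
; OPT=15: 00 16 74 69 6d 65 20 6c 69 6d 69 74 20 65 78 63 65 65 64 65 64 ("..time limit exceeded")
'''


def decode_ede(option_data: bytes):
    """Decode one EDE option body into (code, name, is_dnssec, extra_text)."""
    if len(option_data) < 2:
        raise ValueError("EDE option needs a 2-byte INFO-CODE")
    code = int.from_bytes(option_data[:2], "big")
    # EXTRA-TEXT may be empty and may or may not be NUL-terminated.
    text = option_data[2:].decode("utf-8", errors="replace").rstrip("\x00")
    return code, EDE_NAMES.get(code, "unknown"), code in DNSSEC_CODES, text


def ede_from_dig(output: str):
    """Collect every OPT=15 line in dig output and decode it."""
    results = []
    for line in output.splitlines():
        match = OPT15.match(line.strip())
        if match:
            results.append(decode_ede(bytes.fromhex(match.group(1))))
    return results


if __name__ == "__main__":
    for code, name, is_dnssec, text in ede_from_dig(SAMPLE):
        kind = "DNSSEC validation" if is_dnssec else "other"
        print(f"EDE {code} ({name}) [{kind}]: {text}")
```

A DNSSEC-class code alongside a SERVFAIL means the resolver could not validate the zone, which is why a non-validating query straight to the authoritative server can still answer.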

Can you provide the debug URL output of this on the network you’re experiencing this?
