Optimum Online & The Cloudflare Resolver


#1

I’ve had to move back to the Google Resolver for my DNS queries. While that’s not the worst thing in the world, I do like that I have options. Options are good, you providing this service is good. I want to help with that in any way I can. So here are all of the DNS queries that you asked us to run in this thread here.

As you can see, sometimes your resolver just straight up fails. This was hard to diagnose when I put it on my router side, as all clients had the problem so it just looked like the server was down that I was trying to connect to. I discovered the problem when I went somewhere else and the connection there was always perfect. After a while I tracked it down to the 1.1.1.1 and 1.0.0.1 resolver.

$ dig example.com @1.1.1.1

; <<>> DiG 9.11.3-1ubuntu1.1-Ubuntu <<>> example.com @1.1.1.1
;; global options: +cmd
;; connection timed out; no servers could be reached

$ dig example.com @1.0.0.1

; <<>> DiG 9.11.3-1ubuntu1.1-Ubuntu <<>> example.com @1.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51163
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;example.com.			IN	A

;; ANSWER SECTION:
example.com.		10785	IN	A	93.184.216.34

;; Query time: 9 msec
;; SERVER: 1.0.0.1#53(1.0.0.1)
;; WHEN: Thu Sep 13 00:50:41 EDT 2018
;; MSG SIZE  rcvd: 56

$ dig example.com @8.8.8.8

; <<>> DiG 9.11.3-1ubuntu1.1-Ubuntu <<>> example.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44891
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;example.com.			IN	A

;; ANSWER SECTION:
example.com.		4461	IN	A	93.184.216.34

;; Query time: 27 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Sep 13 00:50:41 EDT 2018
;; MSG SIZE  rcvd: 56

$ dig +short CHAOS TXT id.server @1.1.1.1
;; connection timed out; no servers could be reached

$ dig +short CHAOS TXT id.server @1.0.0.1
"EWR"

$ dig @ns3.cloudflare.com whoami.cloudflare.com txt +short
"173.2.52.167"

$ traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  _gateway (192.168.1.1)  0.691 ms  0.677 ms  0.694 ms
 2  10.240.172.5 (10.240.172.5)  16.114 ms  20.606 ms  21.527 ms
 3  67.59.229.170 (67.59.229.170)  21.685 ms  21.718 ms  21.758 ms
 4  167.206.32.124 (167.206.32.124)  22.828 ms 167.206.32.120 (167.206.32.120)  22.720 ms 167.206.32.124 (167.206.32.124)  22.755 ms
 5  64.15.4.108 (64.15.4.108)  23.568 ms 451be0fa.cst.lightpath.net (65.19.99.250)  22.530 ms 451be062.cst.lightpath.net (65.19.99.98)  23.461 ms
 6  64.15.1.94 (64.15.1.94)  24.446 ms 451be0e6.cst.lightpath.net (65.19.120.230)  13.322 ms 64.15.1.94 (64.15.1.94)  12.440 ms
 7  nyiix.as13335.net (198.32.160.195)  17.979 ms  11.759 ms  16.098 ms
 8  one.one.one.one (1.1.1.1)  15.569 ms  14.589 ms  16.466 ms

$ traceroute 1.0.0.1
traceroute to 1.0.0.1 (1.0.0.1), 30 hops max, 60 byte packets
 1  openrg.home (192.168.1.1)  1.011 ms  1.010 ms  1.003 ms
 2  10.240.172.5 (10.240.172.5)  11.112 ms  11.165 ms  10.111 ms
 3  67.59.229.168 (67.59.229.168)  11.312 ms  11.771 ms  11.763 ms
 4  167.206.32.126 (167.206.32.126)  17.329 ms  17.805 ms 167.206.32.122 (167.206.32.122)  18.138 ms
 5  451be060.cst.lightpath.net (65.19.99.96)  18.130 ms 64.15.4.106 (64.15.4.106)  17.847 ms  18.061 ms
 6  64.15.0.84 (64.15.0.84)  18.198 ms 64.15.1.94 (64.15.1.94)  13.442 ms rtr102-hu0-4-0-1.in.nycmnyzr.cv.net (64.15.0.74)  12.477 ms
 7  nyiix.as13335.net (198.32.160.195)  14.718 ms  11.783 ms  15.594 ms
 8  one.one.one.one (1.0.0.1)  10.873 ms  15.253 ms  17.249 ms

$ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  myrouter.optimum.net.home (192.168.1.1)  0.570 ms  0.556 ms  0.549 ms
 2  10.240.172.5 (10.240.172.5)  9.857 ms  10.832 ms  10.924 ms
 3  67.59.229.168 (67.59.229.168)  10.963 ms  14.352 ms  15.470 ms
 4  167.206.32.122 (167.206.32.122)  18.445 ms  17.181 ms 167.206.32.126 (167.206.32.126)  16.331 ms
 5  451be068.cst.lightpath.net (65.19.99.104)  16.562 ms 451be062.cst.lightpath.net (65.19.99.98)  15.421 ms 451be060.cst.lightpath.net (65.19.99.96)  16.592 ms
 6  64.15.1.88 (64.15.1.88)  16.581 ms 64.15.5.82 (64.15.5.82)  18.479 ms 64.15.3.182 (64.15.3.182)  15.343 ms
 7  72.14.215.203 (72.14.215.203)  15.913 ms  11.557 ms  12.022 ms
 8  * * 108.170.248.97 (108.170.248.97)  13.059 ms
 9  216.239.42.164 (216.239.42.164)  14.104 ms 108.170.237.206 (108.170.237.206)  16.349 ms 209.85.253.188 (209.85.253.188)  17.595 ms
10  108.170.238.201 (108.170.238.201)  18.272 ms 72.14.238.91 (72.14.238.91)  19.006 ms 209.85.243.19 (209.85.243.19)  18.319 ms
11  google-public-dns-a.google.com (8.8.8.8)  18.028 ms  17.590 ms  18.174 ms

$ traceroute 8.8.4.4
traceroute to 8.8.4.4 (8.8.4.4), 30 hops max, 60 byte packets
 1  myrouter.optimum.net.home (192.168.1.1)  0.758 ms  0.743 ms  0.734 ms
 2  10.240.172.5 (10.240.172.5)  8.346 ms  13.596 ms  14.387 ms
 3  67.59.229.168 (67.59.229.168)  14.489 ms  14.526 ms  14.591 ms
 4  167.206.32.126 (167.206.32.126)  14.629 ms  15.459 ms 167.206.32.122 (167.206.32.122)  15.499 ms
 5  64.15.4.82 (64.15.4.82)  15.248 ms 451be06a.cst.lightpath.net (65.19.99.106)  15.477 ms 451be060.cst.lightpath.net (65.19.99.96)  15.516 ms
 6  64.15.4.230 (64.15.4.230)  16.364 ms 451be0c2.cst.lightpath.net (65.19.120.194)  14.596 ms 64.15.0.76 (64.15.0.76)  14.722 ms
 7  * * 74.125.48.24 (74.125.48.24)  10.972 ms
 8  * * *
 9  209.85.243.193 (209.85.243.193)  12.101 ms 108.170.227.208 (108.170.227.208)  18.489 ms 209.85.253.188 (209.85.253.188)  15.808 ms
10  209.85.241.53 (209.85.241.53)  17.266 ms 216.239.47.125 (216.239.47.125)  17.198 ms 209.85.246.195 (209.85.246.195)  17.284 ms
11  google-public-dns-b.google.com (8.8.4.4)  17.269 ms  16.837 ms  16.832 ms


$ dig +tcp @1.1.1.1 id.server CH TXT

; <<>> DiG 9.11.3-1ubuntu1.1-Ubuntu <<>> +tcp @1.1.1.1 id.server CH TXT
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39656
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;id.server.			CH	TXT

;; ANSWER SECTION:
id.server.		0	CH	TXT	"EWR"

;; Query time: 25 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Sep 13 00:54:03 EDT 2018
;; MSG SIZE  rcvd: 54


$ dig +tcp @1.0.0.1 id.server CH TXT

; <<>> DiG 9.11.3-1ubuntu1.1-Ubuntu <<>> +tcp @1.0.0.1 id.server CH TXT
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 986
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;id.server.			CH	TXT

;; ANSWER SECTION:
id.server.		0	CH	TXT	"EWR"

;; Query time: 12 msec
;; SERVER: 1.0.0.1#53(1.0.0.1)
;; WHEN: Thu Sep 13 00:54:09 EDT 2018
;; MSG SIZE  rcvd: 54

$ openssl s_client -connect 1.1.1.1:853
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
verify return:1
depth=0 C = US, ST = CA, L = San Francisco, O = "Cloudflare, Inc.", CN = *.cloudflare-dns.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=CA/L=San Francisco/O=Cloudflare, Inc./CN=*.cloudflare-dns.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert ECC Secure Server CA
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert ECC Secure Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
subject=/C=US/ST=CA/L=San Francisco/O=Cloudflare, Inc./CN=*.cloudflare-dns.com
issuer=/C=US/O=DigiCert Inc/CN=DigiCert ECC Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2631 bytes and written 269 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
    Session-ID: 58340CAD6A4B553AC4B244B862511735928CD1515D3D16B6586A2EFF0CD54006
    Session-ID-ctx: 
    Master-Key: 89512A35F8B2DBD5C4D1C89E1531911332BECC46BB2607CB396EC5522BD550417E20E177C93BB33288AB8C5FEABF61EB
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 21600 (seconds)
    TLS session ticket:

    Start Time: 1536814461
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
closed

$ openssl s_client -connect 1.0.0.1:853
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
verify return:1
depth=0 C = US, ST = CA, L = San Francisco, O = "Cloudflare, Inc.", CN = *.cloudflare-dns.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=CA/L=San Francisco/O=Cloudflare, Inc./CN=*.cloudflare-dns.com
   i:/C=US/O=DigiCert Inc/CN=DigiCert ECC Secure Server CA
 1 s:/C=US/O=DigiCert Inc/CN=DigiCert ECC Secure Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
subject=/C=US/ST=CA/L=San Francisco/O=Cloudflare, Inc./CN=*.cloudflare-dns.com
issuer=/C=US/O=DigiCert Inc/CN=DigiCert ECC Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2631 bytes and written 269 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
    Session-ID: 271FB4BB975C3D16183AE01AD2DF1C9BE7862CD56E9FE6D959A7D4F7E61B7FE5
    Session-ID-ctx: 
    Master-Key: 7AEA36A28BB07F90233541105E347EFE7DD9EF5904523544CA681E68A4ECF949D15D08DDE66F0BAB1033389356219E86
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 21600 (seconds)
    TLS session ticket:

    Start Time: 1536814470
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
closed

$ kdig +tls @1.1.1.1 id.server CH TXT
;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 35880
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1452 B; ext-rcode: NOERROR
;; PADDING: 410 B

;; QUESTION SECTION:
;; id.server.          		CH	TXT

;; ANSWER SECTION:
id.server.          	0	CH	TXT	"EWR"

;; Received 468 B
;; Time 2018-09-13 00:54:57 EDT
;; From 1.1.1.1@853(TCP) in 9.8 ms

$ kdig +tls @1.0.0.1 id.server CH TXT
;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 16369
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 1452 B; ext-rcode: NOERROR
;; PADDING: 410 B

;; QUESTION SECTION:
;; id.server.          		CH	TXT

;; ANSWER SECTION:
id.server.          	0	CH	TXT	"EWR"

;; Received 468 B
;; Time 2018-09-13 00:55:04 EDT
;; From 1.0.0.1@853(TCP) in 11.0 ms

$ curl -v 'https://1.1.1.1/dns-query?ct=application/dns-json&name=cloudflare.com'
*   Trying 1.1.1.1...
* TCP_NODELAY set
* Connected to 1.1.1.1 (1.1.1.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=*.cloudflare-dns.com
*  start date: Mar 30 00:00:00 2018 GMT
*  expire date: Mar 25 12:00:00 2020 GMT
*  subjectAltName: host "1.1.1.1" matched cert's IP address!
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert ECC Secure Server CA
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5610088c98e0)
> GET /dns-query?ct=application/dns-json&name=cloudflare.com HTTP/2
> Host: 1.1.1.1
> User-Agent: curl/7.58.0
> Accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200 
< date: Thu, 13 Sep 2018 04:55:31 GMT
< content-type: application/dns-json
< content-length: 289
< access-control-allow-origin: *
< cache-control: max-age=230
< server: cloudflare-nginx
< cf-ray: 459805a2fda49230-EWR
< 
* Connection #0 to host 1.1.1.1 left intact
{"Status": 0,"TC": false,"RD": true, "RA": true, "AD": true,"CD": false,"Question":[{"name": "cloudflare.com.", "type": 1}],"Answer":[{"name": "cloudflare.com.", "type": 1, "TTL": 230, "data": "198.41.214.162"},{"name": "cloudflare.com.", "type": 1, "TTL": 230, "data": "198.41.215.162"}]}

#2

This is an issue with your local network or ISP. It’s sadly fairly common for networking hardware to use 1.1.1.1 as an internal address despite it not being assigned as such by the IANA. As we identify networks, ISPs, and hardware manufacturers who do this we reach out and are generally able to work with them to fix their configurations. The clear evidence that that is the issue in this case is 1.0.0.1 working, while 1.1.1.1 does not. They resolve to the same machines on our end, but evidently not by your particular networking setup.
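
Added example, not part of the reply above and not Cloudflare's own tooling: a small sh script that repeats the thread's `id.server` probe against both addresses over UDP and TCP and reports, per transport, whether only one of the two fails. The function names and the `LIVE` switch are this example's own assumptions.

```shell
#!/bin/sh
# Added example: compare 1.1.1.1 and 1.0.0.1 on port 53, one transport at a time.

# classify OUTPUT -> "timeout", "site:<code>" for a quoted TXT answer, else "other"
classify() {
  case "$1" in
    *"connection timed out"*) echo "timeout" ;;
    \"*\") echo "site:$(printf '%s' "$1" | tr -d '"')" ;;
    *) echo "other" ;;
  esac
}

# up RESULT -> success only when the resolver returned its site code
up() { case "$1" in site:*) return 0 ;; *) return 1 ;; esac; }

# compare RESULT_A RESULT_B -> which of the two addresses failed on this transport
compare() {
  if up "$1" && up "$2"; then echo "both-answer"
  elif up "$2"; then echo "only-first-fails"
  elif up "$1"; then echo "only-second-fails"
  else echo "both-fail"
  fi
}

# probe ADDR udp|tcp -> classification of one live id.server query
probe() {
  opt="+notcp"
  if [ "$2" = tcp ]; then opt="+tcp"; fi
  classify "$(dig +short +time=2 +tries=1 "$opt" CHAOS TXT id.server "@$1" 2>&1)"
}

main() {
  a=${1:-1.1.1.1}; b=${2:-1.0.0.1}
  for t in udp tcp; do
    ra=$(probe "$a" "$t"); rb=$(probe "$b" "$t")
    printf '%s/53  %s=%s  %s=%s  -> %s\n' \
      "$t" "$a" "$ra" "$b" "$rb" "$(compare "$ra" "$rb")"
  done
}

# Live queries run only on request (LIVE=1), so the helpers can be used offline.
if [ "${LIVE:-0}" = 1 ]; then main "$@"; fi
```

With the results posted in #1, the UDP row would read `only-first-fails` and the TCP row `both-answer`.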


#3

FWIW, I’m having the same issue, also on Optimum Online.


#4

I posted about this a while ago and gave up. Thank you for making some noise regarding this. Maybe this issue will get more attention now.