Problem in handling DNS lookups by Cloudflare nameserver

We are migrating the website idea.rs to our server and will be using Cloudflare with it. While checking the DNS records we came across a strange problem in the handling of DNS lookups by the Cloudflare nameserver.

The problem arises with the record “testmail.idea.rs” which is an alias (CN record) for mail.agrokor.hr. Resolving it to mail.agrokor.hr via Cloudflare DNS servers works OK, but I get an additional error related to mail.agrokor.hr.

Host mail.agrokor.hr.studioartlan.com not found: 5(REFUSED)

Here’s the complete output:

[~]# host testmail.idea.rs kim.ns.cloudflare.com
Using domain server:
Name: kim.ns.cloudflare.com
Address: 173.245.58.126#53
Aliases:

testmail.idea.rs is an alias for mail.agrokor.hr.
Host mail.agrokor.hr.studioartlan.com not found: 5(REFUSED)
Host mail.agrokor.hr.studioartlan.com not found: 5(REFUSED)

When I do the same lookup via Google nameserver everything works OK:

[~]# host testmail.idea.rs 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:

testmail.idea.rs is an alias for mail.agrokor.hr.
mail.agrokor.hr has address 194.126.214.134

It’s odd that when doing the lookup via CF nameserver the suffix “studioartlan.com” (the domain of the server from which I’m doing the lookup) gets appended to “mail.agrokor.hr” - it seems CF nameserver is trying to do a lookup for mail.agrokor.hr.studioartlan.com while it should do a lookup for mail.agrokor.hr, as the Google nameserver does.

Furthermore, if I try to look up “mail.agrokor.hr” directly, and add a dot at the end of the hostname, the suffix “studioartlan.com” doesn’t get appended, but I still get the “5(REFUSED)” error:

[~]# host mail.agrokor.hr. kim.ns.cloudflare.com
Using domain server:
Name: kim.ns.cloudflare.com
Address: 173.245.58.126#53
Aliases:

Host mail.agrokor.hr not found: 5(REFUSED)

Again, if I try the same thing via Google nameserver, everything works OK:

[~]# host mail.agrokor.hr. 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:

mail.agrokor.hr has address 194.126.214.134

Does anyone have any idea what might be the source of this problem? How can we fix it? Is it a bug in Cloudflare nameservers?

Thanks.

:wave: @xmak,

You are attempting a recursive DNS query on an authoritative nameserver. It is the job of the Cloudflare nameserver you are querying to resolve hosts for domains it controls, not to resolve 3rd party domains.

— OG

Thank you for the answer.

Two things still puzzle me:

  • why does the CF nameserver append the suffix “studioartlan.com” to “mail.agrokor.hr” when doing the lookup? (while the Google nameserver doesn’t)
  • why does the lookup for testmail.idea.rs work without an error when using Google nameserver, but it gives the error when using the CF nameserver?

Thanks

Both answers are in @OliverGrant’s response. That nameserver simply is not to be used for this lookup. Considering this, it is irrelevant what Cloudflare returns in this context.

Thanks for the clarification @sandro.

In this context, what’s the difference between nameservers like 1.1.1.1 or 8.8.8.8 (which give the response for this recursive lookup), and kim.ns.cloudflare.com (which refuses the recursive lookup)?

Thank you.

Here we go

Thanks for the link.

If I understood correctly, 1.1.1.1 and 8.8.8.8 are recursive nameservers and therefore they respond to lookups for any domain, while kim.ns.cloudflare.com, being an authoritative nameserver, responds only to lookups for domains it controls.

Did I get it right?


You did, except that you named the recursive nameservers incorrectly, but I’d call this a glorified typo.
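
The distinction settled in this thread is visible in the DNS response header: a recursive resolver sets the RA (recursion available) flag, while an authoritative-only server leaves RA clear, sets AA for zones it hosts, and returns RCODE 5 (REFUSED) for anything else. The Python below is an added example, not part of the original posts; it decodes those flags from constructed sample responses modelled on the `host` outputs quoted above (the response bytes and the TTL are assumptions, not captures).

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """Encode a hostname as length-prefixed labels (RFC 1035)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qid=0x1234, rd=True, qtype=1):
    """One-question query; RD set means 'please recurse for me'."""
    header = struct.pack("!6H", qid, 0x0100 if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!2H", qtype, 1)

def parse_header(msg):
    """Decode the header fields that separate the two server roles."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "answers": an}

def classify(msg):
    """Name the situation a response header describes."""
    h = parse_header(msg)
    if not h["qr"]:
        return "not a response"
    if h["rcode"] == "REFUSED" and h["rd"] and not h["ra"]:
        return "refused: recursion requested, server does not offer it"
    if h["rcode"] == "NOERROR" and h["aa"]:
        return "authoritative answer for a zone the server hosts"
    if h["rcode"] == "NOERROR" and h["ra"]:
        return "answer obtained by a recursive resolver"
    return "other: " + h["rcode"]

def sample_response(query, flags, rtype=None, rdata=b"", ttl=300):
    """Constructed reply: echo the question, set flags, add at most one RR."""
    answer = b""
    if rtype is not None:  # owner name is a pointer to the question (0xC00C)
        answer = b"\xc0\x0c" + struct.pack("!2HIH", rtype, 1, ttl, len(rdata)) + rdata
    header = query[:2] + struct.pack("!5H", flags, 1, 1 if answer else 0, 0, 0)
    return header + query[12:] + answer

# Constructed samples modelled on the outputs quoted in the thread (TTL assumed).
Q_MAIL = build_query("mail.agrokor.hr.")
FROM_AUTH_ONLY = sample_response(Q_MAIL, 0x8105)  # QR, RD echoed, RCODE 5
FROM_RESOLVER = sample_response(Q_MAIL, 0x8180, 1, bytes([194, 126, 214, 134]))
FROM_OWN_ZONE = sample_response(build_query("testmail.idea.rs."), 0x8500,
                                5, encode_name("mail.agrokor.hr."))  # CNAME
```

Calling `classify()` on each of the three samples returns the refused, recursive and authoritative cases respectively.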

Great!

Corrected the typo.

Thank you @sandro, @OliverGrant.
