I’m with the users and not the MVPs on this one as well. I’ve signed up just to post my tiddly bit on the subject. I too have had to stop using Cloudflare DNS because it doesn’t work. My Bank is called ‘Cahoot’ and you get to its online banking by going to https://secure.cahoot.com/ but of course, you never do using Cloudflare’s DNS servers while everyone else’s DNS works properly. Cloudflare’s DNS also doesn’t work for a load of sites on an Android Pie phone when you enable ‘Private DNS’ and use their ‘1dot1dot1dot1.Cloudflare-dns.com’ hostname in connection settings. There’s none so blind as those who cannot see.
“The users”? So far one suggested Cloudflare should not follow the security protocol but instead resolve randomly.
Your bank also seems to have DNS issues -> http://dnsviz.net/d/lbi.santander.uk/dnssec/
I find that argument somewhat curious and wonder if you were also fine with your browser accepting an invalid HTTPS certificate simply because your bank configured a self-signed certificate and - you know - the browser shouldn’t break the user experience.
“Curious” is it? Yes, “The Users” - the poor people who at the end of the day try to use your DNS servers and who have been forced to abandon that use. The practical aspect of the discussion should be directed towards how Cloudflare is to resolve the problem that others haven’t got. What I am saying is that it won’t be solved by intransigence and burying their head in the sand while screaming “I’m right”.
I am going to continue to do my online banking using Mr Google’s (or whoever else’s) DNS servers no matter how many times you shoot yourselves in the foot - is that a clear enough message from a “User” or not “Mr Techies”? I’m not buying anything from you!
Why not record all unsuccessful DNS queries for a period and feed them to other DNS servers to see if they get resolved. Then you’d have a list of exceptions, errors or however you define it. Maybe then you could have exceptions for those sites or at least a procedure of some kind to ‘nudge’ those you deem miscreants into changing their ways or to alleviate the problem. I simply don’t understand ostrich-like behaviour that damages a company’s revenue stream. You may well be right but that will do you no good at all when you are reminiscing on unemployment benefit. Get a work-around in place and move on before word gets out and it ruins your business.
So you’d be in favour of browsers creating “exceptions” and accepting self-signed certificates?
Poor? Forced? Aren’t we exaggerating a bit? It’s not like there isn’t plenty of choice if they do not like Cloudflare and/or can’t work with it.
I don’t think Cloudflare is burying their head in the sand insisting on their point of view. What it comes down to is whether the domains in question have a valid setup or not and so far it would seem they do not.
I wouldn’t want to call myself the ultimate DNS expert, so I’d like to tread a bit carefully and if somebody can make a convincing point*) that Cloudflare should actually resolve these domains according to DNSSEC, I’d be perfectly happy to accept that but until then it seems Cloudflare is doing the right - albeit strict - thing.
Maybe @mnordhoff can elaborate on whether there is any room for interpretation or not.
*) And no, “others do it” is not a convincing argument
santander.uk don’t use DNSSEC. I’m not sure why you’re having resolution problems, but it’s not for the reason being discussed in this thread.
(They do seem to drop queries for most query names and types, which is a classic and critical GSLB bug.)
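The "drops queries for most query names and types" symptom mentioned above is easy to confirm from the outside: ask the authoritative server directly for several record types and see which ones come back and which ones silently time out. The script below is an added example for this thread, not code from Cloudflare, Knot Resolver or any poster; it builds raw DNS queries over UDP with only the standard library, so it works without dnspython. The nameserver address and domain are command-line arguments (look them up with `dig NS <domain>` and `dig A <nameserver>`); the `classify` labels and the set of probed record types are my own choices.

```python
import secrets
import socket
import struct

# Query types to probe. A healthy authoritative server answers every one of
# them (NOERROR, possibly with an empty answer section); an appliance that only
# knows how to hand out A records for a few names tends to drop the rest.
QTYPES = {"A": 1, "NS": 2, "SOA": 6, "TXT": 16, "AAAA": 28, "DNSKEY": 48}

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def build_query(qname, qtype, txid=None):
    """Encode a minimal RFC 1035 query: 12-byte header plus one question.
    RD is left clear, as a resolver talking to an authoritative server would."""
    if txid is None:
        txid = secrets.randbelow(65536)  # unpredictable ID, like a real resolver
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    question = b""
    for label in qname.rstrip(".").split("."):
        question += struct.pack("!B", len(label)) + label.encode("ascii")
    question += b"\x00" + struct.pack("!HH", QTYPES[qtype], 1)  # class IN
    return header + question


def parse_rcode(response, expected_txid):
    """Return the RCODE name of a response, or None if it is not a reply
    to our query (short packet, wrong ID, or QR bit not set)."""
    if len(response) < 12:
        return None
    txid, flags = struct.unpack("!HH", response[:4])
    if txid != expected_txid or not flags & 0x8000:
        return None
    rcode = flags & 0x000F
    return RCODES.get(rcode, "RCODE%d" % rcode)


def probe(ns_ip, qname, qtypes=QTYPES, timeout=2.0):
    """Send one UDP query per type directly to the server at ns_ip and
    return {qtype: outcome}: an RCODE name, 'TIMEOUT' when the server stays
    silent, or 'BADRESP' for a packet that is not a matching reply."""
    results = {}
    for qtype in qtypes:
        txid = secrets.randbelow(65536)
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(qname, qtype, txid), (ns_ip, 53))
            data, _ = sock.recvfrom(4096)
            results[qtype] = parse_rcode(data, txid) or "BADRESP"
        except socket.timeout:
            results[qtype] = "TIMEOUT"
        finally:
            sock.close()
    return results


def classify(results):
    """Summarise a probe: 'healthy' if everything got an answer, 'unreachable'
    if nothing did, 'drops-non-A' for the load-balancer pattern where only A
    queries are answered and the rest silently time out, 'partial' otherwise."""
    silent = {q for q, r in results.items() if r == "TIMEOUT"}
    if not silent:
        return "healthy"
    if len(silent) == len(results):
        return "unreachable"
    if silent == set(results) - {"A"}:
        return "drops-non-A"
    return "partial"


if __name__ == "__main__":
    import sys
    # Usage: python probe_ns.py <nameserver IP> <domain>
    ns_ip, qname = sys.argv[1], sys.argv[2]
    res = probe(ns_ip, qname)
    for qtype, outcome in res.items():
        print("%-7s %s" % (qtype, outcome))
    print("verdict:", classify(res))
```

A timeout is the interesting outcome here: a server that returns REFUSED or NXDOMAIN for a type it does not serve is still behaving like DNS, whereas one that simply never replies forces every recursive resolver to wait out its retry budget, and a validating resolver cannot even establish that the zone is unsigned without an answer to the DNSKEY or SOA query.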
Okay, I split out this sub-thread into a new thread. I hope that is alright.
There’s already another thread about this issue from more than a year ago, but this one was talking about a couple different issues, and getting kind of heated, so I didn’t want to drop these six posts on the 2018 OP.
It’s unfortunate that Santander has not fixed their nameservers.
It’s possible that Cloudflare or Knot Resolver can do something about it, but the domain’s authoritative nameservers are seriously bad.
Are you having issues resolving other domains? If so, which ones? Maybe post them here or start a new thread?
Are you having issues with the 1.1.1.1 Android app? If so, can you explain? Though I personally don’t know a thing about debugging them.
In theory 1.1.1.1 is supposed to be a secure and validating resolver. Now it may be that the rest of the world has put in workarounds for Santander Bank because they’re large and the entities hosting the resolvers are willing to sacrifice security and standards for the sake of convenience… and perhaps Cloudflare will eventually relent and do the same. And perhaps that will ultimately be the most expedient solution for end users who want things to “work” regardless of whether the answers received are valid or secure. But maybe, just maybe there are a few Santander customers who find it unacceptable that the foundation of the internet presence for the bank which holds their checking, savings and investments is fundamentally broken and they’ll try to actually hold the corporation which owes them a fiduciary responsibility accountable for providing a nominally working internet presence.
www.cahoot.com doesn’t even render a marginally usable website on my machine because of mixed content issues… lol. I’d rather keep my money in a mattress.
Forgot to add: Cloudflare has posted with numerous other domains that they have reached out to the technical contacts for those domains when issues are reported. Occam’s Razor would seem to make it much more likely Santander knows and just doesn’t care enough to fix it.
At the end of the day it’s a decision between “use Bank X” vs. “use Cloudflare DNS”. It is very easy to change my DNS servers, however changing my bank account is a mega hassle. So it seems Cloudflare will lose most of these users, which may be ok for them. Maybe they are looking for security-minded customers only?
However, if they do, they may be in for a rude awakening. In security things aren’t quite so easy. You could be following all protocols and still have an insecure site. Security-minded people make a decision based on threat scenarios. There is no realistic threat scenario with those broken DNS servers, which would compromise my bank account. But there are all kinds of threat scenarios with online banking in general. For example, I am using a bank that allows me to perform secure transactions with a dedicated hardware key. I am not going to switch to a bank with, say, mobile TANs just because they have a correct DNS setup.