Security.cloudflare-dns.com down?

I was using DoH via security.cloudflare-dns.com, and my DNS forwarder can no longer connect.

msg="failed to connect to an HTTPS backend "https://security.cloudflare-dns.com/dns-query""

Is this URL down/broken?

Thanks.


It’s not working for me either. Had to go back to https://1.1.1.1/dns-query in the meantime. I even tried https://1.1.1.2/dns-query with no luck.

Bump.

security.cloudflare-dns.com:

Error 1000: DNS points to prohibited IP

1.1.1.2:

Error code: SSL_ERROR_NO_CYPHER_OVERLAP

Not intended to work as a website.

Not a DoH endpoint.

To test, one might try the command below.

curl -H 'accept: application/dns-json' 'https://security.cloudflare-dns.com/dns-query?name=example.com&type=AAAA'

That’s… how DoH works. I get the exact same error using cURL.

$ curl -H 'accept: application/dns-json' 'https://security.cloudflare-dns.com/dns-query?name=example.com&type=AAAA'
<!DOCTYPE html>
<!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->
<!--[if IE 7]>    <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->
<!--[if IE 8]>    <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]-->
<head>
<title>DNS points to prohibited IP | security.cloudflare-dns.com | Cloudflare</title>
...

1.1.1.1 is, and I use it to seed the A/AAAA records for cloudflare-dns.com normally. network.trr.bootstrapAddress in Firefox.

1.1.1.2 is not. There’s no SSL certificate issued for 1.1.1.2, and it is not included in the setup instructions as a DoH endpoint.

Got it. Regardless, DoH does seem to be broken for security.cloudflare-dns.com.

@cscharff It was posted that it was a DoH endpoint:

FAQ

  • Does 1.1.1.1 for Families support DNS over HTTPS?
    • Yes, to block malware, use security.cloudflare-dns.com, to block malware & adult content, use family.cloudflare-dns.com.

Sorry, I think the confusion here is my fault. @cscharff was saying that 1.1.1.2 isn’t a DoH endpoint; he wasn’t talking about security.cloudflare-dns.com.

The issue here is that security.cloudflare-dns.com is down. DoH requests to it fail. @cscharff indicated that receiving a cryptic error when visiting it in a browser is to be expected; however, it’s the same error message that’s received when attempting to query it via DoH, which is why I quoted it. It’s easier to read in a web browser than with cURL, since it’s HTML.

@cscharff, security.cloudflare-dns.com is most certainly down, at least when hitting EWR. That 1000 error is the same one I receive when I use cURL.


Correct.

Thanks for the report… I’ll ask someone to check EWR. It’s working for me against DFW, and other folks who tested in other geos haven’t reported an issue.


I can confirm it’s working for me from IAD. Here’s an EWR ray that failed: 57fd02d5493ee71c

Thanks to you both! Here’s the one that failed for me. Ray ID: 57fd105f19f5f778

It seems to be working at LAX for me with Firefox but not cloudflared on my pihole.

Seems to have been fixed for me now.


Sorry, I spoke too soon. While https://security.cloudflare-dns.com now gives a valid page, https://security.cloudflare-dns.com/dns-query does not give any valid DNS responses.


Well now https://security.cloudflare-dns.com doesn’t even give a valid page:

Error 1000 Ray ID: 5804c27b5b75c7d5 • 2020-04-07 15:25:10 UTC

DNS points to prohibited IP

Expected. Not a web page.

time="2020-04-07T09:33:19-06:00" level=error msg="failed to connect to an HTTPS backend \"https://security.cloudflare-dns.com/dns-query\"" error="failed to perform an HTTPS request: Post https://security.cloudflare-dns.com/dns-query: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)"
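
Added example, not part of the thread or Cloudflare's code: a Python check that separates the failure modes seen above (a JSON DNS answer, the HTML Error 1000 page, and a connection timeout) for the same query the curl command sends. The function names, verdict labels and sample responses are constructed for illustration, and the 403 status on the HTML sample is an assumption.

```python
import json, re, urllib.error, urllib.request

DOH_URL = "https://security.cloudflare-dns.com/dns-query"  # endpoint from the thread

def classify_doh_response(status, content_type, body):
    """Return (verdict, detail) for one HTTP response to a DoH JSON query."""
    ctype = (content_type or "").split(";")[0].strip().lower()
    if ctype in ("application/dns-json", "application/json"):
        try:
            msg = json.loads(body)
        except ValueError:
            return ("broken", "JSON content type but unparseable body")
        if not isinstance(msg, dict) or "Status" not in msg:
            return ("broken", "JSON body is not a DNS message")
        if status == 200 and msg["Status"] == 0:  # Status carries the DNS RCODE
            return ("ok", f"NOERROR, {len(msg.get('Answer', []))} answer record(s)")
        return ("dns-error", f"HTTP {status}, RCODE {msg['Status']}")
    if ctype == "text/html":
        # An HTML page means the edge answered, not the resolver.
        title = re.search(r"<title>(.*?)</title>", body, re.I | re.S)
        return ("edge-error", title.group(1).strip() if title else f"HTML, HTTP {status}")
    return ("broken", f"unexpected content type {ctype!r}, HTTP {status}")

def probe(name="example.com", rtype="AAAA", timeout=5):
    """Send the thread's curl query and classify the reply (needs network)."""
    req = urllib.request.Request(f"{DOH_URL}?name={name}&type={rtype}",
                                 headers={"accept": "application/dns-json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return classify_doh_response(r.status, r.headers.get("Content-Type"),
                                         r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:  # 4xx/5xx still carry a body worth reading
        return classify_doh_response(e.code, e.headers.get("Content-Type"),
                                     e.read().decode("utf-8", "replace"))
    except OSError as e:  # DNS failure, refused connection, timeout
        return ("unreachable", str(e))

# Constructed samples (not captured traffic); the 403 status is an assumption.
SAMPLE_OK = (200, "application/dns-json",
             '{"Status":0,"Answer":[{"name":"example.com","type":28,'
             '"TTL":300,"data":"2001:db8::1"}]}')
SAMPLE_EDGE = (403, "text/html; charset=UTF-8",
               "<!DOCTYPE html><html><head>\n<title>DNS points to prohibited IP | "
               "security.cloudflare-dns.com | Cloudflare</title></head></html>")

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_EDGE):
        print(classify_doh_response(*sample))
    print(probe())
```

Run on a schedule from the forwarder host, a verdict other than "ok" tells you whether to look at the resolver, the edge, or the network path before switching upstreams.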