Some domains not resolved

Hello,
we are using 1.1.1.1 as primary public DNS server but we have trouble reaching some domains, such as

dig sistemapiemonte.it @1.1.1.1

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> sistemapiemonte.it @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 25129
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;sistemapiemonte.it. IN A

;; Query time: 4211 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Jun 27 15:10:48 CEST 2019
;; MSG SIZE rcvd: 47

Regards.

Doesn’t look like this domain has any DNSSEC issues, so the issue has to be something with the authoritative DNS not responding to queries from Cloudflare.

Doing a reverse NS search for other domains with the same nameservers, dns1.csi.it and the other one, you can see it happens on every domain using these nameservers:

dig rescueweb.it @1.1.1.1 #servfail
dig tief2016.org @1.1.1.1 #servfail
dig aslto1.it @1.1.1.1 #servfail

The only reason this would happen is if that DNS service blocks CF’s IP ranges for whatever reason, but there’s nothing CF can do about it.

Here’s their contact page: http://www.csipiemonte.it/web/it/contatti-e-sedi#t3-mainnav

@matteo, you are not alone anymore :smile:

@gianluca, there seem to be currently some issues with Cloudflare resolving domains managed by csi.it. So far it is not clear where the issue is.

1 Like

@gianluca yep, happened yesterday as well. It will resolve in the evening.

Couldn’t actually find a reason, as @judge said there is no DNSSEC. The NS seem to work when called directly.

1 Like

I just realised several sites don’t work with 1.1.1.1, I’m not sure where the issue is, can anyone look into this please?

Sathias-iMac:~ sathia$ dig www.soris.torino.it @8.8.8.8
; <<>> DiG 9.10.6 <<>> www.soris.torino.it @8.8.8.8
;; ANSWER SECTION:
www.soris.torino.it. 319 IN CNAME webfarm.csi.it.
webfarm.csi.it. 21599 IN A 158.102.161.78
;; Query time: 46 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)

Sathias-iMac:~ sathia$ dig www.soris.torino.it @1.1.1.1
; <<>> DiG 9.10.6 <<>> www.soris.torino.it @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63297
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;www.soris.torino.it.   IN  A
;; Query time: 4210 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Tue Jul 09 11:14:56 CEST 2019
;; MSG SIZE  rcvd: 48

Unfortunately this has been going on for a while, I don’t know why it works for half of the day…

Maybe @cloonan can connect me with someone internally that can run some tests…

I have the same problem with the hostname WWW.SISTEMAPIEMONTE.IT.
The Cloudflare name servers 1.1.1.1 and 1.0.0.1 do not respond.

I have no idea why.

I have seen that this has been continuing… It’s something that has to do with the csi.it nameservers and Cloudflare.

@cloonan someone I can email and check that with?

I suspect it’s best to let support know. They can escalate if need be.

Will do now. Thanks! I’ll keep you all updated, please do not duplicate the support request :slight_smile:

1 Like

Update to everyone here. Got a reply from Celeste (thanks if you ever read this!).

She did a couple of tests from their end and the name servers are blocking Cloudflare’s IPs. We should contact CSI directly.

For @cloonan, if you want to take a look it’s ticket #1723577.

2 Likes

Hi Judge,

your reply is very valuable. I am going to contact CSI to see if they have blacklisted the Cloudflare IPs.

I didn’t think about this potential root cause of blacklisting.

1 Like

I have sent an email to {pii redacted} in order to inform them that their name servers do not respond to CF’s IPs. I will keep you posted. Thanks to all of you, guys.

1 Like

Hi,

the issue is now solved. CSI has whitelisted the Cloudflare IPs and now it works.

2 Likes
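
The triage this thread walks through (rule out DNSSEC, compare a second resolver, query the authoritative servers directly), collected into one script as an added example that is not from any poster. The function names and verdict strings are hypothetical; `+cd` and `+norecurse` are standard dig options.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and verdicts are hypothetical.

# Sample header lines: the first is from the thread, the second is constructed.
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 25129'
SAMPLE_NOERROR=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242'

# Read dig output on stdin and print its RCODE, or TIMEOUT when dig printed
# no header at all (no reply reached us).
dig_status() {
    awk '/->>HEADER<<-/ && match($0, /status: [A-Z]+/) {
             print substr($0, RSTART + 8, RLENGTH - 8); found = 1; exit
         }
         END { if (!found) print "TIMEOUT" }'
}

# Classify from four RCODEs:
#   $1 failing resolver, $2 same resolver with DNSSEC checking disabled (+cd),
#   $3 a second public resolver, $4 the zone's authoritative server asked directly.
triage() {
    failing=$1 failing_cd=$2 other=$3 auth=$4
    if [ "$failing" != SERVFAIL ]; then
        echo no-fault                 # nothing to explain
    elif [ "$failing_cd" = NOERROR ]; then
        echo dnssec-validation        # answer exists, validation rejects it
    elif [ "$auth" != NOERROR ]; then
        echo authoritative-broken     # zone fails even when asked directly
    elif [ "$other" = NOERROR ]; then
        echo auth-filters-resolver    # zone is healthy except toward one resolver
    else
        echo inconclusive
    fi
}

# Live run. Usage: run_triage DOMAIN FAILING_RESOLVER OTHER_RESOLVER AUTH_NS
run_triage() {
    triage "$(dig "$1" "@$2" | dig_status)" \
           "$(dig +cd "$1" "@$2" | dig_status)" \
           "$(dig "$1" "@$3" | dig_status)" \
           "$(dig +norecurse "$1" "@$4" | dig_status)"
}

if [ $# -eq 4 ]; then run_triage "$@"; fi
```

A verdict of `auth-filters-resolver` is a hypothesis, not proof: the direct query leaves from your own address, so it only shows the zone answers someone, and confirmation has to come from the resolver or nameserver operator, as it did here.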