Traceroute seems to show my network doesn't use Cloudflare DNS

This question may reveal the depths of my ignorance about the way DNS works, but I have my iMac “location” settings configured to use Cloudflare DNS (1.1.1.1, etc.), my wireless access point (Netgear Orbi) is configured to use Cloudflare DNS, and my router (Frontier FIOS Arris NVG468MQ) is configured to use Cloudflare DNS. My expectation is that my DNS queries should be going through Cloudflare DNS.

Yet when I run a traceroute (either through Network Utility or Terminal), none of the Cloudflare public DNS addresses shows up in the route.

traceroute department21.org
traceroute to department21.org (104.18.46.35), 64 hops max, 52 byte packets
1 192.168.254.254 (192.168.254.254) 1.325 ms 0.913 ms 0.963 ms
2 47.150.236.1 (47.150.236.1) 1.774 ms 1.762 ms 1.707 ms
3 172.102.99.52 (172.102.99.52) 6.565 ms
172.102.99.26 (172.102.99.26) 6.016 ms 7.782 ms
4 ae8---0.scr02.lsan.ca.frontiernet.net (74.40.3.49) 4.659 ms
ae8---0.scr01.lsan.ca.frontiernet.net (74.40.3.37) 5.333 ms 5.145 ms
5 ae0---0.cbr01.lsan.ca.frontiernet.net (74.40.3.198) 4.926 ms 4.726 ms
ae1---0.cbr01.lsan.ca.frontiernet.net (74.40.3.214) 4.638 ms
6 cloudflare.as13335.any2ix.coresite.com (206.72.211.63) 5.731 ms 5.593 ms 5.499 ms
7 104.18.46.35 (104.18.46.35) 5.455 ms 5.882 ms 5.748 ms

So, what’s the point of setting my network DNS to use Cloudflare DNS?

DNS doesn’t have any (direct) impact on your network route. Instead, DNS is the service which translates the name you know (e.g. cloudflare.com) to the IP address that your computer needs to know.

But once that translation is finished, the routing of packets to the destination is unchanged.

4 Likes

OK, that makes sense. Amazing that changing that little part of the chain results in such an improvement in response time.

In addition to @thedaveCA’s correct answer, you can use the dig or nslookup commands to check if DNS queries are being answered by the expected server:

dig department21.org

; <<>> DiG 9.10.6 <<>> department21.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9372
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;department21.org.		IN	A

;; ANSWER SECTION:
department21.org.	300	IN	A	104.18.46.35
department21.org.	300	IN	A	104.18.47.35

;; Query time: 109 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Sun Mar 08 17:16:18 -03 2020
;; MSG SIZE  rcvd: 77

nslookup department21.org

Server:		1.1.1.1
Address:	1.1.1.1#53

Non-authoritative answer:
Name:	department21.org
Address: 104.18.47.35
Name:	department21.org
Address: 104.18.46.35

1 Like
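Added example, not part of the original thread: a small shell check that reads dig's `;; SERVER:` line (the field shown in the output above) and compares the answering resolver with the ones you configured. The function names, the 1.0.0.1 entry and the second sample are assumptions made for this illustration.

```sh
# Resolvers we expect to answer (1.1.1.1 is from the thread; 1.0.0.1 is
# Cloudflare's secondary public resolver address, added here as an assumption).
EXPECTED_RESOLVERS="1.1.1.1 1.0.0.1"

# Print the IP of the answering server from dig output on stdin.
# The line looks like: ";; SERVER: 1.1.1.1#53(1.1.1.1)"
resolver_from_dig() {
    awk '/^;; SERVER:/ { split($3, a, "#"); print a[1]; exit }'
}

# Return 0 if the given IP is one of the expected resolvers.
is_expected_resolver() {
    for r in $EXPECTED_RESOLVERS; do
        [ "$1" = "$r" ] && return 0
    done
    return 1
}

# Read dig output on stdin and report a verdict.
# Returns 0 = expected resolver, 1 = some other resolver, 2 = no SERVER line.
check_dig_output() {
    server=$(resolver_from_dig)
    if [ -z "$server" ]; then
        echo "no SERVER line found"; return 2
    fi
    if is_expected_resolver "$server"; then
        echo "ok: answered by $server"
    else
        echo "unexpected resolver: $server"; return 1
    fi
}

# Constructed samples: the first is trimmed from the dig output in the thread,
# the second imitates a router answering as a local forwarder instead.
SAMPLE_CLOUDFLARE=';; Query time: 109 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; MSG SIZE  rcvd: 77'
SAMPLE_ROUTER=';; Query time: 12 msec
;; SERVER: 192.168.254.254#53(192.168.254.254)
;; MSG SIZE  rcvd: 77'

# Live use would be: dig department21.org | check_dig_output
printf '%s\n' "$SAMPLE_CLOUDFLARE" | check_dig_output
printf '%s\n' "$SAMPLE_ROUTER" | check_dig_output || true
```

A result of "unexpected resolver" with a LAN address usually means the machine is asking the router, which may or may not forward to the resolver you set there; check the router's upstream DNS setting separately.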

I’ve seen that. I guess I was expecting the top line in a traceroute to show the Cloudflare public DNS, and then the rest of the path from there.

Thanks @dmz and @thedaveCA for the explanations.

2 Likes