Unable to resolve forums.geforce.com

Hi.
With Cloudflare’s DNS it is not possible to resolve “forums.geforce.com”. With 8.8.8.8 the resolution works. This DNS resolution problem with “forums.geforce.com” happens very often.
See here:

```
[email protected]:~# nslookup forums.geforce.com 1.1.1.1
Server: 1.1.1.1
Address: 1.1.1.1#53

** server can't find forums.geforce.com: NXDOMAIN

[email protected]:~# nslookup forums.geforce.com 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
forums.geforce.com canonical name = 2665u.x.incapdns.net.
Name: 2665u.x.incapdns.net
Address: 192.230.83.45

[email protected]:~# date
Mon Jul 29 07:25:41 CEST 2019
```

Probably the same as Can't access Nvidia's website geforce.com when using Cloudflare

Can you run the following commands?

```
nslookup forums.geforce.com 1.0.0.1

nslookup 2665u.x.incapdns.net 1.1.1.1
nslookup 2665u.x.incapdns.net 1.0.0.1

nslookup -class=chaos -type=txt id.server 1.1.1.1
nslookup -class=chaos -type=txt id.server 1.0.0.1

curl -v 'https://1.1.1.1/dns-query?ct=application/dns-json&name=forums.geforce.com'
curl -v 'https://1.0.0.1/dns-query?ct=application/dns-json&name=forums.geforce.com'
```

```
[email protected]:~# nslookup forums.geforce.com 1.0.0.1
Server: 1.0.0.1
Address: 1.0.0.1#53

** server can't find forums.geforce.com: NXDOMAIN

[email protected]:~# nslookup 2665u.x.incapdns.net 1.1.1.1
Server: 1.1.1.1
Address: 1.1.1.1#53

Non-authoritative answer:
Name: 2665u.x.incapdns.net
Address: 192.230.83.45

[email protected]:~# nslookup 2665u.x.incapdns.net 1.0.0.1
Server: 1.0.0.1
Address: 1.0.0.1#53

Non-authoritative answer:
Name: 2665u.x.incapdns.net
Address: 192.230.83.45

[email protected]:~# nslookup -class=chaos -type=txt id.server 1.1.1.1
Server: 1.1.1.1
Address: 1.1.1.1#53

Non-authoritative answer:
id.server text = "FCO"

Authoritative answers can be found from:

[email protected]:~# nslookup -class=chaos -type=txt id.server 1.0.0.1
Server: 1.0.0.1
Address: 1.0.0.1#53

Non-authoritative answer:
id.server text = "FCO"

Authoritative answers can be found from:
```

```
[email protected]:~# curl -v 'https://1.1.1.1/dns-query?ct=application/dns-json&name=forums.geforce.com'
* STATE: INIT => CONNECT handle 0x201d700; line 1356 (connection #-5000)
* Added connection 0. The cache now contains 1 members
*   Trying 1.1.1.1:443...
* TCP_NODELAY set
* STATE: CONNECT => WAITCONNECT handle 0x201d700; line 1412 (connection #0)
* Connected to 1.1.1.1 (1.1.1.1) port 443 (#0)
* STATE: WAITCONNECT => SENDPROTOCONNECT handle 0x201d700; line 1532 (connection #0)
* Marked for [keep alive]: HTTP default
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0x201d700; line 1547 (connection #0)
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=Cloudflare-dns.com
*  start date: Jan 28 00:00:00 2019 GMT
*  expire date: Feb 1 12:00:00 2021 GMT
*  subjectAltName: host "1.1.1.1" matched cert's IP address!
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert ECC Secure Server CA
*  SSL certificate verify ok.
* STATE: PROTOCONNECT => DO handle 0x201d700; line 1566 (connection #0)
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x201d700)
> GET /dns-query?ct=application/dns-json&name=forums.geforce.com HTTP/2
> Host: 1.1.1.1
> User-Agent: curl/7.65.3
> Accept: */*
>
* STATE: DO => DO_DONE handle 0x201d700; line 1621 (connection #0)
* multi changed, check CONNECT_PEND queue!
* STATE: DO_DONE => PERFORM handle 0x201d700; line 1743 (connection #0)
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
* multi changed, check CONNECT_PEND queue!
* HTTP/2 found, allow multiplexing
< HTTP/2 200
< date: Mon, 29 Jul 2019 08:15:48 GMT
< content-type: application/dns-json
< content-length: 310
< access-control-allow-origin: *
< cache-control: max-age=30
< expect-ct: max-age=604800, report-uri="https://report-uri.Cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: Cloudflare
< cf-ray: 4fdda5a5d8716f16-FCO
<
* nread <= 0, server closed connection, bailing
* STATE: PERFORM => DONE handle 0x201d700; line 1933 (connection #0)
* multi_done
* Connection #0 to host 1.1.1.1 left intact
{"Status": 0,"TC": false,"RD": true, "RA": true, "AD": false,"CD": false,"Question":[{"name": "forums.geforce.com.", "type": 1}],"Answer":[{"name": "forums.geforce.com.", "type": 5, "TTL": 6965, "data": "2665u.x.incapdns.net."},{"name": "2665u.x.incapdns.net.", "type": 1, "TTL": 30, "data": "192.230.83.45"}]}
```

```
[email protected]:~# curl -v 'https://1.0.01/dns-query?ct=application/dns-json&name=forums.geforce.com'
* STATE: INIT => CONNECT handle 0x4ba700; line 1356 (connection #-5000)
* Added connection 0. The cache now contains 1 members
* STATE: CONNECT => WAITRESOLVE handle 0x4ba700; line 1397 (connection #0)
* Could not resolve: 1.0.01 (Domain name not found)
* Curl_disconnect when inuse: 1
* Expire cleared (transfer 0x4ba700)
curl: (6) Could not resolve: 1.0.01 (Domain name not found)
[email protected]:~# curl -v 'https://1.0.0.1/dns-query?ct=application/dns-json&name=forums.geforce.com'
* STATE: INIT => CONNECT handle 0x846700; line 1356 (connection #-5000)
* Added connection 0. The cache now contains 1 members
*   Trying 1.0.0.1:443...
* TCP_NODELAY set
* STATE: CONNECT => WAITCONNECT handle 0x846700; line 1412 (connection #0)
* Connected to 1.0.0.1 (1.0.0.1) port 443 (#0)
* STATE: WAITCONNECT => SENDPROTOCONNECT handle 0x846700; line 1532 (connection #0)
* Marked for [keep alive]: HTTP default
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0x846700; line 1547 (connection #0)
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=Cloudflare-dns.com
*  start date: Jan 28 00:00:00 2019 GMT
*  expire date: Feb 1 12:00:00 2021 GMT
*  subjectAltName: host "1.0.0.1" matched cert's IP address!
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert ECC Secure Server CA
*  SSL certificate verify ok.
* STATE: PROTOCONNECT => DO handle 0x846700; line 1566 (connection #0)
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x846700)
> GET /dns-query?ct=application/dns-json&name=forums.geforce.com HTTP/2
> Host: 1.0.0.1
> User-Agent: curl/7.65.3
> Accept: */*
>
* STATE: DO => DO_DONE handle 0x846700; line 1621 (connection #0)
* multi changed, check CONNECT_PEND queue!
* STATE: DO_DONE => PERFORM handle 0x846700; line 1743 (connection #0)
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
* multi changed, check CONNECT_PEND queue!
* HTTP/2 found, allow multiplexing
< HTTP/2 200
< date: Mon, 29 Jul 2019 08:16:21 GMT
< content-type: application/dns-json
< content-length: 310
< access-control-allow-origin: *
< cache-control: max-age=30
< expect-ct: max-age=604800, report-uri="https://report-uri.Cloudflare.com/cdn-cgi/beacon/expect-ct"
< server: Cloudflare
< cf-ray: 4fdda677b861cd26-FCO
<
* nread <= 0, server closed connection, bailing
* STATE: PERFORM => DONE handle 0x846700; line 1933 (connection #0)
* multi_done
* Connection #0 to host 1.0.0.1 left intact
{"Status": 0,"TC": false,"RD": true, "RA": true, "AD": false,"CD": false,"Question":[{"name": "forums.geforce.com.", "type": 1}],"Answer":[{"name": "forums.geforce.com.", "type": 5, "TTL": 6932, "data": "2665u.x.incapdns.net."},{"name": "2665u.x.incapdns.net.", "type": 1, "TTL": 30, "data": "192.230.83.45"}]}
```

Interesting, you seem to be able to resolve the actual hostname to which forums.geforce.com points, so it really seems to be an issue with that particular hostname.

Furthermore, the resolution via DoH seems to work too, so I would guess it should not be necessarily an issue with the Cloudflare PoP in Rome.

Maybe Cloudflare’s support can shed some light. Can you send them an email to [email protected]?

@cloonan

Just to make sure it really is not a PoP issue. What's the colo of these two URLs?

https://1.1.1.1/cdn-cgi/trace
https://1.0.0.1/cdn-cgi/trace

```
[email protected]:~# curl -v https://1.1.1.1/cdn-cgi/trace
* STATE: INIT => CONNECT handle 0xc2c700; line 1356 (connection #-5000)
* Added connection 0. The cache now contains 1 members
*   Trying 1.1.1.1:443...
* TCP_NODELAY set
* STATE: CONNECT => WAITCONNECT handle 0xc2c700; line 1412 (connection #0)
* Connected to 1.1.1.1 (1.1.1.1) port 443 (#0)
* STATE: WAITCONNECT => SENDPROTOCONNECT handle 0xc2c700; line 1532 (connection #0)
* Marked for [keep alive]: HTTP default
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0xc2c700; line 1547 (connection #0)
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=Cloudflare-dns.com
*  start date: Jan 28 00:00:00 2019 GMT
*  expire date: Feb 1 12:00:00 2021 GMT
*  subjectAltName: host "1.1.1.1" matched cert's IP address!
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert ECC Secure Server CA
*  SSL certificate verify ok.
* STATE: PROTOCONNECT => DO handle 0xc2c700; line 1566 (connection #0)
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0xc2c700)
> GET /cdn-cgi/trace HTTP/2
> Host: 1.1.1.1
> User-Agent: curl/7.65.3
> Accept: */*
>
* STATE: DO => DO_DONE handle 0xc2c700; line 1621 (connection #0)
* multi changed, check CONNECT_PEND queue!
* STATE: DO_DONE => PERFORM handle 0xc2c700; line 1743 (connection #0)
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
* multi changed, check CONNECT_PEND queue!
* HTTP/2 found, allow multiplexing
< HTTP/2 200
< date: Mon, 29 Jul 2019 08:29:46 GMT
< content-type: text/plain
< set-cookie: __cfduid=da2f6e1db179c90fe5569fe4ffa8292da1564388986; expires=Tue, 28-Jul-20 08:29:46 GMT; path=/; domain=.1.1.1.1; HttpOnly
< access-control-allow-origin: *
< server: Cloudflare
< cf-ray: 4fddba1f8fdf6f52-FCO
< x-frame-options: SAMEORIGIN
< expires: Thu, 01 Jan 1970 00:00:01 GMT
< cache-control: no-cache
<
fl=126f13
h=1.1.1.1
ip=151.70.153.167
ts=1564388986.811
visit_scheme=https
uag=curl/7.65.3
colo=FCO
http=http/2
loc=IT
tls=TLSv1.3
sni=off
warp=off
* nread <= 0, server closed connection, bailing
* STATE: PERFORM => DONE handle 0xc2c700; line 1933 (connection #0)
* multi_done
* Connection #0 to host 1.1.1.1 left intact
* Expire cleared (transfer 0xc2c700)
[email protected]:~#
```
```
[email protected]:~# curl -v https://1.0.0.1/cdn-cgi/trace
* STATE: INIT => CONNECT handle 0x274700; line 1356 (connection #-5000)
* Added connection 0. The cache now contains 1 members
*   Trying 1.0.0.1:443...
* TCP_NODELAY set
* STATE: CONNECT => WAITCONNECT handle 0x274700; line 1412 (connection #0)
* Connected to 1.0.0.1 (1.0.0.1) port 443 (#0)
* STATE: WAITCONNECT => SENDPROTOCONNECT handle 0x274700; line 1532 (connection #0)
* Marked for [keep alive]: HTTP default
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0x274700; line 1547 (connection #0)
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Cloudflare, Inc.; CN=Cloudflare-dns.com
*  start date: Jan 28 00:00:00 2019 GMT
*  expire date: Feb 1 12:00:00 2021 GMT
*  subjectAltName: host "1.0.0.1" matched cert's IP address!
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert ECC Secure Server CA
*  SSL certificate verify ok.
* STATE: PROTOCONNECT => DO handle 0x274700; line 1566 (connection #0)
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x274700)
> GET /cdn-cgi/trace HTTP/2
> Host: 1.0.0.1
> User-Agent: curl/7.65.3
> Accept: */*
>
* STATE: DO => DO_DONE handle 0x274700; line 1621 (connection #0)
* multi changed, check CONNECT_PEND queue!
* STATE: DO_DONE => PERFORM handle 0x274700; line 1743 (connection #0)
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
* multi changed, check CONNECT_PEND queue!
* HTTP/2 found, allow multiplexing
< HTTP/2 200
< date: Mon, 29 Jul 2019 08:30:00 GMT
< content-type: text/plain
< set-cookie: __cfduid=d11fbdad0f1b2800f98cf1fa8886fdd121564389000; expires=Tue, 28-Jul-20 08:30:00 GMT; path=/; domain=.1.0.0.1; HttpOnly
< access-control-allow-origin: *
< server: Cloudflare
< cf-ray: 4fddba776f8bcd32-FCO
< x-frame-options: SAMEORIGIN
< expires: Thu, 01 Jan 1970 00:00:01 GMT
< cache-control: no-cache
<
fl=126f30
h=1.0.0.1
ip=151.70.153.167
ts=1564389000.874
visit_scheme=https
uag=curl/7.65.3
colo=FCO
http=http/2
loc=IT
tls=TLSv1.3
sni=off
warp=off
* nread <= 0, server closed connection, bailing
* STATE: PERFORM => DONE handle 0x274700; line 1933 (connection #0)
* multi_done
* Connection #0 to host 1.0.0.1 left intact
* Expire cleared (transfer 0x274700)
```

Ticket 1726140 opened.
Thank you.

Ciao!

Goes via Fiumicino as well. Shouldn't be a PoP issue then, as DoH works, only plain DNS does not, like in the mentioned Larnaca-related thread.

@cloonan

Hi.
Still the same problems today; sometimes it’s resolved, sometimes not:

```
[email protected]:~# nslookup forums.geforce.com 1.1.1.1
Server: 1.1.1.1
Address: 1.1.1.1#53

Non-authoritative answer:
forums.geforce.com canonical name = 2665u.x.incapdns.net.
Name: 2665u.x.incapdns.net
Address: 192.230.83.45

[email protected]:~# nslookup forums.geforce.com 1.0.0.1
Server: 1.0.0.1
Address: 1.0.0.1#53

Non-authoritative answer:
forums.geforce.com canonical name = 2665u.x.incapdns.net.
Name: 2665u.x.incapdns.net
Address: 192.230.83.45

[email protected]:~# nslookup forums.geforce.com 1.0.0.1
Server: 1.0.0.1
Address: 1.0.0.1#53

** server can't find forums.geforce.com: NXDOMAIN

[email protected]:~# nslookup forums.geforce.com 1.1.1.1
Server: 1.1.1.1
Address: 1.1.1.1#53

** server can't find forums.geforce.com: NXDOMAIN
```

Well, I guess the issue hasn't been fixed yet, and considering it dates back to May I am not sure how quickly it will be.

What did support respond?

The support answered with:

I cannot replicate the issue you have.
Regardless which DNS resolver I ask I got the same answer

```

dig forums.geforce.com @8.8.8.8 +short
2665u.x.incapdns.net.
149.126.74.45
```

Let me know how I can assist

Did you tell them to specifically look at the Fiumicino PoP? It would appear as if that is specific to Fiumicino, Larnaca, and maybe other PoPs but not Cloudflare in general.

Yesterday I had the same problem on MXP (Milano). I don’t think it’s related to the specific datacenter.

On my Android 9 mobile phone I have configured “Secure DNS”, which is DNS-over-TLS, and I had the same problem while I was on the Milan datacenter.

Might be specific to FCO and MXP in that case.

Anyhow, you should tell them the specific PoP.

And on my Linux server at home I have an unbound DNS server configured to use 1.1.1.1 and 1.0.0.1 as forwarders via DNS-over-TLS.
The DNS-over-TLS queries also fail randomly, like the plain DNS ones.

OK. I’ll ask.

See this screenshot of tomorrow: using DNS-over-TLS on an Android 9 mobile phone, the lookup fails.

So DoH works, but DoT does not?
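
The manual comparison carried out in this thread (the same name asked over plain DNS on port 53 and over the DoH JSON endpoint, repeated because the failure is intermittent) can be scripted. The Python below is an added example, not code from any poster or from Cloudflare; the function names and the `sample_run` data are assumptions, constructed from the outputs quoted above.

```python
import json
import secrets
import socket
import struct
from collections import Counter

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qtype=1):
    """Wire-format query (RFC 1035): random ID, RD flag set, one IN question."""
    header = struct.pack("!HHHHHH", secrets.randbits(16), 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").encode("ascii").split(b".")
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def rcode_of(response):
    """RCODE is the low 4 bits of the flags word at bytes 2-3 of the header."""
    code = struct.unpack("!H", response[2:4])[0] & 0x000F
    return RCODES.get(code, f"RCODE{code}")

def udp_rcode(name, resolver, timeout=2.0):
    """Ask one resolver over plain UDP/53 (needs network; unused in sample_run)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        data, _ = sock.recvfrom(4096)
    if data[:2] != query[:2]:
        raise ValueError("response ID does not match query ID")
    return rcode_of(data)

def doh_rcode(body):
    """RCODE name and A-record addresses from an application/dns-json body."""
    msg = json.loads(body)
    addrs = [a["data"] for a in msg.get("Answer", []) if a["type"] == 1]
    return RCODES.get(msg["Status"], f"RCODE{msg['Status']}"), addrs

def find_disagreements(samples, expected="NOERROR"):
    """samples: (transport, resolver, rcode). Returns the tally for every path
    that ever answered with something other than `expected` (wrong or flaky)."""
    tallies = {}
    for transport, resolver, rcode in samples:
        tallies.setdefault((transport, resolver), Counter())[rcode] += 1
    return {p: dict(c) for p, c in tallies.items() if set(c) != {expected}}

# Constructed sample: DoH body abridged from the one posted in the thread.
DOH_BODY = ('{"Status": 0, "Answer": [{"name": "forums.geforce.com.", "type": 5, '
            '"TTL": 6965, "data": "2665u.x.incapdns.net."}, {"name": '
            '"2665u.x.incapdns.net.", "type": 1, "TTL": 30, "data": "192.230.83.45"}]}')

def sample_run():
    q = build_query("forums.geforce.com")
    nx = rcode_of(q[:2] + struct.pack("!H", 0x8183) + q[4:])  # synthetic QR|RD|RA, RCODE=3
    doh, addrs = doh_rcode(DOH_BODY)
    samples = [("udp", "1.1.1.1", nx), ("udp", "1.1.1.1", "NOERROR"),
               ("udp", "1.0.0.1", nx), ("udp", "8.8.8.8", "NOERROR"),
               ("doh", "1.1.1.1", doh), ("doh", "1.0.0.1", doh)]
    return addrs, find_disagreements(samples)
```

For a live run, collect the samples by calling `udp_rcode` in a loop per resolver and record the `colo` value from `/cdn-cgi/trace` alongside each one, so a report to support names the PoP and the transport that failed.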