Problems with CloudFlare DoT

I've been having this issue the last couple days and was using Cloudflare DoT. For whatever reason some sites just would not resolve. For me, one example was healthcare.gov. As soon as I switched to any other provider for DoT from the pre-selected list it would load fine. I don't really have another good example to try outside of those. Last night my AT&T TV wouldn't load. Amazon Prime had issues along with HBO Max. Today healthcare.gov wasn't right and then a bunch of other sites that I can't really recall because I was frustrated trying to pin down what was causing the problem.

Anyway, I was wondering if anyone else has been having this issue the past day or two. It doesn't matter because I've resolved my problem for now, but I'm curious. I checked Cloudflare dashboards and various social media sites to see if anyone is crying like me but I appear to be the only one currently.

edit: And you know it did make me wonder something. I had Google's DNS set as another server in my DoT setup. How come if the router couldn't resolve healthcare.gov with Cloudflare it didn't fall back to Google?
 
Yes, I have also been having periodic issues...and it is not related to Asus/Merlin routers. I see some sites periodically not loading with any Cloudflare DNS IPs (1.1.1.1, 1.1.1.2, 1.1.1.3) and will load fine when I switch to Quad 9. After a few days I check Cloudflare again and all is well...for a few days when the same or different sites fail to resolve and then I go back to Quad 9. I'm experiencing this on ASUS/Merlin based routers and on a pfSense based router. Some days sites like apple.com fail...other days it's bmwusa.com. No real consistency. What is consistent is switching to another DNS provider resolves the issue. And it's not related to DoT either...just periodic issues with Cloudflare DNS.
 
> Yes, I have also been having periodic issues...and it is not related to Asus/Merlin routers. I see some sites periodically not loading with any Cloudflare DNS IPs (1.1.1.1, 1.1.1.2, 1.1.1.3) and will load fine when I switch to Quad 9. After a few days I check Cloudflare again and all is well...for a few days when the same or different sites fail to resolve and then I go back to Quad 9. I'm experiencing this on ASUS/Merlin based routers and on a pfSense based router. Some days sites like apple.com fail...other days it's bmwusa.com. No real consistency. What is consistent is switching to another DNS provider resolves the issue. And it's not related to DoT either...just periodic issues with Cloudflare DNS.

This is why I stopped using Cloudflare about a month or two ago. The issues have never come back after the switch.
 
> I've been having this issue the last couple days and was using Cloudflare DoT. For whatever reason some sites just would not resolve. For me, one example was healthcare.gov. As soon as I switched to any other provider for DoT from the pre-selected list it would load fine. I don't really have another good example to try outside of those. Last night my AT&T TV wouldn't load. Amazon Prime had issues along with HBO Max. Today healthcare.gov wasn't right and then a bunch of other sites that I can't really recall because I was frustrated trying to pin down what was causing the problem.
>
> Anyway, I was wondering if anyone else has been having this issue the past day or two. It doesn't matter because I've resolved my problem for now, but I'm curious. I checked Cloudflare dashboards and various social media sites to see if anyone is crying like me but I appear to be the only one currently.
>
> edit: And you know it did make me wonder something. I had Google's DNS set as another server in my DoT setup. How come if the router couldn't resolve healthcare.gov with Cloudflare it didn't fall back to Google?

Re falling back to the alternative server: I “think” any specified servers are called upon in a ‘round robin’ arrangement. Each server’s turn comes up for use, working or not?
 
> Yes, I have also been having periodic issues...and it is not related to Asus/Merlin routers. I see some sites periodically not loading with any Cloudflare DNS IPs (1.1.1.1, 1.1.1.2, 1.1.1.3) and will load fine when I switch to Quad 9. After a few days I check Cloudflare again and all is well...for a few days when the same or different sites fail to resolve and then I go back to Quad 9. I'm experiencing this on ASUS/Merlin based routers and on a pfSense based router. Some days sites like apple.com fail...other days it's bmwusa.com. No real consistency. What is consistent is switching to another DNS provider resolves the issue. And it's not related to DoT either...just periodic issues with Cloudflare DNS.

Back in the early days of the DNS Privacy implementation, I too had all sorts of hassles with Cloudflare. Some sites just refused to resolve.
Disabling Pixelserv was my eventual fix. :oops:
Now I have reenabled it, but I don’t have the certificate installed on my device, & all is good.
Why this should be, I don’t know. Just reporting what works here.....
 
I am currently using Cloudflare (malware) 1.1.1.2 and 1.0.0.2 with DoT and am not having issues. I have run Quad9 DoT off and on since the early testing of Stubby. As my ISP routes Quad9 anycast to a server nine times farther away than Cloudflare, I had the occasional connection issue so have switched to the Cloudflare service.
With that said, I do modify stubby.yml to turn off round robin and do DNSSEC via Stubby (DNSSEC is not enabled in the Merlin GUI). There have been plenty of discussions on the "right" way to do DNSSEC and the bottom line is that it is your preference. For the adventuresome here is my stubby.postconf:
Code:
#!/bin/sh
# stubby.postconf: run by the firmware after it generates stubby.yml; $1 is the path to that file
CONFIG=$1
source /usr/sbin/helper.sh
# Stop rotating queries across the upstream list; use the first upstream until it fails
pc_replace "round_robin_upstreams: 1" "round_robin_upstreams: 0" "$CONFIG"
# Ask Stubby to validate DNSSEC; the line is inserted directly after the tls_authentication line
pc_insert "tls_authentication: GETDNS_AUTHENTICATION_REQUIRED" "dnssec_return_status: GETDNS_EXTENSION_TRUE" "$CONFIG"
Just remember to disable DNSSEC in the WAN settings.
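To see what that postconf actually does to the generated file, here is an added example (not from this thread, and not Asus-Merlin's helper.sh): a constructed stubby.yml fragment, Python stand-ins for the pc_replace and pc_insert calls as the script uses them, and a check a practitioner would run afterwards to confirm round robin is off and the DNSSEC line landed where expected. The sample config, the upstream entries in it and the helper names are assumptions for this example.

```python
"""Added example: what the posted stubby.postconf changes in stubby.yml.
The sample config is constructed; pc_replace/pc_insert below are Python
re-implementations of how helper.sh's functions are used in that script,
not the real helper.sh."""

# Constructed stubby.yml fragment using the keys the thread mentions.
SAMPLE_STUBBY_YML = """\
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
tls_query_padding_blocksize: 128
edns_client_subnet_private: 1
round_robin_upstreams: 1
idle_timeout: 9000
upstream_recursive_servers:
  - address_data: 1.1.1.2
    tls_auth_name: "security.cloudflare-dns.com"
  - address_data: 1.0.0.2
    tls_auth_name: "security.cloudflare-dns.com"
"""


def pc_replace(old: str, new: str, text: str) -> str:
    """Assumed equivalent of helper.sh pc_replace: swap every occurrence of old for new."""
    return text.replace(old, new)


def pc_insert(after: str, line: str, text: str) -> str:
    """Assumed equivalent of helper.sh pc_insert: put `line` on its own line
    directly after the first line containing `after`."""
    out = []
    inserted = False
    for current in text.splitlines():
        out.append(current)
        if not inserted and after in current:
            out.append(line)
            inserted = True
    return "\n".join(out) + "\n"


def apply_postconf(config: str) -> str:
    """The two edits the posted stubby.postconf makes, in the same order."""
    config = pc_replace("round_robin_upstreams: 1", "round_robin_upstreams: 0", config)
    return pc_insert("tls_authentication: GETDNS_AUTHENTICATION_REQUIRED",
                     "dnssec_return_status: GETDNS_EXTENSION_TRUE", config)


def check_config(config: str) -> dict:
    """Post-change verification: round robin off, DNSSEC validation requested,
    and the DNSSEC line sitting right after the TLS authentication line."""
    lines = config.splitlines()
    auth_idx = next(i for i, l in enumerate(lines) if l.startswith("tls_authentication:"))
    dnssec_line = "dnssec_return_status: GETDNS_EXTENSION_TRUE"
    return {
        "round_robin_off": "round_robin_upstreams: 0" in lines,
        "dnssec_requested": dnssec_line in lines,
        "dnssec_after_tls_auth": lines[auth_idx + 1] == dnssec_line,
    }


if __name__ == "__main__":
    patched = apply_postconf(SAMPLE_STUBBY_YML)
    print(patched)
    print(check_config(patched))
```

On the router itself the equivalent check is simply reading /etc/stubby/stubby.yml after the service restarts; the point of check_config is that both edits are verified, since a pc_insert whose anchor string does not match leaves the file silently unchanged.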
 
> I am currently using Cloudflare (malware) 1.1.1.2 and 1.0.0.2 with DoT and am not having issues. I have run Quad9 DoT off and on since the early testing of Stubby. As my ISP routes Quad9 anycast to a server nine times farther away than Cloudflare, I had the occasional connection issue so have switched to the Cloudflare service.
> With that said, I do modify stubby.yml to turn off round robin and do DNSSEC via Stubby (DNSSEC is not enabled in the Merlin GUI). There have been plenty of discussions on the "right" way to do DNSSEC and the bottom line is that it is your preference. For the adventuresome here is my stubby.postconf:
> Code:
> #!/bin/sh
> CONFIG=$1
> source /usr/sbin/helper.sh
> pc_replace "round_robin_upstreams: 1" "round_robin_upstreams: 0" "$CONFIG"
> pc_insert "tls_authentication: GETDNS_AUTHENTICATION_REQUIRED" "dnssec_return_status: GETDNS_EXTENSION_TRUE" "$CONFIG"
> Just remember to disable DNSSEC in the WAN settings.

I specify just one server. Works fine.:p
 
> I am currently using Cloudflare (malware) 1.1.1.2 and 1.0.0.2 with DoT and am not having issues. I have run Quad9 DoT off and on since the early testing of Stubby. As my ISP routes Quad9 anycast to a server nine times farther away than Cloudflare, I had the occasional connection issue so have switched to the Cloudflare service.
> With that said, I do modify stubby.yml to turn off round robin and do DNSSEC via Stubby (DNSSEC is not enabled in the Merlin GUI). There have been plenty of discussions on the "right" way to do DNSSEC and the bottom line is that it is your preference. For the adventuresome here is my stubby.postconf:
> Code:
> #!/bin/sh
> CONFIG=$1
> source /usr/sbin/helper.sh
> pc_replace "round_robin_upstreams: 1" "round_robin_upstreams: 0" "$CONFIG"
> pc_insert "tls_authentication: GETDNS_AUTHENTICATION_REQUIRED" "dnssec_return_status: GETDNS_EXTENSION_TRUE" "$CONFIG"
> Just remember to disable DNSSEC in the WAN settings.

Most of the time Cloudflare works great. Then one day a few sites don't resolve. Changing to another DNS provider fixes it immediately. No changes needed in my network/router. I have this with Asus/Merlin and with pfSense. I usually wait 24-48 hours and switch back to Cloudflare and all is well. Then after a period of time, usually a few weeks, it happens again. Sometimes the same sites won't resolve and sometimes other sites. Changing DNS providers always resolves the issue. It has to be a server issue on Cloudflare's side and maybe just the server I'm steered to...in my case ORD/Chicago. Regardless, I'm back on Quad 9 and for me it's about 1ms faster to resolve than Cloudflare.
 
Since this thread is all about Cloudflare, I thought I'd put an idea out there. Cloudflare has these free offerings: Cloudflare Teams & Cloudflare Gateway. It's the latter that I use for DoT after using NextDNS for DoT since the beta with a subscription as it was inexpensive & appeared to have great potential. Well, NextDNS DNS servers do not have DNSSEC configured properly, as can be tested using https://cmdns.dev.dns-oarc.net/. Its grade is a C. Note that Cloudflare's grade is only a B. Thus far, the only mainstream security focused DoT (& DoH, DNSCrypt & DoQ - DNS-over-QUIC) DNS server that has ad/tracking/phishing/etc protection is AdGuard's. Cloudflare's Gateway has a dash (not well designed, IMO) which logs every host that was contacted in real time. It allows for blocking of anything one may want, allows specific hosts that one may want & allows for CNAMEs from any host to any other or to any IP (it's convenient for mapping something like x.local CNAME 192.168.50.1). NextDNS has the same function; however, Cloudflare began its Gateway service ≈1yr ago.

1) Sign up for free Cloudflare acct.
2) Familiarize oneself with its Gateway.
3) Try it out.
 
No issues here while using Unbound configured with DoT using cloudflare(1.1.1.2-1.0.0.2)
 
> Re falling back to the alternative server: I “think” any specified servers are called upon in a ‘round robin’ arrangement. Each server’s turn comes up for use, working or not?
That would be interesting. All these years and I assumed it would fall back to the secondary (and sometimes tertiary) if a site failed to resolve on the primary or secondary OR if the primary couldn't be reached. I didn't know it was a round robin. If it were, wouldn't that be a huge coincidence that every time I'd hit a particular site (in this case healthcare.gov) and it was always 1.1.1.1 that got the turn for it? Anyway I guess I should read up on how it works. Thanks for piquing my interest in that.
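The two posts above are asking how a stub resolver with several upstreams actually chooses one, and why a "fallback" server may never be consulted. The following is an added example, not Stubby's, getdns's or dnsmasq's code: a deliberately small model of the two policies the thread names (round robin across the list, versus sticking with the first upstream and moving on only when it fails). Its one assumption, stated in the comments, is that only a transport failure (unreachable server, timeout) triggers a move to the next upstream; an upstream that is reachable and answers SERVFAIL for a name has given an answer, so that answer is what the client receives. The upstream behaviours and query counts are constructed for the illustration.

```python
"""Added example: a simplified model of upstream selection in a stub resolver,
to illustrate the round-robin-versus-fallback question in the thread.
Assumption: failover happens only on transport failures, never on a SERVFAIL
answer.  Not the code of any real resolver."""

from collections import Counter

SERVFAIL = "SERVFAIL"

# Constructed upstream behaviour: the first resolver is reachable but answers
# SERVFAIL for one name; the second resolves everything.  The addresses are the
# public ones named in the thread; the failure is invented for the example.
UPSTREAMS = {
    "1.1.1.1": {"healthcare.gov": SERVFAIL},
    "8.8.8.8": {},
}


def ask(upstream: str, name: str, down: set) -> str:
    """Return the upstream's answer (a placeholder 'name@upstream' string or
    SERVFAIL); raise ConnectionError to model a transport failure."""
    if upstream in down:
        raise ConnectionError(f"{upstream} unreachable")
    return UPSTREAMS[upstream].get(name, f"{name}@{upstream}")


class StubResolver:
    def __init__(self, order, round_robin: bool, down=()):
        self.order = list(order)        # configured upstreams, in config order
        self.round_robin = round_robin  # True: rotate; False: first-until-it-fails
        self.down = set(down)           # upstreams modelled as unreachable
        self._next = 0                  # rotation pointer for round robin
        self.used = Counter()           # which upstream answered each query

    def resolve(self, name: str) -> str:
        # Round robin starts each query at the rotating pointer;
        # the sticky policy always starts at the first upstream.
        start = self._next if self.round_robin else 0
        if self.round_robin:
            self._next = (self._next + 1) % len(self.order)
        for i in range(len(self.order)):
            upstream = self.order[(start + i) % len(self.order)]
            try:
                answer = ask(upstream, name, self.down)
            except ConnectionError:
                continue          # transport failure: try the next upstream
            self.used[upstream] += 1
            return answer         # any DNS answer, SERVFAIL included, is final
        raise ConnectionError("all upstreams unreachable")


def trial(round_robin: bool, down=(), queries=6, name="healthcare.gov"):
    """Run `queries` lookups of `name` and report how many came back SERVFAIL
    and which upstream served each one."""
    resolver = StubResolver(["1.1.1.1", "8.8.8.8"], round_robin, down)
    answers = [resolver.resolve(name) for _ in range(queries)]
    return answers.count(SERVFAIL), dict(resolver.used)


if __name__ == "__main__":
    print("round robin, both reachable:", trial(True))
    print("first-until-fails, both reachable:", trial(False))
    print("first-until-fails, 1.1.1.1 unreachable:", trial(False, down={"1.1.1.1"}))
```

Under this model a round-robin client would see roughly half its lookups of the affected name fail and half succeed, while a first-until-it-fails client sends every query to the same upstream and sees every lookup of that name fail, exactly the "always 1.1.1.1" pattern the post wonders about; the secondary only takes over when the primary stops answering at all. Which policy a given build uses is a configuration matter (the round_robin_upstreams setting in stubby.yml was shown earlier in the thread), so the model is a way to reason about the symptom, not a statement about any specific firmware's default.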

> Most of the time Cloudflare works great. Then one day a few sites don't resolve. Changing to another DNS provider fixes it immediately. No changes needed in my network/router. I have this with Asus/Merlin and with pfSense. I usually wait 24-48 hours and switch back to Cloudflare and all is well. Then after a period of time, usually a few weeks, it happens again. Sometimes the same sites won't resolve and sometimes other sites. Changing DNS providers always resolves the issue. It has to be a server issue on Cloudflare's side and maybe just the server I'm steered to...in my case ORD/Chicago. Regardless, I'm back on Quad 9 and for me it's about 1ms faster to resolve than Cloudflare.
This is entirely my experience. Except now I'm not gonna head back to Cloudflare. I just hopped to Quad9 for my primary and Google for the secondary. If and when one of those gives me troubles, I have no problems switching again. Ain't nobody got time for that. Essentially all these big ones are the same anyway. My life isn't going to drastically change because queries are taking milliseconds longer each.
 