Cloudflare 1.1.1.1 public DNS broken w/ AT&T CPE

Copypasta:

I didn't say that.

In case this is a non-native English issue, "nobody should have been using" is past tense, which is to say everyone squatting on 1/8 space for their own purposes because it was "unassigned" shouldn't have been doing that.

~Seth

You might be interested in these links which compare the services:
https://medium.com/@nykolas.z/dns-resolvers-performance-compared-cloudflare-x-google-x-quad9-x-opendns-149e803734e5
https://webxtrakt.com/public-dns-performance

-Hank

* Marty Strong via NANOG <nanog@nanog.org>

Routing from ~150 locations, plenty of redundancy.

Any plans to support NSID and/or "hostname.bind" to allow clients to
identify which node is serving their requests? For example:

$ dig @nsb.dnsnode.net. hostname.bind. CH TXT +nsid
[...]
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; NSID: 73 34 2e 6f 73 6c ("s4.osl")
;; QUESTION SECTION:
;hostname.bind. CH TXT

;; ANSWER SECTION:
hostname.bind. 0 CH TXT "s4.osl"
[...]

Tore

1.1.1.1 not usable via Windstream peering in Chicago.

# traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
...
3 be4.agr01.chcg02-il.us.windstream.net (40.136.99.22) 5.158 ms 5.116 ms 7.565 ms
4 ae13-0.cr01.chcg01-il.us.windstream.net (40.136.99.44) 4.673 ms 4.644 ms 4.600 ms
5 et8-0-0-0.cr02.dlls01-tx.us.windstream.net (40.128.10.135) 27.136 ms 27.099 ms 27.053 ms
6 xe0-2-3-0.cr02.dnvt01-co.us.windstream.net (40.136.97.125) 29.075 ms 28.381 ms 28.336 ms
7 xe3-3-1-0.pe03.dums01-tx.us.windstream.net (173.189.57.195) 46.121 ms 46.193 ms 46.148 ms
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 *^C

# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=248 time=43.2 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=248 time=43.9 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=248 time=42.8 ms
^C
--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 42.892/43.344/43.915/0.489 ms

# nslookup
> server 1.1.1.1
Default server: 1.1.1.1
Address: 1.1.1.1#53
> google.com
;; connection timed out; trying next origin
;; connection timed out; no servers could be reached

Hello,

So far we know about a few CPEs which answer for 1.1.1.1 themselves:

- Pace 5268
- Calix GigaCenter
- Various Cisco Wifi access points

If you know of others please send them my way so we can investigate.

It seems that in France, Orange's Livebox is also using 1.1.1.1 in some
way...

215 [6:20] rol@riri:~> traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
1 * * *
2 * * *
3 * * *
4 * * *

216 [6:20] rol@riri:~> ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=0.371 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=64 time=0.292 ms
^C
--- 1.1.1.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1037ms
rtt min/avg/max/mdev = 0.292/0.331/0.371/0.043 ms

217 [6:20] rol@riri:~> traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
1 livebox.home (192.168.1.254) 0.268 ms 0.236 ms 0.263 ms
2 * * *
3 ae102-0.ncidf103.Puteaux.francetelecom.net (193.253.80.138) 1.724 ms 1.733 ms 1.793 ms
...

That IP address is definitely full of magic...

Paul
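The Orange Livebox capture above and the Windstream capture earlier in the thread show two distinct signatures: a reply with an untouched initial TTL (64) at sub-millisecond RTT means something on the local segment is answering for 1.1.1.1, while a reply with TTL 248 after ~43 ms and a traceroute that dies after hop 7 means the address is routed but UDP/53 never gets an answer. The following is an added example, not code from any poster in this thread: a small Python classifier that parses ping, traceroute and nslookup output in the shapes quoted here and turns them into a verdict. The sample captures are constructed from the thread's traces, and the 2 ms "LAN-scale" RTT threshold, the set of common initial TTLs, and the helper names are assumptions of this example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample captures, modelled on the Orange Livebox and Windstream
# traces quoted in this thread (not live measurements taken here).
PING_VIA_LIVEBOX = """PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=0.371 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=64 time=0.292 ms
"""
TRACE_VIA_LIVEBOX = """traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
"""
PING_VIA_WINDSTREAM = """PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=248 time=43.2 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=248 time=43.9 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=248 time=42.8 ms
"""
TRACE_VIA_WINDSTREAM = """traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 3  be4.agr01.chcg02-il.us.windstream.net (40.136.99.22)  5.158 ms  5.116 ms  7.565 ms
 4  ae13-0.cr01.chcg01-il.us.windstream.net (40.136.99.44)  4.673 ms  4.644 ms  4.600 ms
 7  xe3-3-1-0.pe03.dums01-tx.us.windstream.net (173.189.57.195)  46.121 ms  46.193 ms  46.148 ms
 8  * * *
 9  * * *
13  *^C
"""
NSLOOKUP_TIMEOUT = """> server 1.1.1.1
Default server: 1.1.1.1
Address: 1.1.1.1#53
> google.com
;; connection timed out; trying next origin
;; connection timed out; no servers could be reached
"""

PING_REPLY = re.compile(r"icmp_seq=\d+ ttl=(\d+) time=([\d.]+) ms")
TRACE_HOP = re.compile(r"^\s*(\d+)\s+(.*)$")
NO_REPLY = re.compile(r"[\s*^C]*")     # hop body that is only '* * *' (or '*^C')
INITIAL_TTLS = (64, 128, 255)          # assumption: common starting TTLs (Linux/BSD, Windows, Cisco)
LAN_RTT_MS = 2.0                       # assumption: below this the responder is on the local segment


@dataclass
class Verdict:
    label: str
    reason: str


def parse_ping(text: str) -> list[tuple[int, float]]:
    """(ttl, rtt_ms) for every echo-reply line; header/summary lines are ignored."""
    return [(int(ttl), float(rtt)) for ttl, rtt in PING_REPLY.findall(text)]


def parse_traceroute(text: str) -> list[tuple[int, bool]]:
    """(hop_number, answered) for every hop line; the 'traceroute to ...' header is skipped."""
    hops = []
    for line in text.splitlines():
        m = TRACE_HOP.match(line)
        if m:
            hops.append((int(m.group(1)), NO_REPLY.fullmatch(m.group(2)) is None))
    return hops


def estimated_hops(ttl: int) -> int:
    """Router hops implied by a reply TTL, assuming the nearest common initial TTL."""
    initial = next(t for t in INITIAL_TTLS if t >= ttl)
    return initial - ttl


def classify(ping_out: str, trace_out: str, dns_out: str = "") -> Verdict:
    replies = parse_ping(ping_out)
    if not replies:
        return Verdict("unreachable", "no ICMP echo replies at all")
    hop_estimates = {estimated_hops(ttl) for ttl, _ in replies}
    max_rtt = max(rtt for _, rtt in replies)
    answered = [n for n, ok in parse_traceroute(trace_out) if ok]
    # Untouched initial TTL plus LAN-scale RTT: the gateway/CPE itself is answering.
    if hop_estimates == {0} and max_rtt < LAN_RTT_MS:
        return Verdict("answered-locally",
                       f"reply TTL is an untouched initial value and RTT {max_rtt} ms is LAN-scale: "
                       "a directly attached device (CPE/gateway) is answering for 1.1.1.1")
    # Routed and pingable, but the resolver never answers on UDP/53.
    if "connection timed out" in dns_out:
        return Verdict("icmp-only",
                       f"echo replies arrive after ~{max(hop_estimates)} hops (traceroute answered at "
                       f"hops {answered}) but DNS queries time out: the path or a filter drops UDP/53")
    return Verdict("ok", f"reachable across ~{max(hop_estimates)} hops and DNS answers")


if __name__ == "__main__":
    for name, args in (("livebox", (PING_VIA_LIVEBOX, TRACE_VIA_LIVEBOX)),
                       ("windstream", (PING_VIA_WINDSTREAM, TRACE_VIA_WINDSTREAM, NSLOOKUP_TIMEOUT))):
        v = classify(*args)
        print(f"{name}: {v.label} - {v.reason}")
```

The TTL arithmetic is the useful cross-check: a reply TTL of 248 implies seven decrements from a 255 start, which agrees with the Windstream traceroute going dark after hop 7, whereas TTL 64 with no decrements at 0.3 ms cannot be a Cloudflare anycast node and must be the Livebox. Feed it real `ping`/`traceroute`/`nslookup` output from a suspect site and the verdict tells you whether to look at the CPE or at the upstream path.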

Orange France is known, they just didn’t tell us the exact reason.

They said that if you contact them, they’ll provide you with an official explanation.

Regards,
Marty Strong

Still believe in Santa? :wink:

Good luck with that.

Best regards.

Great article!

Thanks for sharing :slight_smile:

(ah, the top-posting)

We go by the guidance of our vendors, and in this case the vendors are the ones who made inappropriate use of Net 1. Many of them. So to put the onus on just Mr. Lockhart is plainly inappropriate.

"Fixing the blame" is not going to take us very far. We as a community need to "fix the problem" -- that road will lead to proper functioning of all of our networks.

Even the little ones.

FWIW:

  $ dig @1.0.0.1 id.server. CH TXT
  [...]
  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags:; udp: 1536
  ;; QUESTION SECTION:
  ;id.server. CH TXT
  
  ;; ANSWER SECTION:
  id.server. 0 CH TXT "dtw01"
  [...]

Very interesting...

I just heard about this problem today from one of my friends who supports a big SP network (Russia). He got complaints from one of their peers. After a short investigation he found that they were blackholing 1.1.1.1.
When I asked him about the reasons, he couldn't explain, because, as he said, "it was there from the Big Bang times".

BR, Andrey Slastenov

I'm finding it unreachable from at least one Level 3 router. I'm seeing behavior which makes me suspect 1.1.1.1/32 has been incorrectly defined as an interface IP on that device; one of our locations gets an immediate ping response for 1.1.1.1, and a traceroute of one hop, which is that first upstream hop. 1.0.0.1 is reachable like normal across several hops.

    1.1.1.1 not usable via Windstream peering in Chicago.
    
    # traceroute 1.1.1.1
    traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
    ...
      3 be4.agr01.chcg02-il.us.windstream.net (40.136.99.22) 5.158 ms 5.116 ms 7.565 ms
      4 ae13-0.cr01.chcg01-il.us.windstream.net (40.136.99.44) 4.673 ms 4.644 ms 4.600 ms
      5 et8-0-0-0.cr02.dlls01-tx.us.windstream.net (40.128.10.135) 27.136 ms 27.099 ms 27.053 ms
      6 xe0-2-3-0.cr02.dnvt01-co.us.windstream.net (40.136.97.125) 29.075 ms 28.381 ms 28.336 ms
      7 xe3-3-1-0.pe03.dums01-tx.us.windstream.net (173.189.57.195) 46.121 ms 46.193 ms 46.148 ms
      8 * * *
      9 * * *
    10 * * *
    11 * * *
    12 * * *
    13 *^C
    
    # ping 1.1.1.1
    PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
    64 bytes from 1.1.1.1: icmp_seq=1 ttl=248 time=43.2 ms
    64 bytes from 1.1.1.1: icmp_seq=2 ttl=248 time=43.9 ms
    64 bytes from 1.1.1.1: icmp_seq=3 ttl=248 time=42.8 ms
    ^C
    --- 1.1.1.1 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2002ms
    rtt min/avg/max/mdev = 42.892/43.344/43.915/0.489 ms
    
    # nslookup
     > server 1.1.1.1
    Default server: 1.1.1.1
    Address: 1.1.1.1#53
     > google.com
    ;; connection timed out; trying next origin
    ;; connection timed out; no servers could be reached

On a Xerox Phaser 3635MFP printer running the latest firmware, when attempting to configure it to use 1.1.1.1 for DNS, it throws the following error: "The following Alternate DNS Server 1 addresses are not permitted: 1.1.1.1 and 255.255.255.255".

I suspect this was intended to prevent people from putting in an "invalid" placeholder, but the assumption that 1.1.1.1 would never be an actual DNS server that somebody might actually wish to use appears to have been unwise.

Daniel Dent

https://www.danieldent.com