
Error in adding 1.1.1.1 in DNS Forwarders tab

[Screenshots: DNS Forwarder, Existing DNS Root Hints]

Hi,

I heard good things about using 1.1.1.1 as a DNS server. Please see the article: https://blog.cloudflare.com/announcing-1111/
So I wanted to use it in the SBS2011 DNS Manager, but I ran into an error when I plugged it in.
In the past, I have not entered any DNS server here in the Forwarders tab, so that it uses root hints.
Has anyone used 1.1.1.1 in the Forwarders tab in SBS2011?
Do you know why it is not accepting this IP address?
Should I add 1.1.1.1 in the Root Hints tab and move it to the top of the list?

Thanks.
Asked by: sglee

2 Solutions

Mahesh (Architect) commented:
It's not working at my server as well.

I am unable to telnet to it on TCP 53, nor is it able to resolve any public records.

Until you are able to telnet to it on 53, it is of no use; what is happening at your end is expected.
 
sglee (Author) commented:
I see. I tried to telnet into 8.8.8.8, 8.8.4.4, 198.41.0.4 ... they all respond.
But 1.1.1.1 did not respond.

Thanks for the information.
 
noci (Software Engineer) commented:
DNS is not normally meant to run on TCP (telnet is TCP); that is used only for exceptionally large transfers..., like zone transfers between master & slave. So you need to query using UDP...
Two tools for this: nslookup (although that also tends to look in the hosts file),
and dig (domain internet groper), which only talks with DNS servers.
On normally operating DNS servers TELNET SHOULD FAIL (except between Masters & Slaves).... (within AD it can be different, IDK).

So the right question is: does 1.1.1.1 answer queries...
First, what does traceroute show...:   (i.e. is there a possible path to 1.1.1.1)
1.1.1.1 does answer ping requests.

So the next should work:
dig google.com @1.1.1.1

or this:
nslookup
lserver 1.1.1.1
google.com

 
sglee (Author) commented:
@noci,

So what are you saying? Why did DNS Manager generate an error when I entered 1.1.1.1?
 
noci (Software Engineer) commented:
I do get answers:
$ ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=59 time=7.10 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=59 time=8.22 ms
^C
--- 1.1.1.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 7.101/7.662/8.224/0.568 ms
$ nslookup
> lserver 1.1.1.1
Default server: 1.1.1.1
Address: 1.1.1.1#53
> google.com
Server:         1.1.1.1
Address:        1.1.1.1#53

Non-authoritative answer:
Name:   google.com
Address: 172.217.20.78
Name:   google.com
Address: 2a00:1450:400e:80a::200e
> 
$ dig  dig google.com @1.1.1.1

; <<>> DiG 9.11.2-P1 <<>> google.com @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39378
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1536
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             162     IN      A       172.217.20.78

;; Query time: 8 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: do apr 12 21:27:29 CEST 2018
;; MSG SIZE  rcvd: 55


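The UDP/53 exchange that dig and nslookup perform in the transcripts above, as an added example that is not part of this thread: it builds the A query, sends a single datagram, and parses the reply, checking the transaction id and QR bit before trusting it. `query_udp` needs network access; `SAMPLE_RESPONSE` is a constructed reply carrying the same values as the dig output above and is what the parser is exercised on offline.

```python
import secrets
import socket
import struct

def build_query(name, txn_id):
    """Build a minimal DNS A query with RD set, as dig and nslookup send over UDP/53."""
    header = struct.pack(">HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)   # flags: RD only, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)      # QTYPE=A, QCLASS=IN

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:           # compression pointer (2 bytes) ends the name
            return off + 2
        off += 1 + length

def parse_response(msg, expected_id):
    """Check the header belongs to our query and collect the A records it answers."""
    txn_id, flags, qd, an = struct.unpack(">HHHH", msg[:8])
    if txn_id != expected_id or not flags & 0x8000:     # wrong id or QR bit clear
        raise ValueError("not the response to our query (stale or spoofed)")
    off = 12
    for _ in range(qd):                     # skip the echoed question section
        off = _skip_name(msg, off) + 4
    answers = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((socket.inet_ntoa(msg[off:off + 4]), ttl))
        off += rdlen
    return {"rcode": flags & 0xF, "ra": bool(flags & 0x80), "answers": answers}

def query_udp(server, name, timeout=3.0):
    # Live equivalent of `dig name @server`: one UDP datagram each way, no TCP involved.
    txn_id = secrets.randbelow(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)               # a resolver that silently drops UDP/53 ends up here
        s.sendto(build_query(name, txn_id), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data, txn_id)
# Constructed sample reply (not captured): google.com A 172.217.20.78 TTL 162, as in the dig output above
SAMPLE_ID = 39378
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", SAMPLE_ID, 0x8180, 1, 1, 0, 0)     # QR, RD, RA set
                   + b"\x06google\x03com\x00" + struct.pack(">HH", 1, 1)    # question
                   + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 162, 4) + bytes([172, 217, 20, 78]))
```

A `socket.timeout` from `query_udp` is the UDP equivalent of the timed-out nslookup Mahesh describes, whereas a refused telnet on TCP 53 tells you nothing about whether the resolver works.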
 
sglee (Author) commented:
I do get replies too.
Pinging 1.1.1.1 with 32 bytes of data:
Reply from 1.1.1.1: bytes=32 time=1ms TTL=255
Reply from 1.1.1.1: bytes=32 time=2ms TTL=255
Reply from 1.1.1.1: bytes=32 time=2ms TTL=255
Reply from 1.1.1.1: bytes=32 time=2ms TTL=255

But why doesn't DNS manager find it?
 
noci (Software Engineer) commented:
Can you do a dig or nslookup?.... Those are DNS query & check tools; they do legitimate DNS queries and present the answers.
Dig is best for this.  And traceroute: does it show where it goes? You will need
traceroute -I 1.1.1.1

on Linux systems, and
tracert 1.1.1.1

on Windows.
1.1.1.1 has been used on some sites like "well, nobody in the world uses it and I need a dummy, so let's pick one... 1.1.1.1...."
1 ms is ULTRA short..., like you are sitting IN the DNS server.... For fast network links times should be in the 10s of ms.
 
Mahesh (Architect) commented:
It is possible that 1.1.1.1 is responsive from specific locations and not all locations, unlike Google DNS.

I already tried with nslookup (not just telnet) and all queries timed out after setting up the default name server as 1.1.1.1.

Having said that, if this server is not working for the OP's region, he can't use it.

A successful ping is not a measure of DNS working.
 
noci (Software Engineer) commented:
Agreed,
I am 4 hops away from the nearest 1.1.1.1 instance.. ping time is 6-8 ms on a 100Mbps link and it is about 30-50 km from where I am.
So 1 ms implies a much faster link than that or fewer hops.
On localhost it would be <0.1 ms though, or 1 hop on 2Gbps = <0.5 ms (<20 m).

Some additional info:
ping 100 km, ADSL link, 6 hops = ~10 ms.

Then there is the TTL... here 255... TTL starts from 255 (some systems) or 128 (others) or 64 (mostly);
every router subtracts one.... So 255 means the NEXT hop is the endpoint.
ping can tell how the packets traveled...
Windows:  ping -r 9 1.1.1.1
Linux: ping -R 1.1.1.1
(Not all systems may honour this)...

I still think this 1.1.1.1 is a pseudo interface on the Internet gateway or router used as default gateway.
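The TTL and round-trip reasoning in this comment, as an added example (not from the thread): it parses Windows and Linux ping reply lines, assumes the smallest common initial TTL (64/128/255) at or above the observed value, and flags a reply that crossed zero routers or came back in under 2 ms as likely coming from a device on the local path rather than a distant anycast node. The 2 ms threshold and the initial-TTL table are assumptions; the sample lines are copied from the ping output earlier in this thread.

```python
import re

TIME_RE = re.compile(r"time[=<](\d+(?:\.\d+)?)\s*ms", re.IGNORECASE)   # "time=1ms", "time<1ms", "time=7.10 ms"
TTL_RE = re.compile(r"ttl=(\d+)", re.IGNORECASE)                       # "TTL=255", "ttl=59"
INITIAL_TTLS = (64, 128, 255)   # assumed common starting values: Linux/BSD 64, Windows 128, many routers 255

def parse_ping_replies(text):
    """Extract (rtt_ms, ttl) pairs from Windows or Linux ping reply lines; other lines are ignored."""
    replies = []
    for line in text.splitlines():
        t, l = TIME_RE.search(line), TTL_RE.search(line)
        if t and l:
            replies.append((float(t.group(1)), int(l.group(1))))
    return replies

def estimate_hops(ttl):
    """Assume the smallest common initial TTL >= the observed one; hops = decrements on the way back."""
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    raise ValueError(f"impossible TTL {ttl}")

def assess(text, local_rtt_ms=2.0):
    """Flag replies that look like they come from the local segment rather than a distant anycast node."""
    replies = parse_ping_replies(text)
    if not replies:
        raise ValueError("no ping replies found in input")
    avg_rtt = sum(rtt for rtt, _ in replies) / len(replies)
    initial, hops = estimate_hops(replies[0][1])   # TTL of the first reply; all replies share a path
    return {
        "avg_rtt_ms": round(avg_rtt, 2),
        "initial_ttl": initial,
        "hops": hops,
        "likely_local_responder": hops == 0 or avg_rtt < local_rtt_ms,
    }

# Sample input copied from the replies in this thread (Windows ping from the asker, Linux ping from noci)
WINDOWS_PING = """Pinging 1.1.1.1 with 32 bytes of data:
Reply from 1.1.1.1: bytes=32 time=1ms TTL=255
Reply from 1.1.1.1: bytes=32 time=2ms TTL=255
Reply from 1.1.1.1: bytes=32 time=2ms TTL=255
Reply from 1.1.1.1: bytes=32 time=2ms TTL=255"""
LINUX_PING = """PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=59 time=7.10 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=59 time=8.22 ms"""

if __name__ == "__main__":
    for label, sample in (("asker", WINDOWS_PING), ("noci", LINUX_PING)):
        print(label, assess(sample))
```

The hop estimate is only as good as the initial-TTL assumption, so treat it as a prompt to run the traceroute suggested above, not as proof on its own.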