DNS Resolution Issue (Public Resolver 1.1.1.1)

I’m noticing that Cloudflare’s public DNS (1.1.1.1 / 1.0.0.1) consistently fails to resolve domains under the .ac.ke TLD (Kenyan academic domains). This seems to affect all .ac.ke domains; two of my friends from different networks have reproduced it as well. I don’t represent jkuat.ac.ke, but I’m reporting this since it appears to be a regional DNS resolution issue that might be specific to Cloudflare’s resolver.
https://one.one.one.one/help/#eyJpc0NmIjoiWWVzIiwiaXNEb3QiOiJObyIsImlzRG9oIjoiTm8iLCJyZXNvbHZlcklwLTEuMS4xLjEiOiJZZXMiLCJyZXNvbHZlcklwLTEuMC4wLjEiOiJZZXMiLCJyZXNvbHZlcklwLTI2MDY6NDcwMDo0NzAwOjoxMTExIjoiTm8iLCJyZXNvbHZlcklwLTI2MDY6NDcwMDo0NzAwOjoxMDAxIjoiTm8iLCJkYXRhY2VudGVyTG9jYXRpb24iOiJOQk8iLCJpc1dhcnAiOiJObyIsImlzcE5hbWUiOiJDbG91ZGZsYXJlLCBJbmMuIiwiaXNwQXNuIjoiMTMzMzUifQ==
7 Replies
Non (3w ago)
I can resolve it well with Cloudflare DNS. I guess your network MITMs your DNS request and somehow drops it? Let's try DoH/DoT first.
dig +https @1.1.1.1 jkuat.ac.ke
shirtgpt (OP, 2d ago)
; <<>> DiG 9.18.41 <<>> +https @1.1.1.1 jkuat.ac.ke
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33755
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; EDE: 22 (No Reachable Authority): (at delegation jkuat.ac.ke.)
;; QUESTION SECTION:
;jkuat.ac.ke. IN A

;; Query time: 4023 msec
;; SERVER: 1.1.1.1#443(1.1.1.1) (HTTPS)
;; WHEN: Sun Nov 16 10:02:26 EAT 2025
;; MSG SIZE rcvd: 72
shirtgpt (OP, 2d ago)
This is a different ISP with the same result.
DarkDeviL (2d ago)
> [...] consistently fails to resolve domains under the .ac.ke TLD (Kenyan academic domains).

It doesn't seem that odd. I just did a quick Google for "site:ac.ke", and literally speaking, selecting a somewhat random number of ".ac.ke" domains, they were all using these three name servers:
ns1.kenet.or.ke
ns2.kenet.or.ke
ns3.kenet.or.ke
Somewhat random: choosing one domain, then skipping a few, choosing another one, and so forth.
The extended DNS error code you see, e.g.:
; EDE: 22 (No Reachable Authority): (at delegation jkuat.ac.ke.)
is referring to the fact that Cloudflare were not able to reach (any of) the name servers:
ns1.kenet.or.ke
ns2.kenet.or.ke
ns3.kenet.or.ke
shirtgpt (OP, 2d ago)
I don't know if this might be the issue. According to DNSViz, https://dnsviz.net/d/jkuat.ac.ke/dnssec/ :
ke zone: The server(s) were not responsive to queries over TCP. See RFC 1035, Sec. 4.2. (196.1.4.130)
DarkDeviL (2d ago)
It seems quite consistent that in some countries you're getting that specific EDE error code, whereas in other countries it seems quite inconsistent (e.g. random) whether it works or not.
It looks to me that kenet.or.ke either:
1. Is rate limiting DNS queries to their authoritative servers (from Cloudflare), which is dropping the DNS queries.
2. Cannot cope with the load that their authoritative DNS servers receive (i.e. some sort of "congestion", so that their DNS servers aren't able to respond in time).
I find it strange when people are calling out DNSSEC issues on domains where DNSSEC isn't enabled, but that may just be me. But for the other part, yes, it will be something that needs to be fixed on kenet.or.ke's end.
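The triage this thread walks through (local interception versus the resolver failing to reach the authoritative servers), as an added example that is not part of the original posts: it parses dig output and uses the transport plus the RFC 8914 EDE code to decide which side the failure is on. The function names, the result labels, the constructed UDP sample and the "TLS" transport label for DoT are assumptions of this example.

```python
import re

# RFC 8914 extended DNS error (EDE) codes used for triage (subset).
UPSTREAM_EDE = {22: "No Reachable Authority", 23: "Network Error"}
DNSSEC_EDE = {6: "DNSSEC Bogus", 7: "Signature Expired", 9: "DNSKEY Missing"}

# Lines taken from the dig output posted in the thread (DoH to 1.1.1.1).
THREAD_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 33755
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
; EDE: 22 (No Reachable Authority): (at delegation jkuat.ac.ke.)
;; SERVER: 1.1.1.1#443(1.1.1.1) (HTTPS)
"""

# Constructed sample: a bare SERVFAIL over plain UDP with no EDE option.
PLAIN_UDP = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
"""

def parse_dig(text):
    """Extract rcode, answer count, EDE and transport from dig output."""
    status = re.search(r"status: (\w+)", text)
    answers = re.search(r"ANSWER: (\d+)", text)
    ede = re.search(r"^; EDE: (\d+) \(([^)]*)\)(?:: \((.*)\))?", text, re.M)
    server = re.search(r"^;; SERVER: \S+?#\d+\(.*?\)(?: \((\w+)\))?", text, re.M)
    return {
        "status": status.group(1) if status else None,
        "answers": int(answers.group(1)) if answers else 0,
        "ede_code": int(ede.group(1)) if ede else None,
        "ede_text": ede.group(3) if ede else None,
        "transport": server.group(1) if server else None,
    }

def triage(text):
    """Classify a dig result: local path problem or resolver-side failure."""
    r = parse_dig(text)
    # Over DoH/DoT the reply is authenticated by TLS, so it is the
    # resolver's own verdict and not something injected on the local path.
    encrypted = r["transport"] in ("HTTPS", "TLS")
    if r["status"] == "NOERROR" and r["answers"] > 0:
        return "resolved"
    if r["status"] == "SERVFAIL" and r["ede_code"] in UPSTREAM_EDE:
        return ("resolver-to-authority failure" if encrypted
                else "upstream failure reported; confirm over DoH/DoT")
    if r["status"] == "SERVFAIL" and r["ede_code"] in DNSSEC_EDE:
        return "dnssec validation failure"
    return "unclassified failure" if encrypted else "inconclusive; retry over DoH/DoT"
```

Feed it the text of `dig +https @1.1.1.1 <name>`; a "resolver-to-authority failure" points at the zone's name servers rather than the client's network.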
