[dns-operations] Can Root DNS server modify the response?

Dave Warren dw at thedave.ca
Tue Mar 26 15:31:02 UTC 2019

On Mar 26, 2019, 03:36 -0600, Jeroen Massar <jeroen at massar.ch>, wrote:
> On 2019-03-26 04:06, Dave Warren wrote:
> > On 2019-03-23 16:32, SM wrote:
> > > Hello,
> > > At 07:09 PM 22-03-2019, solvepuzzle at secmail.pro wrote:
> > > > Now the E root and F root are Cloudflare's server, should I
> > > > change my DNS software to lookup other alphabet root server?
> > > >
> > > > Cloudflare's DNS service is censoring so using it as a root DNS
> > > > is really bad news.
> > >
> > > The above question is ambiguous as it might be about the Root Servers or a DNS recursive resolver (
> >
> > Is there any evidence of censorship on Cloudflare's resolver or root servers?
> Unless we get a leaker telling the truth..... one will never know, to easy to avoid any kind of monitoring of the results and SERVFAIL can be that you got censored or that well, there was a packet dropped and something was b0rked for a bit.
> While censorship is one part that could happen, the tracking of people/devices is another... and something can go mostly unnoticed as it is server-side.
> Noting that Mozilla with their firefox is clearly steering towards DoH, "as ISPs are not to be trusted" (but a big hoster with a bunch of criminal/DoS-booter websites is?) and they are per-default selecting a certain provider that is outside of non-US jurisdiction even though serving customers around the world...
> And now, they have added themselves in the mix of playing root server (with or without telemetry that mixes into other 'products').
> Commercialization of the Internet is the question there... at least your local (sometimes monopolistic) ISP is the one you pay, but in the case of this situation you do not have any actual agreement with them...
> The fun of the worlds....
> In the end: unless one is there and actually has typed the command, outsiders will never know what really happens with the queries unfortunately.
> Thus even what I type above is purely FUD in a way, as I cannot know.
> Would be really cool if we had a framework that gave us some kind of assurance though.

tl;dr: there is no evidence or even hint that Cloudflare is actively censoring anything on either their public resolver or root servers?

Cloudflare claims they don’t censor/alter/modify responses, they have performed well and reliably in my own testing. Detecting censorship at the DNS level isn’t especially difficult for any user who has access to other DNS servers and at the root level such can be proven by way of DNSSEC.

Sure, a single SERVFAIL could be transient or intentional, but you can simply try again until you build up some evidence. I’m aware of one domain which does not resolve on and has no obvious technical reason why not, it was reported to Cloudflare and they report that the authoritative servers are simply not answering queries from their IP space. As the owner/operator of the site seemed to have no interest in fixing the issue I can only conclude that Cloudflare is correct in their diagnosis. This is the only case where I have seen Cloudflare fail to resolve a domain for anything other than obvious technical issues which I can reproduce from my own resolver.

I share your concerns about too much centralization and the potential for data collection for commercialization, but that is another topic entirely from outright censorship, and from a end-user-facing public resolver standpoint I’m happy to see more competition rather than less in this space.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.dns-oarc.net/pipermail/dns-operations/attachments/20190326/b459f088/attachment.html>

More information about the dns-operations mailing list