DNS Resolution Failure: How a 1.1.1.1 Update Accidentally Broke CNAME Record Ordering
By linolevan
Summary
A technical incident analysis of how a routine update to Cloudflare's 1.1.1.1 DNS resolver on January 8, 2026, accidentally altered the order of CNAME records in DNS responses, causing resolution failures for some clients. The issue stemmed from certain DNS implementations expecting CNAME records to appear before all other records, even though most modern software treats record order as irrelevant. The article explores the technical root cause, examines the source code of affected resolvers, and discusses ambiguities in the DNS RFC specifications.
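The failure mode described above, as an added example (not code from 1.1.1.1 or from any affected resolver): a client that follows CNAMEs in a single pass over the answer section loses the address when the CNAME arrives after it, while one that indexes the section first does not. The single-pass logic is an assumed model of an order-dependent client, and all names and addresses are constructed.

```python
# Added illustration. Records are (owner, rtype, rdata) tuples; this is an
# assumed model of client behaviour, not code from any real resolver.
A, CNAME = "A", "CNAME"


def resolve_single_pass(qname, answers):
    """Order-dependent: walk the answer section once, following CNAMEs as met.

    An A record is accepted only if its owner equals the name currently being
    followed, so an address listed before its CNAME is silently dropped.
    """
    current, found = qname.lower(), []
    for owner, rtype, rdata in answers:
        if owner.lower() != current:
            continue
        if rtype == CNAME:
            current = rdata.lower()
        elif rtype == A:
            found.append(rdata)
    return found


def resolve_any_order(qname, answers, max_hops=8):
    """Order-independent: index the whole section, then follow the chain."""
    cnames, addrs = {}, {}
    for owner, rtype, rdata in answers:
        if rtype == CNAME:
            cnames[owner.lower()] = rdata.lower()
        elif rtype == A:
            addrs.setdefault(owner.lower(), []).append(rdata)
    current = qname.lower()
    for _ in range(max_hops):
        if current not in cnames:
            break
        current = cnames[current]
    else:
        return []  # hop budget exhausted: CNAME loop or over-long chain
    return addrs.get(current, [])


# Constructed answer sections using documentation names and addresses.
CNAME_FIRST = [
    ("www.example.com", CNAME, "edge.example.net"),
    ("edge.example.net", A, "192.0.2.10"),
]
CNAME_LAST = list(reversed(CNAME_FIRST))  # same records, CNAME after the A
```
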
Key quotes
While most modern software treats the order of records in DNS responses as irrelevant, we discovered that some implementations expect CNAME records to appear before everything else.
The root cause wasn't an attack or an outage, but a subtle shift in the order of records within our DNS responses.
This post explores the code change that caused the shift, why some implementations expect CNAME records to appear before everything else.
A recent change to 1.1.1.1 accidentally altered the order of CNAME records in DNS responses, breaking resolution for some clients.
This post explores the technical root cause, examines the source code of affected resolvers, and dives into the inherent ambiguities of the DNS RFCs.
