Ns1.desec.io cannot ping successfully in some areas of China

ns1.desec.io cannot ping successfully in some areas of China (error:timeout)
use this tool to test: ns1.desec.io_在线ping_多地ping_多线路ping_持续ping_网络延迟测试_服务器延迟测试
here are full test datas

Hi cjydev,

Thanks for your message, and welcome to deSEC! :slight_smile:

Unfortunately, we have no influence over Internet routing in China. It may be best to get in touch with your local ISP and make them aware of these routing issues.

Stay secure,
Peter

But ns2.desec.org (157.53.224.1) can respond to success in China. So can according to the analytical DNS IP, only to return to 157.53.224.1 in China?

Good point. We’ll take it up with our datacenter provider. I’ll let you know once I know more.

Thanks,
Peter

Hi,

Here is some new info from tests performed together with our datacenter:

Here, you can see a Chinese host performing a ping, but it seems to fail. (I hope I’m reading this correctly.)

However, only a few seconds apart, we attempted a traceroute (MTR) to the same host, which succeded:

The last step of this traceroute is a connection from the Chinese machine to ns1.desec.io, and a response is received.

From this, one can conclude several things:

  • At least for this host, routing seems to be okay. (If routing is wrong, traceroute does not work.)
  • There must be a different reason for the ping failure. Unfortunately, this can only be investigated within the network in China, so we can’t say more about it.
  • The host in our example shows a successful ping in your screenshot (280ms). In our test, the ping failed. This means that the problem is time-dependent.

In short, it seems like there is a glitch within the Chinese network and/or the test tool that makes it difficult to debug the issue. I am not excluding the possibility of a problem with our network per se; I’m only saying that the test tool at itdog.cn does not produce reliable results, so it is not helpful for debugging.

If you find a reliable way of reproducing the issue, please let us know. We are also happy to talk directly to your provider’s network team if you can provide a contact.

Thanks,
Peter

It seems that desec’s network uses anycast.It allows different servers using same ip.When a dns query comes,the cloest server will first response to reduce query time.So it may help to add servers located in CN or HK,TW,MA to your anycast network.
Best regards,
cjydev