tplinkdns.org record Authoritative servers misconfigured

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2020-06-16 22:55:14
Model: Archer VR600v  
Hardware Version: V2
Firmware Version: 1.0.0 0.9.1 v0078.0 Build 190128 Rel.40174n

Hello,

We have Cisco Umbrella configured as DNS defense for a few small customers. They do not have static IPs, so we configured your free tplinkdns.org service. Unfortunately, these domains cannot be resolved from the outside.

TPLINKDNS.org domains are only resolved by a few very specific, non-RFC 2181-compliant providers that rely only on glue records (like Google), rather than basing their queries on authoritative data (much more secure; some of those providers being OpenDNS, Quad9 or Cloudflare).

The authorities for all *.tplinkdns.com domains are ns1.tplinkdns.com and ns2.tplinkdns.com. Their "glue" entries at the global gTLD servers are:

ns1.tplinkdns.com.  172800  IN  A   52.204.177.89
ns2.tplinkdns.com.  172800  IN  A   54.87.217.253

These delegate to two nameservers which:

  • Provide a record for ns1.tplinkdns.com with a different IP address than above, 45.229.174.18, which is unresponsive to queries.
  • Fail to provide any records for ns2.tplinkdns.com, despite being delegated as authorities.

OpenDNS and other strict DNS hosts follow RFC 2181 and must rank this authoritative data higher than glue records, even though in this case it causes the delegation to dead-end. Further, RFC 1033 states: "NS records for a domain exist in both the zone that delegates the domain, and in the domain itself".

So the responsibility to correct this misconfiguration lies with TPLINK, which is using an INSECURE CONFIGURATION that could theoretically allow attackers to perform all sorts of opportunistic attacks related to DNS cache poisoning.

This is a security issue that needs to be resolved in the shortest time possible.
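Added example, not part of the original post: a small Python model of the delegation described above. It uses the addresses quoted in the post as constructed sample data (which addresses actually answer queries is an assumption) and shows why a resolver applying RFC 2181 section 5.4.1 ranking dead-ends while a glue-trusting resolver still resolves the zone.

```python
from typing import Dict, Optional, Set

# Parent-side (gTLD) glue for the delegated zone's nameservers (values
# quoted in the post above, used here as constructed sample data).
PARENT_GLUE: Dict[str, str] = {
    "ns1.tplinkdns.com.": "52.204.177.89",
    "ns2.tplinkdns.com.": "54.87.217.253",
}
# What the delegated servers answer authoritatively for their own names.
# None models an authoritative negative answer; a missing key would mean
# the child returned no data at all for that name.
CHILD_AUTH: Dict[str, Optional[str]] = {
    "ns1.tplinkdns.com.": "45.229.174.18",
    "ns2.tplinkdns.com.": None,
}
# Assumption (per the post): the glue addresses answer queries, the
# address the child advertises for ns1 does not.
RESPONSIVE: Set[str] = {"52.204.177.89", "54.87.217.253"}


def address_for(ns: str, strict: bool) -> Optional[str]:
    """Address a resolver would query for nameserver `ns`.

    strict=True follows RFC 2181 s5.4.1: authoritative data from the child
    zone (including an authoritative denial) outranks parent glue.
    strict=False models a resolver that keeps trusting the parent's glue.
    """
    if strict and ns in CHILD_AUTH:
        return CHILD_AUTH[ns]
    return PARENT_GLUE.get(ns)


def usable_servers(strict: bool) -> Set[str]:
    """Nameservers that respond at the address the resolver would pick."""
    return {ns for ns in PARENT_GLUE if address_for(ns, strict) in RESPONSIVE}


def audit() -> Dict[str, str]:
    """One finding per delegated NS: does child data agree with the glue?"""
    findings = {}
    for ns, glue in PARENT_GLUE.items():
        if ns not in CHILD_AUTH:
            findings[ns] = "no authoritative data; resolvers fall back to glue"
        elif CHILD_AUTH[ns] is None:
            findings[ns] = "child denies the name; glue is orphaned"
        elif CHILD_AUTH[ns] != glue:
            findings[ns] = f"glue {glue} differs from authoritative {CHILD_AUTH[ns]}"
        else:
            findings[ns] = "consistent"
    return findings
```

With the constructed data, `usable_servers(strict=False)` returns both nameservers while `usable_servers(strict=True)` returns an empty set, which is the dead-end the post describes; against a real zone the same comparison would be fed from the parent's referral and the child's authoritative answers.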
Re:tplinkdns.org record Authoritative servers misconfigured
2020-06-16 23:03:09
Extra bit: the firmware for this router is still in BETA and an official version has never been released. It displays "CONFIDENTIAL - ONLY FOR TESTS" all over the router, and it's been like this for more than a year now. Just about time this got sorted and a proper release pushed out?