[dns-operations] Oddness with Cloudfare authoritative servers

Erik Stian Tefre erik at tefre.com
Wed Sep 22 19:37:47 UTC 2021


On 2021-09-22 19:28, Warren Kumari wrote:
> On Wed, Sep 22, 2021 at 1:01 PM Brown, William <wbrown at e1b.org> wrote:
>> We have a school district that is trying to resolve the domain
>> deltamath.com [1].  This issue is impacting the classroom use of
>> this service.
>> 
>> The authoritative servers are tani.ns.cloudflare.com [2] and
>> jarred.ns.cloudfare.com [3].  Tani seems to work correctly.  Jarred
>> however, will return two different results:
>> 
>> Here are the results of four tries within a few seconds:
>> 
>> [wbrown at ns3 ~]$ dig @jarred.ns.cloudflare.com [4] deltamath.com [1]
>> +short
>> 172.67.75.10
>> 104.26.2.229
>> 104.26.3.229
>> 
>> [wbrown at ns3 ~]$ dig @jarred.ns.cloudflare.com [4] deltamath.com [1]
>> +short
>> 104.26.2.229
>> 104.26.3.229
>> 172.67.75.10
>> 
>> [wbrown at ns3 ~]$ dig @jarred.ns.cloudflare.com [4] deltamath.com [1]
>> +short
>> 172.67.75.10
>> 104.26.3.229
>> 104.26.2.229
>> 
>> [wbrown at ns3 ~]$ dig @jarred.ns.cloudflare.com [4] deltamath.com [1]
>> +short
>> 172.64.80.1
>> 
>> Is anyone from Cloudflare of the list that can assist with resolving
>> this?  Anyone have a contact at Cloudflare they can share to get
>> this resolved for the school district?
> 
> I don't really see the problem here -- all of the addresses returned
> seem to be valid CloudFlare addresses, and (I think) that all of them
> are answering correctly for deltamath.com [1].
> Nameservers routinely answer with different answers to split the load
> between different VIPS, provide answers which they think are "better"
> for specific queriers, etc. As long as the servers returned are
> behaving correctly, CF can return basically whatever they like.
> 
> Of course, it's entirely possible/likely that I completely
> misunderstood the issue/question.
> W

Possibly not a DNS issue at all, but something like this:

https://community.cloudflare.com/t/revil-ransomware/301435

(Executive summary: One Cloudflare IP being blocked by a firewall 
because of a different and misbehaving Cloudflare customer who happened 
to serve malicious content from that same IP.)

Regards,
Erik


More information about the dns-operations mailing list