[dns-operations] Oddness with Cloudfare authoritative servers

Warren Kumari warren at kumari.net
Wed Sep 22 23:42:16 UTC 2021 

On Wed, Sep 22, 2021 at 7:38 PM Ethan Katz-Bassett <ebk2141 at columbia.edu>
wrote:

> Cloudflare in particular is experimenting with returning different IP
> addresses to different queries for all kinds of reasons:
> https://mislove.org/publications/IP-Unbound-SIGCOMM.pdf
>

Yup — but in this case, at least one of the addresses that they returned
gave a 403 Error when connecting and trying to fetch /.

Giving out different addresses is fine, but they should all work :-)

W



>
>
> On Wed, Sep 22, 2021 at 1:29 PM Warren Kumari <warren at kumari.net> wrote:
>
>>
>>
>> On Wed, Sep 22, 2021 at 1:01 PM Brown, William <wbrown at e1b.org> wrote:
>>
>>> We have a school district that is trying to resolve the domain
>>> deltamath.com.  This issue is impacting the classroom use of this
>>> service.
>>>
>>>
>>>
>>> The authoritative servers are tani.ns.cloudflare.com and
>>> jarred.ns.cloudfare.com.  Tani seems to work correctly.  Jarred
>>> however, will return two different results:
>>>
>>>
>>>
>>> Here are the results of four tries within a few seconds:
>>>
>>>
>>>
>>> [wbrown at ns3 ~]$ dig @jarred.ns.cloudflare.com deltamath.com +short
>>>
>>> 172.67.75.10
>>>
>>> 104.26.2.229
>>>
>>> 104.26.3.229
>>>
>>> [wbrown at ns3 ~]$ dig @jarred.ns.cloudflare.com deltamath.com +short
>>>
>>> 104.26.2.229
>>>
>>> 104.26.3.229
>>>
>>> 172.67.75.10
>>>
>>> [wbrown at ns3 ~]$ dig @jarred.ns.cloudflare.com deltamath.com +short
>>>
>>> 172.67.75.10
>>>
>>> 104.26.3.229
>>>
>>> 104.26.2.229
>>>
>>> [wbrown at ns3 ~]$ dig @jarred.ns.cloudflare.com deltamath.com +short
>>>
>>> 172.64.80.1
>>>
>>>
>>>
>>> Is anyone from Cloudflare of the list that can assist with resolving
>>> this?  Anyone have a contact at Cloudflare they can share to get this
>>> resolved for the school district?
>>>
>>
>> I don't really see the problem here -- all of the addresses returned seem
>> to be valid CloudFlare addresses, and (I think) that all of them are
>> answering correctly for deltamath.com.
>> Nameservers routinely answer with different answers to split the load
>> between different VIPS, provide answers which they think are "better" for
>> specific queriers, etc. As long as the servers returned are behaving
>> correctly, CF can return basically whatever they like.
>>
>> Of course, it's entirely possible/likely that I completely misunderstood
>> the issue/question.
>> W
>>
>>
>>
>>
>>
>>>
>>>
>>> --
>>>
>>> William Brown
>>>
>>> WNYRIC/Erie 1 BOCES
>>>
>>> 716-821-7285
>>>
>>>
>>>
>>> SharePoint, Eforms, Email, Spam Filtering Please reach out to
>>> messaging at e1b.org
>>>
>>> Immediate Needs Call our Service Desk at 716-821-7171
>>>
>>>
>>> Confidentiality Notice: This electronic message and any attachments may
>>> contain confidential or privileged information, and is intended only for
>>> the individual or entity identified above as the addressee. If you are not
>>> the addressee (or the employee or agent responsible to deliver it to the
>>> addressee), or if this message has been addressed to you in error, you are
>>> hereby notified that you may not copy, forward, disclose or use any part of
>>> this message or any attachments. Please notify the sender immediately by
>>> return e-mail or telephone and delete this message from your system.
>>> _______________________________________________
>>> dns-operations mailing list
>>> dns-operations at lists.dns-oarc.net
>>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>>>
>>
>>
>> --
>> The computing scientist’s main challenge is not to get confused by the
>> complexities of his own making.
>>   -- E. W. Dijkstra
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>>
>
>
> --
> http://www.columbia.edu/~ebk2141/
>
-- 
Perhaps they really do strive for incomprehensibility in their specs.
After all, when the liturgy was in Latin, the laity knew their place.
-- Michael Padlipsky
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20210922/594a62af/attachment.html>

More information about the dns-operations mailing list