[dns-operations] Oddness with Cloudfare authoritative servers

Warren Kumari warren at kumari.net
Thu Sep 23 00:13:57 UTC 2021


Oh, testing now gives a different / working result:

$ curl -v https://www.deltamath.com --connect-to deltamath.com:443:172.64.80.1
2>&1 | grep "HTTP/2 200"

So, looks like the issue is likely resolved.
W

On Wed, Sep 22, 2021 at 7:49 PM Warren Kumari <warren at kumari.net> wrote:

>
>
> On Wed, Sep 22, 2021 at 7:26 PM Adam David <adam.vallee at gmail.com> wrote:
>
>> This does not seem to be a DNS resolution/misconfiguration issue on
>> Cloudflare's end.
>>
>> https://172.64.80.1/ provides an error message (as it should) indicating
>> it is a CloudFlare IP. If you can't see that in a web browser, then the
>> issue is local to your network.
>>
>
> Yes, 172.64.80.1 is a CF address, but it was being returned for
> deltamath.com.
> Doing a GET / over TLS with the host set to deltamath.com  was giving a
> 403 Forbidden:
> HTTP/1.1 403 Forbidden
> Server: cloudflare
> Date: Wed, 22 Sep 2021 18:44:15 GMT
> Content-Type: text/html
> Content-Length: 151
> Connection: keep-alive
> CF-RAY: 692daefc1ffd542b-YYZ
>
> <html>
> <head><title>403 Forbidden</title></head>
> <body>
> <center><h1>403 Forbidden</h1></center>
> <hr><center>cloudflare</center>
> </body>
> </html>
>
> The other address handed out all worked fine.
> So:
> 1: it is a DNS issue and they shouldn’t have handed out that address for
> that name or
> 2: that machine was borked.
>
> W
>
>
>
>
>
>
>> The main causes that I gather would be:
>>
>> 1. There was a temporary cache propagation issue on CF's network. (Still
>> not a DNS issue.)
>> 2. Your IT department is using 172.0.0.0/9 or possibly even 172.0.0.0/8
>> where they intended to use 172.16.0.0/12 (RFC1918 IP space). This would
>> block access to the netblock belonging to Cloudflare and you would have
>> difficulty accessing thousands of websites.
>>                                  Side Note: 172.64.0.0/13 belongs
>> to AS13335.
>>
>> You should always start with your IT department.
>> If you are a Cloudflare customer, contact them directly.
>> If you are a DeltaMath customer, then you need to contact them directly.
>>
>> Sincerely,
>>
>> Adam Vallee
>>
>>
>>
>> On Wed, Sep 22, 2021 at 4:03 PM Brown, William <wbrown at e1b.org> wrote:
>>
>>> From: dns-operations <dns-operations-bounces at dns-oarc.net> On Behalf Of
>>> Erik Stian Tefre
>>> Sent: Wednesday, September 22, 2021 3:38 PM
>>> To: dns-operations at lists.dns-oarc.net
>>> Subject: Re: [dns-operations] Oddness with Cloudfare authoritative
>>> servers
>>>
>>> > Possibly not a DNS issue at all, but something like this:
>>>
>>> > https://community.cloudflare.com/t/revil-ransomware/301435
>>>
>>> > (Executive summary: One Cloudflare IP being blocked by a firewall
>>> because of a different and misbehaving Cloudflare customer who happened to
>>> serve malicious content from that same IP.)
>>>
>>> > Regards,
>>> > Erik
>>>
>>> Interesting.  The real issue I am experiencing is that I am getting
>>> inconsistent responses from nominally the same authoritative server.  It
>>> just so happens that when we get 172.64.80.1 as the answer it fails.  I
>>> would prefer to get the correct answer so students can use the online
>>> educational resource the district is paying for.
>>> Confidentiality Notice: This electronic message and any attachments may
>>> contain confidential or privileged information, and is intended only for
>>> the individual or entity identified above as the addressee. If you are not
>>> the addressee (or the employee or agent responsible to deliver it to the
>>> addressee), or if this message has been addressed to you in error, you are
>>> hereby notified that you may not copy, forward, disclose or use any part of
>>> this message or any attachments. Please notify the sender immediately by
>>> return e-mail or telephone and delete this message from your system.
>>>
>>> _______________________________________________
>>> dns-operations mailing list
>>> dns-operations at lists.dns-oarc.net
>>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>>>
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>>
> --
> Perhaps they really do strive for incomprehensibility in their specs.
> After all, when the liturgy was in Latin, the laity knew their place.
> -- Michael Padlipsky
>


-- 
The computing scientist’s main challenge is not to get confused by the
complexities of his own making.
  -- E. W. Dijkstra
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20210922/58f411db/attachment-0001.html>


More information about the dns-operations mailing list