[dns-operations] Oddness with Cloudfare authoritative servers
Peter van Dijk
peter.van.dijk at powerdns.com
Thu Sep 23 13:25:00 UTC 2021
On Wed, 2021-09-22 at 20:13 -0400, Warren Kumari wrote:
> Oh, testing now gives a different / working result:
>
> $ curl -v https://www.deltamath.com --connect-to deltamath.com:443:172.64.80.1 2>&1 | grep "HTTP/2 200"
>
This one sends a Server Name Indication of www.deltamath.com (like with
'openssl s_client -connect 172.64.80.1:443 -servername deltapath.com').
>
> > Yes, 172.64.80.1 is a CF address, but it was being returned for deltamath.com.
> > Doing a GET / over TLS with the host set to deltamath.com was giving a 403 Forbidden:
> > HTTP/1.1 403 Forbidden
This one is reproducible by not sending an SNI (like with 'openssl
s_client -connect 172.64.80.1:443').
As far as I can tell -right now-, the IP is entirely valid for the
site, as long as the client sends the correct SNI and Host header
(which web browsers do!).
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
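
Added example, not part of the original message: the two `openssl s_client` invocations quoted above differ only in whether the ClientHello carries a server_name extension. This Python sketch builds a ClientHello in memory (no network traffic) with and without a server name and parses the extension out of the raw bytes. The function names are assumptions of this example, and the hostname is the one from the thread.

```python
import ssl
import struct


def client_hello_bytes(sni):
    """Handshake bytes of the ClientHello this Python/OpenSSL emits for `sni`."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # lets us pass sni=None; no certificate is received here
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=sni)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: no peer attached, only the first flight is wanted
    raw, hello = outgoing.read(), b""
    while raw:  # strip the 5-byte TLS record headers and join the fragments
        length = struct.unpack_from("!H", raw, 3)[0]
        hello, raw = hello + raw[5:5 + length], raw[5 + length:]
    return hello


def sni_from_client_hello(hello):
    """Return the server_name (RFC 6066) in a ClientHello, or None if absent."""
    if hello[0] != 1:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                      # header, version, random
    pos += 1 + hello[pos]                                 # session_id
    pos += 2 + struct.unpack_from("!H", hello, pos)[0]    # cipher_suites
    pos += 1 + hello[pos]                                 # compression_methods
    end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
        if ext_type == 0:
            # extension body: list_len(2) name_type(1) name_len(2) host_name
            name_len = struct.unpack_from("!H", hello, pos + 7)[0]
            return hello[pos + 9:pos + 9 + name_len].decode("ascii")
        pos += 4 + ext_len
    return None


if __name__ == "__main__":
    for name in ("www.deltamath.com", None):
        print(repr(name), "->", repr(sni_from_client_hello(client_hello_bytes(name))))
```

The same parser can be pointed at a ClientHello extracted from a packet capture to confirm whether a misbehaving client sent a server name at all.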