[dns-operations] Oddness with Cloudfare authoritative servers

Peter van Dijk peter.van.dijk at powerdns.com
Thu Sep 23 13:25:00 UTC 2021

On Wed, 2021-09-22 at 20:13 -0400, Warren Kumari wrote:
> Oh, testing now gives a different / working result:
> $ curl -v https://www.deltamath.com --connect-to deltamath.com:443: 2>&1 | grep "HTTP/2 200"

This one sends a Server Name Indication of www.deltamath.com (like with
'openssl s_client -connect -servername deltapath.com').

> > Yes, is a CF address, but it was being returned for deltamath.com.
> > Doing a GET / over TLS with the host set to deltamath.com  was giving a 403 Forbidden:
> > HTTP/1.1 403 Forbidden

This one is reproducible by not sending an SNI (like with 'openssl
s_client -connect').

As far as I can tell -right now-, the IP is entirely valid for the
site, as long as the client sends the correct SNI and Host header
(which web browsers do!).

Kind regards,
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

More information about the dns-operations mailing list