[dns-operations] Oddness with Cloudfare authoritative servers

Peter van Dijk peter.van.dijk at powerdns.com
Thu Sep 23 13:25:00 UTC 2021


On Wed, 2021-09-22 at 20:13 -0400, Warren Kumari wrote:
> Oh, testing now gives a different / working result:
> 
> $ curl -v https://www.deltamath.com --connect-to deltamath.com:443:172.64.80.1 2>&1 | grep "HTTP/2 200"
> 

This one sends a Server Name Indication of www.deltamath.com (like with
'openssl s_client -connect 172.64.80.1:443 -servername deltapath.com').

> 
> > Yes, 172.64.80.1 is a CF address, but it was being returned for deltamath.com.
> > Doing a GET / over TLS with the host set to deltamath.com  was giving a 403 Forbidden:
> > HTTP/1.1 403 Forbidden

This one is reproducible by not sending an SNI (like with 'openssl
s_client -connect 172.64.80.1:443').

As far as I can tell -right now-, the IP is entirely valid for the
site, as long as the client sends the correct SNI and Host header
(which web browsers do!).

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/



More information about the dns-operations mailing list