Add Names in Cloudflare's DNS for 1.1.1.2, 1.0.0.2, 1.1.1.3, 1.0.0.3

Cloudflare provides “family shields” for DNS servers that block malicious and adult content. However, the names for the IP addresses are not entered in Cloudflare’s DNS which makes TLS verification/usage impossible.

I would suggest using the names one.one.one.two for 1.1.1.2 and 1.0.0.2; and one.one.one.three for 1.1.1.3 and 1.0.0.3.

This follows the current scheme of the name one.one.one.one for 1.1.1.1 and 1.0.0.1.

You can use the following domains:

  • security.cloudflare-dns.com for 1.1.1.2 and 1.0.0.2
  • family.cloudflare-dns.com for 1.1.1.3 and 1.0.0.3

These hostnames comply with the DNS-over-TLS and DNS-over-HTTPS standards. You can find more details in Cloudflare’s documentation for 1.1.1.1 for Families.

Unfortunately, this won’t be possible since .two and .three are not registered TLDs.

2 Likes

The names you show do resolve to the correct IP addresses. However, when using NSLOOKUP on the IP addresses, I get NXDOMAIN.

Cloudflare must be missing the PTR records.


My last reply was via an e-mail but the e-mail does not show up in this forum.

The e-mail stated that the names are in Cloudflare’s DNS as follows:

security.cloudflare-dns.com for 1.1.1.2 and 1.0.0.2
family.cloudflare-dns.com for 1.1.1.3 and 1.0.0.3

Using NSLOOKUP, these names do resolve to the correct IP addresses. However, running NSLOOKUP on the IP addresses produces NXDOMAIN.

The PTR records evidently do not exist.

Missing PTR records should not prevent you from using DoT?

1 Like

In addition to the other correct responses here,

“the names for the IP addresses are not entered in Cloudflare’s DNS which makes TLS verification/usage impossible.”

This is incorrect (in bold). If supported by the client, a TLS connection can absolutely be established with only the public IP address (no hostname) when it is a Subject Alt Name (SAN) in a certificate issued by an authority that allows this, like in the certs for 1.1.1.1/2/3. You can verify this with a DoH query (but this also applies to DoT) like the following:

curl -v -H "accept: application/dns-json" "https://1.1.1.2/dns-query?name=cloudflare.com"

Why doesn’t Cloudflare have PTRs associated with 1.1.1.2, 1.0.0.2, 1.1.1.3, and 1.0.0.3?

Because they chose not to implement certain records for the filtered DNS services, just like the HTTPS/SVCB records.

If you have a valid use case that is not achievable by other means, then feel free to make your case to Cloudflare.

1 Like
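
An added example (not code from this thread or from Cloudflare) showing why a missing PTR record does not affect DoT/DoH certificate verification: the client compares the address or name it was configured to dial against the certificate's SAN entries and never performs a reverse lookup. The SAN list below is a constructed sample, not a copy of Cloudflare's real certificate, and `matches_reference` is a hypothetical helper name implementing a simplified form of the matching rule.

```python
import ipaddress

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
# It is NOT Cloudflare's real certificate; the wildcard name is made up.
SAMPLE_CERT = {
    "subjectAltName": (
        ("DNS", "security.cloudflare-dns.com"),
        ("DNS", "*.example-resolver.test"),
        ("IP Address", "1.1.1.2"),
        ("IP Address", "1.0.0.2"),
    )
}


def _dns_match(pattern, host):
    """Case-insensitive label match; '*' may only replace the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def matches_reference(cert, reference):
    """Return True if `reference` (the IP literal or hostname the client was
    configured to dial) is covered by the certificate's SAN list.
    No DNS lookup, forward or reverse, is involved."""
    sans = cert.get("subjectAltName", ())
    try:
        ref_ip = ipaddress.ip_address(reference)
    except ValueError:
        ref_ip = None
    if ref_ip is not None:
        # IP reference: only iPAddress entries count, compared by value.
        # A dNSName entry that merely looks like an IP must not match.
        return any(kind == "IP Address" and ipaddress.ip_address(val) == ref_ip
                   for kind, val in sans)
    # Hostname reference: only dNSName entries count.
    return any(kind == "DNS" and _dns_match(val, reference) for kind, val in sans)


if __name__ == "__main__":
    for ref in ("1.1.1.2", "1.1.1.3", "security.cloudflare-dns.com",
                "family.cloudflare-dns.com"):
        print(f"{ref:32} covered by sample SAN list: {matches_reference(SAMPLE_CERT, ref)}")
```
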
