www.hblibank.com.pk appears to be a CNAME for cw4pg.x.incapdns.net, for which I got three different addresses:
45.60.57.67
149.126.201.194
199.83.128.67
I can’t tell which of these addresses is correct, but to me it seems the issue is not with hblibank.com.pk in this case but rather with the configuration of incapdns.net.
One interesting bit, however, is that Cloudflare does not seem to recognise the address as a CNAME but as a straight A record. @cs-cf, @mnordhoff?
Looks to me like HBL bank is using Incapsula to protect their website, but Cloudflare is unable to make out that it needs to take users to the correct https://www.hblibank.com.pk/Login - not some non-SSL site.
It was timing out a few weeks ago (when using CF DNS). This is the reason I’m not switching over to 1.1.1.1 - and sticking to Google DNS.
Don’t know who needs to fix this - Incapsula or Cloudflare.
Under the theory of “Garbage In, Garbage Out”, I don’t really blame anyone for handling it in any particular way, and I don’t know what the standards say, but maybe 1.1.1.1 should be aligned with those other resolvers.
This is the problem. It seems only Cloudflare has a problem of not being able to handle it. Others in the business (Google, OpenDNS etc.) can all manage it correctly. And, this makes it even more bizarre.
HBL is the largest bank in Pakistan with millions of customers and over $50 billion in assets. Anyone using Cloudflare DNS and HBL would now be scratching their heads, and probably moving back to their ISP’s DNS or Google DNS.
Ohh, for eff’s sake, I still can’t properly read a dig output. I completely missed the bit where it returned two records - I think I thought that output was the resolved CNAME.
That might be true, but that does not change the fact that “Pakistan’s largest bank with millions of customers” can’t get their DNS settings right. The issue here is with that bank and not Cloudflare.
Cloudflare DNS can at least look into why other DNS resolvers work, but CF doesn’t.
HBL’s DNS is set up the wrong way, but the problem is not global. CF just wiping its slate clean won’t help those who want to use your DNS service. Passing the ball around doesn’t win games.
But, then the atmosphere of this thread is condescending, and it would be like beating a dead horse.
I have emailed [email protected] - maybe they’ll look into it. That was the only email address I could find that would probably hit their tech department without being tossed around the office.
This looks like it’s going to be a perpetual issue with the way CF DNS operates, and that this may never be resolved. But, Justin Bieber says to never say never, so yeah?!
See the links posted by myself and @Judge. This is an issue with the bank and as every day passes, will become inaccessible as other services move towards new standards and securing DNS. Google just announced it will be doing so soon and suspect OpenDNS won’t be far behind either.
I don’t find it condescending. I find it to be an act of frustration in dealing with someone else’s mistakes. Someone configures something incorrectly, but it works. As others clean up their act, this misconfiguration comes to light and they (not you, but the organization with the misconfiguration) get all bent out of shape because it no longer works.
Same thing happened with 1.1.1.1, which was misappropriated by many hardware vendors. Now people get mad at Cloudflare because they can’t reach 1.1.1.1.