Cannot have a host1 (a) > ip and hosts2 (cname) > host1

What is the name of the domain?

test.example.com

What is the error number?

81053

What is the error message?

An A, AAAA, or CNAME record with that host already exists

What is the issue you’re encountering?

Cannot have a host1 (a) > ip and hosts2 (cname) > host1

What steps have you taken to resolve the issue?

I wanted to add my servers’ IPs as multiple DNS records under allowed.ips.example.com, so my servers can check these IPs and white\list them for certain internal services.
But while I have s1.example.com defined as an A record pointing to a certain IP, I see I cannot have a CNAME like allowed.ips.example.com pointing to s1.example.com; it says:

An A, AAAA, or CNAME record with that host already exists. For more details, refer to https://developers.cloudflare.com/dns/manage-dns-records/troubleshooting/records-with-same-name/. (Code: 81053)

Is that limitation to avoid redirect loops?

The reason I wanted that as a CNAME is so I don’t need to edit it whenever that final IP changes; s1.example.com is kind of static. But for other IPs I can define multiple A records just fine under the same allowed.ips.example.com.

There must be a way to make this work, something similar to registering another domain like ip-whitelist-mysite.com, but that seems overkill. Can this be done by changing the DNS configuration for the upper host ips.mysite.com? Move that to another DNS provider maybe?
I thought of using TXT records, but their format is kind of harder to read: an unreliable format, with different size limits on different systems, which can cause big problems.
Is there any other DNS record type that can do this maybe?

I’m not quite sure what you are trying to do without the real host names, but I think what you are asking is…

You can have…

s1 A 192.0.2.1
s1 A 192.0.2.2
s1 A 192.0.2.3
allowed.ips CNAME s1.example.com

You can’t have…

s1 A 192.0.2.1
s2 A 192.0.2.2
s3 A 192.0.2.3
allowed.ips CNAME s1.example.com
allowed.ips CNAME s2.example.com
allowed.ips CNAME s3.example.com

You can only have a CNAME for a subdomain when there isn’t already a CNAME, A, AAAA, etc. This is a DNS restriction, not a Cloudflare one.

(Note that allowed.ips is a second-level subdomain so isn’t covered by the Universal SSL certificate).

If I’ve not understood correctly, can you show a screenshot of your DNS records and what you are trying to add?

2 Likes
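As an added example (not code from the thread or from Cloudflare), a small Python check for the rule the answer above describes: a CNAME cannot share an owner name with any other record. The two record sets are the ones shown in the answer, constructed inline as tuples.

```python
# Added example: validate a set of DNS records against the "CNAME must stand
# alone at its owner name" rule (RFC 1912) before submitting them to a provider.
from collections import defaultdict


def find_cname_conflicts(records):
    """records: iterable of (owner name, record type, rdata) tuples.
    Returns the sorted owner names at which a CNAME coexists with any
    other record (A, AAAA, or a second CNAME), i.e. the sets a DNS
    provider will reject."""
    types_by_name = defaultdict(list)
    for name, rtype, _rdata in records:
        types_by_name[name.lower().rstrip(".")].append(rtype.upper())
    return sorted(name for name, types in types_by_name.items()
                  if "CNAME" in types and len(types) > 1)


# Constructed from the "You can have..." set in the answer: one CNAME, alone.
ALLOWED = [
    ("s1", "A", "192.0.2.1"),
    ("s1", "A", "192.0.2.2"),
    ("s1", "A", "192.0.2.3"),
    ("allowed.ips", "CNAME", "s1.example.com"),
]

# Constructed from the "You can't have..." set: three CNAMEs at one name.
NOT_ALLOWED = [
    ("s1", "A", "192.0.2.1"),
    ("s2", "A", "192.0.2.2"),
    ("s3", "A", "192.0.2.3"),
    ("allowed.ips", "CNAME", "s1.example.com"),
    ("allowed.ips", "CNAME", "s2.example.com"),
    ("allowed.ips", "CNAME", "s3.example.com"),
]

if __name__ == "__main__":
    print("allowed set conflicts:", find_cname_conflicts(ALLOWED))
    print("not-allowed set conflicts:", find_cname_conflicts(NOT_ALLOWED))
```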

OK, I think I got it.
So I was trying to define many IPs inside the same DNS hostname my-whitelist.mysite.com, so my servers’ scripts can just read this single DNS record and get many IPs to be white\listed, without me having to edit scripts on my servers whenever I change IPs. I wanted to just edit this DNS record when needed to add IPs.

I was trying to do:

my normal website record:

s1.mysite.com A 123.123.123.123

trying to make a whitelist:

my-whitelist.mysite.com A 234.234.234.234
my-whitelist.mysite.com A 222.222.222.222
my-whitelist.mysite.com CNAME s1.mysite.com <<< not working

So I guess I was trying to break some DNS standards there by having both A records and CNAMEs under the same host name my-whitelist.mysite.com.

Is there another way to do this, no? It would mean including both CNAMEs and A records under the same exact host, or having multiple identical CNAMEs pointing to different hosts.

I am guessing it would be something like round robin with CNAMEs, if I can call it that. Because with A records it works just fine to add different A values for the same host. Which doesn’t fully make sense to me: why not allow multiple CNAMEs too?

IMPORTANT… Whenever I type this (in above posts and so):

whitelist

it is replaced into:

allowlist

I guess the forum is doing that?! Very confusing and irritating! :angry:

1 Like

Correct, see RFC1912.

2 Likes

Doing this via DNS seems to me to be making it way more complicated than it needs to be.
Just have a txt file on your server with your IP addresses in it, and read from that file directly.

I thought a lot about it, made tests, and I ended up using DNS TXT records.

my-whitelist.mysite.com TXT = "s1.mysite.com" "123.123.123.0/16" "s2.mysite.com" "someserver.tld" "2001:0000:130F:0000:0000:09C0:876A:130B" "2001:0002::/48"

Considerations are:

  • over 10 servers need to read the same data and allowlist 10-20 IPs
  • if I do it by fetching a fixed URL on one of my sites, then that can be blocked or rate limited by Cloudflare
  • fetching a URL from a domain hosted on the same machine might return unexpected results
  • it is risky to run server commands based on the contents of a remote URL, mostly because the contents can be a server error and not a list of IPs/hosts
  • also the list is a mix of IPv4, IPv4 classes, IPv6, IPv6 classes and hostnames, so it is not easy to validate in case the remote list returned unexpected results or error(s)
  • overall DNS is a reliable source of information; a remote site can also be just offline in addition to returning an error
  • from a standards point of view, SPF and other authentications are also done by DNS, which are somewhat similar scenarios.

So the DNS TXT record works OK considering all that.
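The last post’s own concern is that the TXT data is a mix of IPv4, CIDR ranges, IPv6 and hostnames, and that an error page instead of a list must never reach the firewall. As an added example (not the poster’s script), here is a Python parser that classifies each TXT string and rejects anything that is not an address, a network or a hostname; the TXT strings are constructed inline from the post so it runs offline, where a real deployment would obtain them from a resolver query for my-whitelist.mysite.com.

```python
# Added example: validate a DNS TXT allowlist before any rule is built from it.
import ipaddress
import re

# Hostname label: letters, digits, hyphen; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify(entry):
    """Return ('ip', obj), ('net', obj) or ('host', str); ValueError if invalid."""
    entry = entry.strip()
    if not entry:
        raise ValueError("empty entry")
    if "/" in entry:
        # strict=False accepts "123.123.123.0/16" from the post and normalises
        # it to 123.123.0.0/16; strict=True would reject host bits being set.
        return ("net", ipaddress.ip_network(entry, strict=False))
    try:
        return ("ip", ipaddress.ip_address(entry))
    except ValueError:
        pass
    labels = entry.rstrip(".").split(".")
    if len(labels) >= 2 and all(_LABEL.match(l) for l in labels) \
            and not labels[-1].isdigit():
        return ("host", entry.rstrip(".").lower())
    raise ValueError(f"not an IP, network or hostname: {entry!r}")


def parse_allowlist(txt_strings):
    """Return (accepted, rejected). A caller should refuse to apply the list
    when rejected is non-empty rather than silently allowlisting a subset."""
    accepted, rejected = [], []
    for s in txt_strings:
        try:
            accepted.append(classify(s))
        except ValueError as exc:
            rejected.append((s, str(exc)))
    return accepted, rejected


def firewall_sources(accepted):
    """Address and network entries as strings; hostnames need resolving first."""
    return [str(obj) for kind, obj in accepted if kind in ("ip", "net")]


# Constructed sample: the TXT strings from the post plus two entries that a
# broken fetch (an error page, a garbage address) could produce.
SAMPLE_TXT = [
    "s1.mysite.com", "123.123.123.0/16", "s2.mysite.com", "someserver.tld",
    "2001:0000:130F:0000:0000:09C0:876A:130B", "2001:0002::/48",
    "<html>502 Bad Gateway</html>", "999.1.1.1",
]
```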
