Cloudflare for Teams first setup issues

Testing it from home with my iMac. Set up DNS to 172.64.36.1 & 2 with IPv6 on both Ethernet and wireless, deleted my OpenDNS routings, and shut down DNS Crypt but it’s been 24 hours and I’m still not getting anything on the dashboard. Went through the troubleshooting steps and everything checks out. Should this have been done at my router?

Few options, that you may have tried already:

  1. Have you added the IPv6 address as well in the list of DNS addresses?
  2. Have you put your home IPv4 address in the Gateway UI?
  3. Can you try opening the Terminal.app and then pasting there dig google.com and dig google.com @172.64.36.1?

Yes for IPv6 and yes for my home public IP.

This is what I get when I run the digs.

@Rogers-iMac ~ % dig google.com

; <<>> DiG 9.10.6 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36016
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com. IN A

;; ANSWER SECTION:
google.com. 95 IN A 216.58.192.142

;; Query time: 70 msec
;; SERVER: 172.64.36.1#53(172.64.36.1)
;; WHEN: Sun May 24 15:02:36 EDT 2020
;; MSG SIZE rcvd: 55

@Rogers-iMac ~ % dig google.com @172.64.36.1

; <<>> DiG 9.10.6 <<>> google.com @172.64.36.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37663
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com. IN A

;; ANSWER SECTION:
google.com. 32 IN A 216.58.192.142

;; Query time: 67 msec
;; SERVER: 172.64.36.1#53(172.64.36.1)
;; WHEN: Sun May 24 15:03:39 EDT 2020
;; MSG SIZE rcvd: 55

Ok, you are going to the correct IP.

Either the IPv6 you entered is wrong and that is the preferred method or the IPv4 is wrong, not that many different possibilities.

Check that your IP (the one that shows when you google “my ip”) is IPv4 or that when you do dig -6 google.com the SERVER is the one that’s in the dashboard.

I see 2a06:98c1:54::25de in the Dashboard and in my DNS entries on my Mac and in the dig -6 google.com.

I did notice in the location setup, “The source IPv4 address is not required if you are using IPv6 or DNS over HTTPS.” I’ve got IPv4 and IPv6 in there, might this be the issue?

@Rogers-iMac ~ % dig -6 google.com

; <<>> DiG 9.10.6 <<>> -6 google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33710
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com. IN A

;; ANSWER SECTION:
google.com. 280 IN A 216.58.192.142

;; Query time: 62 msec
;; SERVER: 2a06:98c1:54::25de#53(2a06:98c1:54::25de)
;; WHEN: Sun May 24 15:26:33 EDT 2020
;; MSG SIZE rcvd: 55

Well, no. If you don’t put the IPv4 addresses as DNS resolvers then you don’t need the IPv4, but it’s impossible to create a location without it, I believe. It doesn’t matter if you put in the IP, at most it’s useless.

What did you put as IPv4? Can you share a screenshot? It should be a /32. If IPv6 matches as well as IPv4, try deleting and recreating the location. The policy remains there, it’s not deleted.

I’m gonna try and call also @SamRhea, maybe he can check from the other side. Maybe post the ID of the location (not the most secure thing given that people can use it)?

Deleted and recreated it, dig is following IPv6 right with it.
What do you mean, the ID of the location?

Yes, but it doesn’t seem like a great idea now…

Maybe try a few minutes and check if things work now. We’ll check again in a bit.

Nothing yet. DNS resolves from my Mac with no problems, it just doesn’t show up on the dashboard. I also spun up a Windows 10 VM and changed DNS to Cloudflare.

I’ve got to be missing something.

It seems really strange to me, it should be really easy.

I have an idea, which I hope is not true, try doing dig is-gw.cloudflareresolve.com in the terminal. Check that the server matches Gateway IPs again. (Or possibly do dig is-gw.cloudflareresolve.com @172.64.36.1 to make sure that is correct)

It looks correct. What’s the Windows 10 equivalent of dig? I did a tracert and it resolved on the VM I just spun up.

Maybe I’m approaching this totally wrong, I’m testing out the Cloudflare Gateway product on my home iMac and a Windows 10 VM on the iMac. The VM is on Parallels v15 running in a bridged ethernet configuration with its own IP on my network. My network router is an eero Pro (B010011) using OpenDNS servers 208.67.222.222 & 208.67.220.220. My provider is Xfinity Gigabit Internet.

I know the eero isn’t very customizable, but it’s the only one out of 4 vendors that didn’t interfere with my company’s VPN or any of my clients. Plus, it’s the only one that can send a stable signal through my home in South Florida (Cinderblock, reinforced concrete interiors and exteriors.)

My needs are a fast, reliable, and secure DNS and/or VPN service for my home and home office that also will help me monitor the inbound and outbound network traffic. I’m already using 1.1.1.1 Warp for my iPhone and I like Cloudflare’s ideas and tech.

Thanks,
Roger

@Rogers-iMac ~ % dig is-gw.cloudflareresolve.com

; <<>> DiG 9.10.6 <<>> is-gw.cloudflareresolve.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40040
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;is-gw.cloudflareresolve.com. IN A

;; AUTHORITY SECTION:
cloudflareresolve.com. 0 IN SOA cloudflareresolve.com. dns.cloudflare.com. 2018100101 21600 3600 604800 0

;; Query time: 171 msec
;; SERVER: 172.64.36.1#53(172.64.36.1)
;; WHEN: Mon May 25 11:48:27 EDT 2020
;; MSG SIZE rcvd: 107

@Rogers-iMac ~ % dig is-gw.cloudflareresolve.com

; <<>> DiG 9.10.6 <<>> is-gw.cloudflareresolve.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44362
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;is-gw.cloudflareresolve.com. IN A

;; AUTHORITY SECTION:
cloudflareresolve.com. 0 IN SOA cloudflareresolve.com. dns.cloudflare.com. 2018100101 21600 3600 604800 0

;; Query time: 157 msec
;; SERVER: 172.64.36.1#53(172.64.36.1)
;; WHEN: Mon May 25 11:48:36 EDT 2020
;; MSG SIZE rcvd: 107

@Rogers-iMac ~ % dig is-gw.cloudflareresolve.com @172.64.36.1

; <<>> DiG 9.10.6 <<>> is-gw.cloudflareresolve.com @172.64.36.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19064
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;is-gw.cloudflareresolve.com. IN A

;; AUTHORITY SECTION:
cloudflareresolve.com. 0 IN SOA cloudflareresolve.com. dns.cloudflare.com. 2018100101 21600 3600 604800 0

;; Query time: 149 msec
;; SERVER: 172.64.36.1#53(172.64.36.1)
;; WHEN: Mon May 25 11:48:57 EDT 2020
;; MSG SIZE rcvd: 107

For Windows it’s nslookup example.com 172.64.36.1.

My fear was correct, either your router or your ISP is rewriting the requests from any DNS server to their own. Those should resolve if the request goes to the Gateway IP.

$ dig is-gw.cloudflareresolve.com @172.64.36.1

; <<>> DiG 9.10.6 <<>> is-gw.cloudflareresolve.com @172.64.36.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53584
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;is-gw.cloudflareresolve.com.	IN	A

;; ANSWER SECTION:
is-gw.cloudflareresolve.com. 60	IN	CNAME	target.cloudflareresolve.com.cdn.cloudflare.net.
target.cloudflareresolve.com.cdn.cloudflare.net. 300 IN	A 104.16.224.45
target.cloudflareresolve.com.cdn.cloudflare.net. 300 IN	A 104.16.225.45

;; Query time: 32 msec
;; SERVER: 172.64.36.1#53(172.64.36.1)
;; WHEN: Mon May 25 18:11:07 CEST 2020
;; MSG SIZE  rcvd: 176

You could try also doing dig is-gw.cloudflareresolve.com @1.1.1.1 and dig is-cf.cloudflareresolve.com @1.1.1.1.
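
The check used in this thread, as an added example that is not part of any post: a small parser that reads `dig is-gw.cloudflareresolve.com @172.64.36.1` output and reports whether the name actually resolved. The function names and verdict strings are this example's own, and the two samples are trimmed from the outputs posted above; note that both carry the same SERVER line, so that line alone cannot show where the query really went.

```shell
# Added example; function names and verdict strings are this example's own.
# Reads dig output for is-gw.cloudflareresolve.com on stdin and prints
# "gateway" (name resolved), "intercepted" (reply without an answer for the
# name) or "unknown" (no dig header in the input).
classify_gateway_probe() {
  awk '
    /->>HEADER<<-/ && match($0, /status: [A-Z]+/) {
      status = substr($0, RSTART + 8, RLENGTH - 8)
    }
    /^;; flags:/ && match($0, /ANSWER: [0-9]+/) {
      answers = substr($0, RSTART + 8, RLENGTH - 8) + 0
    }
    /^;; ANSWER SECTION:/ { in_answer = 1; next }
    /^[ \t]*$/            { in_answer = 0 }
    in_answer && $1 == "is-gw.cloudflareresolve.com." { seen = 1 }
    END {
      if (status == "") print "unknown"
      else if (status == "NOERROR" && answers > 0 && seen) print "gateway"
      else print "intercepted"
    }'
}

# Samples trimmed from the two outputs in the thread (same SERVER line in both).
sample_intercepted() {
  cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19064
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; AUTHORITY SECTION:
cloudflareresolve.com. 0 IN SOA cloudflareresolve.com. dns.cloudflare.com. 2018100101 21600 3600 604800 0
;; SERVER: 172.64.36.1#53(172.64.36.1)
EOF
}

sample_gateway() {
  cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53584
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
is-gw.cloudflareresolve.com. 60 IN CNAME target.cloudflareresolve.com.cdn.cloudflare.net.
target.cloudflareresolve.com.cdn.cloudflare.net. 300 IN A 104.16.224.45
;; SERVER: 172.64.36.1#53(172.64.36.1)
EOF
}

# Live use: dig is-gw.cloudflareresolve.com @172.64.36.1 | classify_gateway_probe
echo "$(sample_intercepted | classify_gateway_probe) / $(sample_gateway | classify_gateway_probe)"
```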

Somehow with Xfinity, I am not surprised. How can I tell what DNS server I am being routed to?

Try this: https://www.dnsleaktest.com/

Bingo. Just did a little research and eero intercepts DNS requests if their eero Secure service is turned on. No matter what DNS has been entered, it reroutes it to their stuff. I had to go down several layers in order to turn it completely off.

With it on: 18.189.38.95 ec2-18-189-38-95.us-east-2.compute.amazonaws.com. Amazon.com Columbus, United States

With it off: 108.162.213.84 None Cloudflare Boynton Beach, United States

And I’m seeing traffic. Thanks!

Roger

Happy to see you got it working! :slight_smile: