Cloudflare IP or DNS Spoof?

Hi All,

We have strange notifications about a certain IP address since this weekend. The address is We suddenly saw several 443 calls towards this address from several of our servers, because it was related to (which is widely used for Azure). Our domain controllers resolved several addresses with the address (because our forward traffic is - so we believe it came from Cloudflare), which is related to Alibaba, Hong Kong. However, when searching the address, we also see that it is or has been related to Cloudflare. Now we are very uncertain if this is a wrong routing, or DNS spoofing with malicious intent. We checked everything in our domain controllers and can’t find anything bad going on. But perhaps someone from the community can help us out? Thanks!

I’m a bit confused as to what you’re asking - are you asking if is Cloudflare? It’s a DNS resolver, much like

The other two IPs aren’t related to Cloudflare at all.


Hi, we believe this address to be a malicious DNS server. It has ports 53 and 80 open. All of a sudden, over the weekend, much of our * traffic was forwarded over there. So we think that this address somehow was added in the backend pool of perhaps Cloudflare? We would like to know if others have similar experiences?

If I am understanding you correctly. * was resolving to instead of the normal IP? Is that correct?

Hi aksubacct, yes indeed. This IP has nothing to do with Microsoft services (Microsoft verifies). So we believe we were subjected to either DNS poisoning in Cloudflare, or a MITM attack. We also noticed that the forwarding to this IP generally came from Northern Europe, from our DRC DNS servers (which forward DNS calls to ).
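A defender-side check for the symptom described in this thread (many names under one provider's domain suddenly resolving to a single address outside that provider's published ranges), added here as example code that is not from the thread or from Cloudflare; the log format, domain names and address ranges are constructed placeholders.

```python
# Flag suspicious DNS answers for a monitored domain suffix (constructed example).
# Reports (1) answers outside the prefixes expected for the suffix and
# (2) one address being returned for many distinct names under it.
import ipaddress
from collections import defaultdict

# Assumption: resolver log lines look like "<timestamp> <client> <qname> <answer>".
SAMPLE_LOG = """\
2024-01-06T03:12:01Z 10.0.0.5 login.example-cloud.net 203.0.113.10
2024-01-06T03:12:03Z 10.0.0.5 api.example-cloud.net 203.0.113.22
2024-01-06T03:14:10Z 10.0.0.9 login.example-cloud.net 198.51.100.77
2024-01-06T03:14:11Z 10.0.0.9 api.example-cloud.net 198.51.100.77
2024-01-06T03:14:12Z 10.0.0.12 storage.example-cloud.net 198.51.100.77
2024-01-06T03:15:00Z 10.0.0.12 www.unrelated.example 192.0.2.8
"""

# Assumption: prefixes the monitored suffix is expected to resolve into.
# Placeholder documentation range; in practice load the provider's published list.
EXPECTED = {"example-cloud.net": [ipaddress.ip_network("203.0.113.0/24")]}

def parse_log(text):
    """Return (timestamp, client, qname, answer) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, answer = parts
        records.append((ts, client, qname.lower().rstrip("."), ipaddress.ip_address(answer)))
    return records

def monitored_suffix(qname):
    for suffix in EXPECTED:
        if qname == suffix or qname.endswith("." + suffix):
            return suffix
    return None

def find_anomalies(records, min_names=3):
    """Return (out_of_range, shared): answers outside EXPECTED, and answers
    serving at least min_names distinct monitored names."""
    out_of_range, names_by_answer = [], defaultdict(set)
    for ts, client, qname, answer in records:
        suffix = monitored_suffix(qname)
        if suffix is None:
            continue  # not a name we track
        names_by_answer[(suffix, answer)].add(qname)
        if not any(answer in net for net in EXPECTED[suffix]):
            out_of_range.append((ts, client, qname, str(answer)))
    shared = {str(ip): sorted(names) for (_, ip), names in names_by_answer.items()
              if len(names) >= min_names}
    return out_of_range, shared
```

Run it against your own resolver or DNS debug logs with the provider's real prefix list; a hit in both lists at once is the pattern worth escalating.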
