Cloudflare IP or DNS Spoof?

Hi All,

We have strange notifications about a certain IP address since this weekend. The address is 47.57.31.217. We suddenly saw several 443 calls towards this address from several of our servers, because it was related to trafficmanager.net (which is widely used for Azure). Our domain controllers resolved several trafficmanager.net addresses to the 47.57.31.217 address (because our forward traffic goes to 1.1.1.1, so we believe it came from Cloudflare), which is related to Alibaba, Hong Kong. However, when searching the address, we also see that it is or has been related to Cloudflare. Now we are very uncertain if this is wrong routing, or DNS spoofing with malicious intent. We checked everything in our domain controllers and can't find anything bad going on. But perhaps someone from the community can help us out? Thanks!

I’m a bit confused as to what you’re asking - are you asking if 1.1.1.1 is Cloudflare? It’s a DNS resolver, much like 8.8.8.8.

The other two IPs aren’t related to Cloudflare at all.


Hi, we believe this 47.57.31.217 address to be a malicious DNS server. It has ports 53 and 80 open. All of a sudden, over the weekend, much of our *.trafficmanager.net traffic was forwarded over there. So we think that this address somehow was added in the backend pool of perhaps Cloudflare? We would like to know if others have similar experiences?

If I am understanding you correctly, *.trafficmanager.net was resolving to 47.57.31.217 instead of the normal IP? Is that correct?

Hi aksubacct, yes indeed. This IP has nothing to do with Microsoft services (Microsoft verifies). So we believe we were subjected to either DNS poisoning in Cloudflare, or a MITM attack. We also noticed that the forwarding to this IP generally came from Northern Europe, from our DRC DNS servers (which forward DNS calls to 1.1.1.1).
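A defender's way to confirm the symptom described in this thread is to resolve the same names through several independent resolvers and flag both disagreements and answers that fall outside the address ranges the service is expected to use. The script below is an added example, not code from anyone in the thread; it assumes the answers have already been collected out of band (for instance with dig against each resolver), and the hostnames, the 8.8.8.8 answers and the "expected" range are constructed placeholders, with only 1.1.1.1 and 47.57.31.217 taken from the posts.

```python
from ipaddress import ip_address, ip_network

# Constructed sample: resolver -> hostname -> set of A records returned.
# Hostnames and documentation-range addresses are placeholders; only
# 1.1.1.1 and 47.57.31.217 come from the thread.
SAMPLE_ANSWERS = {
    "1.1.1.1": {
        "app.trafficmanager.net": {"47.57.31.217"},
        "web.trafficmanager.net": {"47.57.31.217"},
        "example.com": {"192.0.2.10"},
    },
    "8.8.8.8": {
        "app.trafficmanager.net": {"203.0.113.25"},
        "web.trafficmanager.net": {"203.0.113.26"},
        "example.com": {"192.0.2.10"},
    },
}

# Placeholder for the ranges the service is known to publish; replace with
# the provider's real published prefixes when running this for real.
EXPECTED_RANGES = [ip_network("203.0.113.0/24")]


def find_disagreements(answers):
    """Return {hostname: {resolver: frozenset(ips)}} for every hostname
    where at least two resolvers returned different A records."""
    names = set().union(*(a.keys() for a in answers.values()))
    result = {}
    for name in sorted(names):
        per = {r: frozenset(a[name]) for r, a in answers.items() if name in a}
        if len(set(per.values())) > 1:
            result[name] = per
    return result


def unexpected_answers(answers, expected_ranges, suffix):
    """Return {(resolver, hostname): ip} for names ending in `suffix` whose
    A record lies outside every network in `expected_ranges`."""
    flagged = {}
    for resolver, records in answers.items():
        for name, ips in records.items():
            if not name.endswith(suffix):
                continue
            for ip in ips:
                if not any(ip_address(ip) in net for net in expected_ranges):
                    flagged[(resolver, name)] = ip
    return flagged
```

Feeding the same structure from periodic queries against the internal forwarders and two public resolvers turns this into a simple alert: a name that only one resolver maps to an out-of-range address is the case this thread describes.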
