Cloudflare registered domain nameserver wrong IP addresses

What is the name of the domain?

What is the issue you’re encountering

The domain visiba.com is registered with Cloudflare and uses the Cloudflare nameservers. We have set up DNS records for ns31 and ns32 to point to the correct server IP addresses. Another domain labcompass.com is using the ns31 and ns32 nameservers, but somehow the wrong (read: previous) IP addresses of ns31 and ns32 are returned. All other domains using ns31 and ns32 are correct though.

What steps have you taken to resolve the issue?

  • Verified the DNS zone of the domain
  • Contacted cPanel support
  • Contacted the domain registrar

What feature, service or problem is this related to?

DNS records

What are the steps to reproduce the issue?

Check:
https://intodns.com/labcompass.com

Wrong IP addresses are returned.
Correct IPs are:
ns31 = 107.173.236.146
ns32 = 88.218.76.201

Everything seems to work ok. If the wrong IP address is returned for labcompass.com (not on Cloudflare) you’ll need to check in your two nameservers.

dig +short ns31.visiba.com
107.173.236.146

dig +short ns32.visiba.com
88.218.76.201

dig +trace +nodnssec labcompass.com

; <<>> DiG 9.10.6 <<>> +trace +nodnssec labcompass.com
;; global options: +cmd
.			511729	IN	NS	a.root-servers.net.
....
.			511729	IN	NS	m.root-servers.net.
;; Received 239 bytes from 127.0.2.2#53(127.0.2.2) in 0 ms

com.			172800	IN	NS	j.gtld-servers.net.
....
com.			172800	IN	NS	m.gtld-servers.net.
;; Received 839 bytes from 2001:7fd::1#53(k.root-servers.net) in 66 ms

labcompass.com.		172800	IN	NS	ns31.visiba.com.
labcompass.com.		172800	IN	NS	ns32.visiba.com.
;; Received 120 bytes from 2001:503:83eb::30#53(c.gtld-servers.net) in 24 ms

labcompass.com.		14400	IN	A	94.237.44.28
;; Received 59 bytes from 107.173.236.146#53(ns31.visiba.com) in 108 ms

Thank you for your reply and investigation.

The domain is difficult to access, as confirmed here:

Also see the errors here:
https://intodns.com/labcompass.com

So I’m really out of options to find out what’s going on here.

Have you recently changed the DNSSEC settings for visiba.com?

DNSSEC is currently enabled for it, and all the public resolvers seem ok…
https://cf.sjr.org.uk/tools/check?01d8aa378bf84a16b739a21eb166082a#resolvers
https://cf.sjr.org.uk/tools/check?d9afb187382d4b0e81d7f9092bd52715#resolvers

No, I haven’t touched DNSSEC in ages.

Those errors all relate to how you have set up the zone for labcompass.com in your 2 nameservers. None of those relate to your Cloudflare settings, those are ok.

The lagging IP addresses may be due to the long TTL at the com root servers…

Nameserver records returned by the parent servers are:

ns31.visiba.com.   ['107.191.109.209']   [TTL=172800] 
ns32.visiba.com.   ['81.4.110.103']   [TTL=172800] 

**a.gtld-servers.net was kind enough to give us that information.** 

Good catch about pointing out to .COM and upon checking further, it appears all the .COM domains that are using ns31 and ns32 seem to have this issue!

TTL says 172800 which is 48 hours but the records have been changed around 4 days ago.

Could it be that the .COM root servers are not able to reach our nameservers?

Sorry to get back to this, but if the .com root servers are not able to pick up the correct IP address of ns31 and ns32, doesn’t that indicate an issue somewhere at Cloudflare?

Looks like the glue records for labcompass.com need updating. You’ll need to ask your registrar.

dig +norec labcompass.com ns @a.gtld-servers.net

; <<>> DiG 9.10.6 <<>> +norec labcompass.com ns @a.gtld-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55366
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;labcompass.com.			IN	NS

;; AUTHORITY SECTION:
labcompass.com.		172800	IN	NS	ns31.visiba.com.
labcompass.com.		172800	IN	NS	ns32.visiba.com.

;; ADDITIONAL SECTION:
ns31.visiba.com.	172800	IN	A	107.191.109.209
ns32.visiba.com.	172800	IN	A	81.4.110.103

;; Query time: 61 msec
;; SERVER: 2001:503:a83e::2:30#53(2001:503:a83e::2:30)
;; WHEN: Mon Jun 24 18:45:23 BST 2024
;; MSG SIZE  rcvd: 120

labcompass does not have glue records. Glue records would mean that nameservers ns1.labcompass and ns2.labcompass.com are registered but that’s not the case here.

We are talking about the nameservers ns31 and ns32 which are managed by Cloudflare.

This information…

…comes from the com zone for labcompass.com

These are glue records. They are not necessary as the nameservers are from a different zone, but they are set in this case.

You can try and force an update by changing the nameservers at the registrar to say ns33 and ns34 (create them in Cloudflare to point to the same IP addresses as ns31 and ns32). Then wait for them to change at the registry, then set them back to ns31 and ns32 and the registrar may reset the IP addresses automatically.

Otherwise you need to ask your registrar to fix it for you, either to remove the glue or update it.

1 Like
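The glue comparison discussed above, written as a repeatable check. This is an added example, not code from anyone in the thread: the function names `glue_records` and `stale_glue` are hypothetical, and the embedded referral and address data are copied from the dig output quoted earlier in the thread.

```shell
#!/bin/sh
# Added example: compare glue in a TLD referral with the nameservers' live A records.

# Referral from a.gtld-servers.net, copied from the dig +norec output in this thread.
# Live use: REFERRAL=$(dig +norec labcompass.com ns @a.gtld-servers.net)
REFERRAL=';; AUTHORITY SECTION:
labcompass.com.		172800	IN	NS	ns31.visiba.com.
labcompass.com.		172800	IN	NS	ns32.visiba.com.

;; ADDITIONAL SECTION:
ns31.visiba.com.	172800	IN	A	107.191.109.209
ns32.visiba.com.	172800	IN	A	81.4.110.103

;; Query time: 61 msec'

# "name ip" pairs from the dig +short lookups of ns31/ns32 in this thread.
CURRENT='ns31.visiba.com. 107.173.236.146
ns32.visiba.com. 88.218.76.201'

# glue_records: read dig output on stdin, print "name ip" for every
# A/AAAA record found in the ADDITIONAL section (the glue).
glue_records() {
    awk '
        /^;; ADDITIONAL SECTION:/ { in_add = 1; next }
        /^;;/ || /^$/             { in_add = 0 }
        in_add && ($4 == "A" || $4 == "AAAA") { print tolower($1), $5 }
    '
}

# stale_glue REFERRAL CURRENT: print one line per glue address that is not
# among the live addresses for that name; return 1 if any were found.
stale_glue() {
    printf '%s\n' "$1" | glue_records | (
        status=0
        while read -r name glue_ip; do
            live_ips=$(printf '%s\n' "$2" | awk -v n="$name" 'tolower($1) == n { print $2 }')
            [ -n "$live_ips" ] || continue   # no live data for this name: skip it
            if ! printf '%s\n' "$live_ips" | grep -qxF -- "$glue_ip"; then
                echo "STALE $name glue=$glue_ip live=$(printf '%s' "$live_ips" | tr '\n' ',')"
                status=1
            fi
        done
        exit "$status"
    )
}

stale_glue "$REFERRAL" "$CURRENT" || echo "glue at the registry differs from live records"
```

Glue is stored per nameserver host at the registry, so a non-zero result here applies to every delegation that names ns31 and ns32, not only labcompass.com.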

Thanks for your suggestion. I’ve set up ns33 and ns34 but the registrar does not accept the new nameservers:

My case seems similar to this one, but I don’t know how it was fixed: Creating child name server

The record for ns34 is proxied, change it to “DNS only”.

dig +short ns34.visiba.com
104.21.11.188
172.67.192.98

Corrected now, but the registrar does not accept them yet. I will try again a bit later.

The TTL for proxied records is 5 minutes so it should work soon, working for me…

dig +short labcompass.com @ns33.visiba.com
94.237.44.28

dig +short labcompass.com @ns34.visiba.com
94.237.44.28

Registrar still not accepting the new nameservers though. Do you still have a test domain to see if they are accepted with your registrar?

Do not try… CF simply does not support creating child name servers. I ended up creating a support ticket, waited a couple of days for the ticket to be escalated to network or upper level, then they “manually” created the nameservers. This took 4-5 days. They also confirmed that it is not possible from the user control panel.
So I transferred my domain to another registrar.

I think as this is .com to .com the nameservers nsX.visiba.com need to be registered. I assume you’d have to raise a Cloudflare registrar ticket for visiba.com for that.

I tried, but they didn’t want to reply as I’m on a free plan. Guess it’s time to move out of Cloudflare.

Hello,

Currently this information below applies to this use case.
