Cloudflare Workers and 1.1.1.1

Hi,
I just found out that you can trigger a worker without setting DNS orange cloud’ed.
You just need to make a simple DNS record and point it to 1.1.1.1.

The funny part is that this works with *.example.org too.

May I get banned for using that? I mean it’s a cool feature to use Cloudflare Workers on *.example.org without a business/enterprise plan.

Ah yes - CF will proxy all records regardless of proxied status. I’ve seen some people do this without issue before, but I wouldn’t recommend using something like this for a critical business website since CF could change it at any time (think ‘why am I proxying these requests when it’s grey clouded’). If you’re just playing around on your personal site, though, I wouldn’t be too worried since, if they do break it in the future, you can just change your site to accommodate for that (e.g. putting the worker on another subdomain that is proxied).

2 Likes

Although Cloudflare wrote that all their edge servers are identical OSes and identical processes, and all boxes can do all Cloudflare products, I find it a little bit funny that every NIC in every server they own binds to 1.1.1.1 lol. CF wrote that their nginx processes send a BGP-ish route update to the core router within a couple of seconds if an edge server’s CPU is maxed out or nearing maxed out, and the core router sends all new TCP SYN packets to the next rack server on a different Ethernet link. If the entire POP is overloaded by a DDoS, CF will send a BGP route update to the offending overloaded USA peering ISP saying to only talk to CF in DC, Miami, Chicago, Texas, Seattle, SF, London, Amsterdam, Hong Kong, Sydney, etc., until the Tier 1 ISP runs out of subsea cable capacity from the DDoS attack. Then it’s not CF’s problem anymore, but ATT/Zayo/Verizon would quietly announce “Global MPLS outage, we are working to restore service as fast as possible”. CF might have reasons to partition its ASN or its IP ranges one day if they add more customer services. VPN/VPS/SDWAN/DoD classified metal (extended version of EU/USA/China data privacy laws) and 1.1.1.1 won’t be a generic edge server anymore. Hey, at least if 1.1.1.1 is a Cloudflare worker with a proprietary C++ hash tree DB, you know the worker product is solid :grinning:

Poking around, I find that 1.0.0.1 is the port 80/port 443 IP address for some websites https://bgp.he.net/net/1.0.0.0/24#_dns even though 1.\*.\*.\* was rented to CF “experimentally” by APNIC. It was never allocated, so in theory CF should never use 1.\* IPs for its reverse proxy product, only DNS and DoH resolving, but somehow 1.0.\* is being used for Asian (China only?) reverse proxy customers, but 1.1.\* is DoH/DNS only https://bgp.he.net/net/1.1.1.0/24#_dns Makes no difference as all of CF’s IPs are anycasted. It’s 10-20ms ping no matter which CF IP in CF’s AS I ping.