DNS A records issues

Hi All,

I’m experiencing a really strange issue with my setup. A little bit of background information:

  • My public DNS zone is managed by CF (name servers are melinda & theo)
  • i have added an A record in the CF DNS management dash to point to the public IP of the router
  • i opened/forwarded port 443 only to my internal web service
  • on my router i accept connections only from the Cloudflare servers (https://www.cloudflare.com/ips/)
  • i’m monitoring (tcpdump) my public facing port on the router
  • Universal SSL status is active (Full mode)

The problem is:

  • if the A record is proxied there is no traffic captured at all on the wan interface targeting port 443 (even if i try to telnet or browse it on https). Even if the lockdown policy was incorrect on the router, I should be able to see traffic targeting my router, but there is none. If i try to telnet/browse my public ip on port 443, i can see traffic hitting the interface as we expect (it’s blocked - as it’s not originating from the CF IP ranges)
  • if i turn off the proxy, and try to do the same browsing/telnet; the traffic is hitting the router’s interface

The conclusion is; if i enable the proxy on the mentioned A record, it doesn’t seem to be forwarded to my web service public IP.

Thank you in advance,

That doesnt seem so much to be a DNS issue, but you are rather saying connections from Cloudflare’s proxies never reach your router, whereas non-proxied traffic does reach it (even though it should only be the connection attempt and not actual traffic, as that is blocked).

Is that right?

Yes, correct while the proxy was enabled I couldn’t capture any attempt at all. I tried to switch off then switch on the proxy again; I also recreated the affected record since yesterday.
For some reason now everything is working fine with the proxy enabled (i’m about 24 hours now from the first time I notified the problem) and I didn’t do any configuration changes related to the CF setup.
Not sure if it was a temporary problem on the proxies or I wasn’t patient enough.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.