DNS ARGO Error 1000

[DNS] [ARGO] [LOADBALANCER]

  1. This is the opposite of an answer because it is written without knowledge of ARGO
    Fixing Error 1000 - DNS points to prohibited IP

  2. Good Afternoon,

On a previously working load balancer I now see Error 1000 for all requests to a valid URI.

A request to loadbalancer https://api.duigco.org/urandomapi.php?api returns Error 1000

A request to Argo tunnel cname https://api.willtech.net.au/urandomapi.php?api works correctly.

If you will please assist.

Someone on another chat mentioned you may wish to know why this type of configuration is normal. In the case I supply hosting and use Argo to put the server online the client only requires to cname their domain. If they happen to be with Cloudflare then this MUST work, it is the most basic sensible arrangement in which this must work.

In another use case anyone can cname anything, it is not internal. This seems like it is an issue with Cloudflare routing not user configuration.


What you should do is boxed in a black marker, and as the error says you have a problem with your A name record that you need to fix

Hello, I could not have been any clearer. The website is connected with

ARGO

WHAT THAT MEANS IS THAT CLOUDFLARE ASSIGNS THE IP ADDRESS, THE ONLY REAL IP ADDRESS IS INSIDE THE CLOUDFLARE NETWORK! Everything else connects to that with cname.

As for api.duigco.org, that is a Cloudflare LOADBALANCER! It resolves to whatever Cloudflare decides and forwards connections, in the case of this Loadbalancer, to the Argo connected server.

Just in case you don’t know the product, Argo is Cloudflare and it is a Cloudflare Loadbalancer.

Cloudflare Tunnel (not called Argo Tunnel any more and I’m still trying to get used to that) to a Load Balancer is definitely a niche use and it’s beyond me. I suppose if I sat down in a quiet place for a while, I could make sense of it.

Or is the load balancer in front of the Tunnel and points to the tunnel CNAMEs? You may have sort of explained this and my eyes glazed over.

If the thread posted below by eva2000 doesn’t help, open a ticket. You can email them: support AT cloudflare DOT com and then post the ticket # as soon as you get an autoreply. I’ll escalate as soon as I see your message. Though Escalations generally get looked at on weekdays.

Heck, I’ll ping the @MVP group, as one of them online this weekend may know what this setup is supposed to look like.

sounds like same issue @jon44 had

see


I do not have any references apart from yours for the name change and I will work through the additional links from the post after yours. The tunnel is a VPN to get your server inside the internet on the Cloudflare network rather than getting your laptop on inside your office.

php.willtech.net.au is the AAAAA record created by the tunnel. api.willtech.net.au is the domain name in use; future changes to hosting will result in api.willtech.net.au being the tunnel directly without cname.

[fedora ~]$ dig php.willtech.net.au

; <<>> DiG 9.16.21-RH <<>> php.willtech.net.au
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24594
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;php.willtech.net.au.		IN	A

;; ANSWER SECTION:
php.willtech.net.au.	300	IN	A	172.66.43.51
php.willtech.net.au.	300	IN	A	172.66.40.205

;; Query time: 74 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sun Oct 17 21:33:15 AEDT 2021
;; MSG SIZE  rcvd: 80

[fedora ~]$ dig api.willtech.net.au

; <<>> DiG 9.16.21-RH <<>> api.willtech.net.au
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27977
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;api.willtech.net.au.		IN	A

;; ANSWER SECTION:
api.willtech.net.au.	300	IN	A	172.66.40.205
api.willtech.net.au.	300	IN	A	172.66.43.51

;; Query time: 25 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sun Oct 17 21:36:13 AEDT 2021
;; MSG SIZE  rcvd: 80

As you can see Cloudflare uses cname flattening internally to save recursive lookups even using nslookup instead of dig.

[fedora ~]$ nslookup
> server 1.1.1.1
Default server: 1.1.1.1
Address: 1.1.1.1#53
> api.willtech.net.au
Server:		1.1.1.1
Address:	1.1.1.1#53

Non-authoritative answer:
Name:	api.willtech.net.au
Address: 172.66.40.205
Name:	api.willtech.net.au
Address: 172.66.43.51
Name:	api.willtech.net.au
Address: 2606:4700:3108::ac42:28cd
Name:	api.willtech.net.au
Address: 2606:4700:3108::ac42:2b33
> 

So far this continues to work as it has.

The Loadbalancer was working for several weeks. I can only presume Cloudflare has had a network engineer forget about how their product works and the Loadbalancer now detects that the tunnel is inside Cloudflare, which it is, and prevents connections. You can see nslookup for api.duigco.org returns much the same response as the former.

api.duigco.org +-> api.willtech.net.au
               +-> apiutility.willtech.net.au
               +-> api.exampledomain.com

Since I have observed the problem I have only had api.willtech.net.au online.

> api.duigco.org
Server:		1.1.1.1
Address:	1.1.1.1#53

Non-authoritative answer:
Name:	api.duigco.org
Address: 172.67.174.51
Name:	api.duigco.org
Address: 104.21.30.242
Name:	api.duigco.org
Address: 2606:4700:3032::ac43:ae33
Name:	api.duigco.org
Address: 2606:4700:3032::6815:1ef2
>

However, all responses are now offline with Error 1000 only since whatever has been changed by Cloudflare. Obviously, if an engineer doesn’t know what is going on at Cloudflare there aren’t many answers.

I did, I have mentioned, try to telephone Cloudflare, but the recorded message advised to email, which I did, and was bounced back here to the community forums.

Not interested, but thank you for looking those up; it is not workable infrastructure. I cannot give the Loadbalancer directly the IP address that the tunnel creates with the AAAAA record of the host because it could change at any time the tunnel reconnects, neither can it work without cname or the infrastructure is incomplete.

Marketing infrastructure suggestion: use Argo for the name of the type of tunnel for onlining a service, it is a configurable VPN for dialling a service onto the internet. If Cloudflare wishes to call it Cloudflare Tunnel it is Cloudflare Argo Tunnel. It would be silly to refer to it as a VPN regardless of who provides it even though with programming all of the features could be added.

I see the confusion about the name. It certainly pays to be consistent. In the console, it is called Argo Tunnel but in the help it is called Cloudflare Tunnel.
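
A diagnostic for the situation discussed in this thread, as an added example (not written by any poster or by Cloudflare): it parses dig answer lines and reports which hostnames resolve only to Cloudflare edge addresses. It assumes the "prohibited IP" in the Error 1000 title means such an address; the range list is a subset of what Cloudflare publishes, and origin.example.net with 203.0.113.10 is a constructed entry for contrast.

```python
import ipaddress
import re

# Subset of the ranges Cloudflare publishes at https://www.cloudflare.com/ips/
# (assumption: sufficient for the addresses seen in this thread; load the
# full published list for real use).
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "162.158.0.0/15",
    "2606:4700::/32",
)]

# dig answer line: owner name, TTL, class IN, type A or AAAA, address.
ANSWER_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|AAAA)\s+(\S+)$")


def parse_dig_answers(text):
    """Return (name, address) pairs from A/AAAA answer lines of dig output."""
    pairs = []
    for line in text.splitlines():
        m = ANSWER_RE.match(line.strip())
        if m:  # comment lines and the question line (no TTL) do not match
            name = m.group(1).rstrip(".")
            pairs.append((name, ipaddress.ip_address(m.group(3))))
    return pairs


def is_cloudflare(addr):
    """True when addr falls inside one of the listed Cloudflare ranges."""
    return any(addr in net for net in CLOUDFLARE_NETS)


def origins_behind_proxy(dig_text):
    """Map each hostname to True when every address it returns is Cloudflare's."""
    by_name = {}
    for name, addr in parse_dig_answers(dig_text):
        by_name.setdefault(name, []).append(is_cloudflare(addr))
    return {name: all(flags) for name, flags in by_name.items()}


# Constructed sample: two answer lines as shown in the thread plus one
# invented origin on a documentation address.
SAMPLE = """\
;; QUESTION SECTION:
;api.willtech.net.au.    IN  A

;; ANSWER SECTION:
api.willtech.net.au.  300  IN  A  172.66.40.205
api.willtech.net.au.  300  IN  A  172.66.43.51
origin.example.net.   300  IN  A  203.0.113.10
"""

if __name__ == "__main__":
    for host, proxied in origins_behind_proxy(SAMPLE).items():
        print(f"{host}: {'Cloudflare edge only' if proxied else 'direct address'}")
```

A hostname reported as "Cloudflare edge only" gives a load balancer no origin address of its own to reach, which is worth checking before adding it as a pool member.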