DNS entry IP connection failed on Port 80

Summary: IP 104.21.35.142 is down

Details:
When I resolve my domain name hosted on cloudflare, out of the 2 A record IPs one of them is always down. This causes the browser to timeout if it tries that particular IP, before moving to the next IP and slowing the website.

dig <my_domain_name>.com

; <<>> DiG 9.10.6 <<>> my_domain_name.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13332
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;<my_domain_name>.com.			IN	A

;; ANSWER SECTION:
<my_domain_name>.com.		300	IN	A	172.67.175.186
<my_domain_name>.com.		300	IN	A	104.21.35.142

;; Query time: 214 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jan 20 00:10:43 IST 2022
;; MSG SIZE  rcvd: 72

Out of which 104.21.35.142 is down

:~ root$ ping 104.21.35.142
PING 104.21.35.142 (104.21.35.142): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
^C
--- 104.21.35.142 ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss

:~ root$ ping 172.67.175.186
PING 172.67.175.186 (172.67.175.186): 56 data bytes
64 bytes from 172.67.175.186: icmp_seq=0 ttl=59 time=23.392 ms
64 bytes from 172.67.175.186: icmp_seq=1 ttl=59 time=22.775 ms
^C
--- 172.67.175.186 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 22.775/23.084/23.392/0.309 ms

And when the IP 104.21.35.142 is accessed by the browser, it waits for it to timeout before trying the other one which works.

This can be seen with curl command

:~ root$ curl -v <my_domain_name>.com
* Rebuilt URL to: <my_domain_name>.com/
*   Trying 104.21.35.142...
* TCP_NODELAY set
* Connection failed
* connect to 104.21.35.142 port 80 failed: Operation timed out
*   Trying 172.67.175.186...
* TCP_NODELAY set
* Connected to <my_domain_name>.com (172.67.175.186) port 80 (#0)
> GET / HTTP/1.1
> Host: <my_domain_name>.com
> User-Agent: curl/7.54.0
> Accept: */*
...

<my_domain_name> is not my actual domain name, but is used to mask the actual domain name.

Thank you in advance.

.142 is reachable for me.

Try a traceroute to 104.21.35.142 and compare it to the .186 to see where that request is blocked.

Screen Shot 2022-01-19 at 11.09.20 AM1104×168 17 KB

Thank you for the quick reply. Yes, it seems that the IP is blocked only when accessed from India. I checked the IP in https://tools.keycdn.com/ping

Screen Shot 2022-01-20 at 12.56.51 AM751×813 64.6 KB

And a traceroute done from https://tools.keycdn.com/traceroute shows
From Bangalore server

Start: 2022-01-19T19:29:50+0000
                                   Loss   Snt   Last   Avg  Best  Wrst StDev
  1.|-- ???                       100.0     4    0.0   0.0   0.0   0.0   0.0
  2.|-- 10.66.6.227                0.0%     4    0.3   0.5   0.3   0.8   0.2
  3.|-- 138.197.249.14             0.0%     4    0.3   0.4   0.3   0.6   0.1
  4.|-- 219.65.110.185             0.0%     4    1.1   3.9   1.1  10.5   4.4
  5.|-- ???                       100.0     4    0.0   0.0   0.0   0.0   0.0
  6.|-- 14.141.123.226             0.0%     4    8.7   8.7   8.6   8.9   0.2
  7.|-- ???                       100.0     4    0.0   0.0   0.0   0.0   0.0
  8.|-- ???                       100.0     4    0.0   0.0   0.0   0.0   0.0
  9.|-- 121.240.243.209           75.0%     4   27.4  27.4  27.4  27.4   0.0
 10.|-- ???                       100.0     4    0.0   0.0   0.0   0.0   0.0
 11.|-- 14.141.123.226             0.0%     4   37.8  37.7  37.6  37.8   0.1
 12.|-- ???                       100.0     4    0.0   0.0   0.0   0.0   0.0
 13.|-- ???                       100.0     4    0.0   0.0   0.0   0.0   0.0
 14.|-- 121.240.243.209           75.0%     4   56.1  56.1  56.1  56.1   0.0
 15.|-- ???                       100.0     4    0.0   0.0   0.0   0.0   0.0
 16.|-- 14.141.123.226             0.0%     4   67.0  67.9  66.7  71.2   2.2
 17.|-- ???                       100.0     4    0.0   0.0   0.0   0.0   0.0
 18.|-- ???                       100.0     4    0.0   0.0   0.0   0.0   0.0
 19.|-- 121.240.243.209           75.0%     4   85.0  85.0  85.0  85.0   0.0
 20.|-- ???                       100.0     4    0.0   0.0   0.0   0.0   0.0
 21.|-- 14.141.123.226             0.0%     1   96.0  96.0  96.0  96.0   0.0
 22.|-- ???                       100.0     1    0.0   0.0   0.0   0.0   0.0

and the same for the other IP

Start: 2022-01-19T19:33:13+0000
                                   Loss   Snt   Last   Avg  Best  Wrst StDev
  1.|-- ???                       100.0     4    0.0   0.0   0.0   0.0   0.0
  2.|-- 10.66.7.5                  0.0%     4    0.7   0.6   0.5   0.7   0.1
  3.|-- 138.197.249.14             0.0%     4    0.4   0.5   0.4   0.6   0.1
  4.|-- 219.65.110.185             0.0%     4    1.2   2.5   1.2   3.8   1.5
  5.|-- ???                       100.0     4    0.0   0.0   0.0   0.0   0.0
  6.|-- 14.141.123.226             0.0%     4   11.3  11.8  11.2  12.7   0.7
  7.|-- 180.87.36.165              0.0%     4    7.8   8.0   7.8   8.4   0.3
  8.|-- 180.87.36.41              50.0%     4   57.3  57.2  57.2  57.3   0.1
  9.|-- 180.87.107.0               0.0%     4   61.3  61.3  61.2  61.5   0.1
 10.|-- 120.29.214.10              0.0%     4   57.2  57.5  57.1  58.7   0.8
 11.|-- 172.67.175.186             0.0%     4   40.6  40.8  40.6  41.0   0.2

Is there any configuration that I can do on my Cloudflare dashboard which can ensure the IP in contention is not associated with my domain?

It’s not getting out past Tata. Every IP address on that list is Tata until it hits Cloudflare’s 172 address.

I have noticed this particular IP is provided when the DNS proxy is enabled.
As a stop-gap solution, I have disabled the DNS Proxy for the affected domains which unfortunately causes the DNS to respond with the domain where my ‘pages’ is hosted but resolves faster than a timeout.

Will have to wait till the IP is unblocked.

Thank you very much.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.