DNS Insanity - Cloudflare won't Resolve a CNAME for a domain to our subdomain

We have a domain on the registrar whois.com
softwareforukraine.com which we want directed via a CNAME record
TO our.deadeasyapps.com (which is a Cloudflare PRO account)

First we set up the CNAME on whois.com name servers
MXToolBox showed it was correct and propagated
BUT
Cloudflare gave an Error 1001 - can not resolve DNS because it is trying to
reach a domain on the Cloudflare network

And it was! But Cloudflare apparently said “no way”
Cloudflare DOCs said to put the non-Cloudflare domain on our account.
OK
So we added it to our account,
Changed the name servers to the Cloudflare server for our account.
Set a CNAME record. (we tried both with orange cloud on and off)
MXToolBox said all is good. All is propagated

NOPE
Now we get an error on any browser (proxied or not) saying
“the site can not be reached” !!

Apparently, it is physically impossible to CNAME a domain to ANY
subdomain on a web site “protected” by Cloudflare.

I filed a report with tech support, but I have already spent 6 hours trying to
get this to work. Don’t have 3 days (!) to wait on them, so I am hoping someone here might have some ideas. :grinning:

Thanks

Sid

You appear to have it :orange: right now since a query returns an A record. You also appear to have configured a permanent recursive redirect which has led to an infinite loop.

You can run curl -Ii https://softwareforukraine.com/ to see it in action.


I believe you - been trying it with the cloud on and off.
(now at 7 hours of trying different things)

But we have literally done NOTHING except follow Cloudflare docs
and set up a single solitary CNAME record in the Cloudflare DNS for softwareforukraine.com

NOTHING else, yet you found an infinite loop?
So how did that happen?

I should add we have tried doing the CNAME thing from 3 different registrars
with 3 other domains and ALL of them gave the 1001 error from Cloudflare.
(those we did not bother moving to Cloudflare account)

At about 8 pm I did get CNAME for the ukraine domain to direct to a site we
have hosted outside of Cloudflare, and it resolved just fine (did this from whois servers).

None of it makes any sense

DO NOTE: deadeasyapps.com (the main domain) IS proxied and protected
(orange cloud). When I said we turned cloud on and off, I meant the CNAME record itself

You have configured an HTTP redirect somewhere. It could be in a Cloudflare setting, but it could just as easily be something configured on your origin server. Only you will have the necessary access to track that down.

the main domain has had its setting as is for 2 years.
We just tried this CNAME thing with a brand new name this AM
and haven’t set anything there.

My latest attempt was to CNAME ukraine to a subdomain of deadeasyapps.com that is EMPTY.
Only has a Plesk ‘under construction’ html page (one single page) on that subdomain

softwareforukraine.com still won’t resolve.
that construction page is definitely not doing a redirect.

So we have a CNAME pointing to a subdomain with a simple display page - no website - and it still will not resolve.

I have no clue how that could be.
I am going to try another domain of namecheap using their name servers
and directed it to the ‘empty’ subdomain

It currently resolves to Cloudflare proxy IPs, which means that you have it set to :orange:.

dig softwareforukraine.com 

; <<>> DiG 9.16.38 <<>> @1.1.1.1 softwareforukraine.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29303
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;softwareforukraine.com.                IN      A

;; ANSWER SECTION:
softwareforukraine.com. 300     IN      A       172.66.40.145
softwareforukraine.com. 300     IN      A       172.66.43.111

Sometimes, when you are too close to something, you can wind up fixated on the wrong things. When you have been chasing the same problem for too long, you can easily wind up changing too many things at once, and then lose track of what effects are caused by which changes. It might be best for you to take a break and grab a pen and paper and make some notes that can help you visualize the entire traffic flow that you are hoping to create as well as analyze your current traffic flow.

I do take note - I’m not the tech guy, he’s in the hospital. But after 7 hours that could be true :slight_smile:

but

  1. deadeasyapps.com IS always proxied (orange)

  2. the CNAME record for softwareforukraine.com is NOT orange cloud - it is set to “dns only” and has been for a few hours - since about 10:30 am

I don’t know how you are getting that response, unless it is coming from deadeasyapps.com itself? If you do mxtoolbox on deadeasyapps.com itself you get the exact same IPs etc. (A records)

Except that the DNS query results confirm it cannot be set to :grey: right now. You have no published CNAME for softwareforukraine.com which means that CNAME record has to be :orange: .

dig cname softwareforukraine.com

; <<>> DiG 9.16.38 <<>> @1.1.1.1 cname softwareforukraine.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55982
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;softwareforukraine.com.                IN      CNAME

;; AUTHORITY SECTION:
softwareforukraine.com. 3600    IN      SOA     abby.ns.cloudflare.com. dns.cloudflare.com. 2306803368 10000 2400 604800 3600

;; Query time: 15 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Wed Apr 12 11:11:12 MDT 2023
;; MSG SIZE  rcvd: 110

You can see right in the unedited output I posted that the results are coming from Cloudflare’s public resolvers at 1.1.1.1.

The Cloudflare is broken. Check the screen shot - THAT is how it has been for hours

I have tried various sub domains and got same results, but it has always been grey cloud for cname itself

Show us your assigned Cloudflare nameservers below where you cropped the screen.

Are they Abby and Luke?

dig ns softwareforukraine.com +short
abby.ns.cloudflare.com.
luke.ns.cloudflare.com.

If they are not Abby and Luke, you are not making your changes in the account that controls that domain’s published DNS.

yes they are abby and luke - we have those 2 for about 3 years now

If this has all been about Cloudflare NOT making the changes, it will be a bit upsetting. :slight_smile:


Creation Date: 2023-04-05T15:42:37Z

Since the domain is only a week old, you cannot have had them for more than a week. Your other domains may have had the same pair for longer. I only mention it because it is important to know that nameserver pairs are assigned per domain, not per account. I would hate for that to cause you avoidable issues on a future domain.

I agree that you have some unexpected behavior occurring here. Would you mind sharing your ticket number here so we can include it in an escalation request?

The deadeasyapps domain has been around almost 3 years, and has those name servers. Several of our domains do have abby and luke :grinning:

I assume this : Your request (#2761218)

Is what you need?

I am going to take a break for a bit. We have a couple dozen pissed off customers who have been trying to setup their domains to go to actual sites that we have on subdomains I still have to deal with.

I appreciate the assistance! Thank you :grinning:

Sid


Referencing back to my own statement about focusing on the wrong things, something crossed my mind as I was writing up the details on your scenario. I was so focused on your CNAME not being published as a CNAME, that I ignored that you are working with an apex name.

Because no other names may exist at the same label as a CNAME (DNSSEC material excepted), you cannot disable CNAME flattening on an apex name in Cloudflare. This means that you will have synthetic A and AAAA records published. They will consist of the addresses in the respective A and AAAA records of the canonical name (that is the “target” name in your CNAME record).

With your canonical name set to a proxied hostname, you have created an impossible design.

Without knowing what your deliverable is or how it is intended to work it is hard for me to know for certain, but I am wondering if Cloudflare for SaaS might be a better fit for your project.
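
As an added illustration, not part of any post in this thread: a Python sketch that applies the reasoning above to the two dig answers quoted earlier (trimmed), plus one constructed DNS-only CNAME answer for contrast. The function names, verdict strings and the example.com/example.net sample are assumptions made for this example.

```python
import re

# Trimmed from the two dig answers quoted earlier in this thread.
DIG_A = """\
;; ANSWER SECTION:
softwareforukraine.com. 300     IN      A       172.66.40.145
softwareforukraine.com. 300     IN      A       172.66.43.111
"""
DIG_CNAME = """\
;; QUESTION SECTION:
;softwareforukraine.com.                IN      CNAME

;; AUTHORITY SECTION:
softwareforukraine.com. 3600    IN      SOA     abby.ns.cloudflare.com. dns.cloudflare.com. 2306803368 10000 2400 604800 3600
"""
# Constructed sample (not from the thread): a DNS-only CNAME on a subdomain.
DIG_DNS_ONLY = """\
;; ANSWER SECTION:
www.example.com.        300     IN      CNAME   app.example.net.
"""

def parse_sections(text):
    """Map each dig section name to its (owner, ttl, type, rdata) records."""
    sections, current = {}, None
    for line in text.splitlines():
        header = re.match(r";; (\w+) SECTION:", line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif not line.strip():
            current = None          # a blank line ends the section
        elif current and not line.startswith(";"):
            owner, ttl, _cls, rtype, rdata = line.split(None, 4)
            sections[current].append((owner, int(ttl), rtype, rdata))
    return sections

def classify(a_output, cname_output):
    """Decide what the zone publishes for a name from its A and CNAME answers."""
    a_types = {r[2] for r in parse_sections(a_output).get("ANSWER", [])}
    cname = parse_sections(cname_output)
    cname_types = {r[2] for r in cname.get("ANSWER", [])}
    soa_only = any(r[2] == "SOA" for r in cname.get("AUTHORITY", []))
    if "CNAME" in a_types | cname_types:
        return "cname-published"        # DNS-only CNAME visible to resolvers
    if "A" in a_types and soa_only:
        return "addresses-only"         # proxied or flattened: no CNAME served
    return "inconclusive"
```

The "addresses-only" verdict cannot tell an orange-cloud record from a flattened apex CNAME, since both publish only addresses and answer a CNAME query with nothing but the SOA.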

I am getting the sinking feeling Cloudflare can no longer be used.

We have a main domain deadeasyapps.com which is our main site, (DEA for short)

As part of their membership, DEA members (we call them sitemasters)
get an independent WordPress membership site
built on a subdomain of DEA (they choose the subdomain name),
such as our.deadeasyapps.com or skidmark.deadeasyapps.com

They get to USE (we still own the sites) those sites
to install and use software WE create
onto those subdomains sites.

They ALSO get to charge people to become members of their subdomain site and use the software on the site.
(Their members pay them not us)

ALL The software is web apps of various kinds.
So EACH SUBDOMAIN is itself like an independent SaaS - they have web apps that members pay to access and use.

Our management software for maintaining, updating, etc, all these subdomain sites, REQUIRES the sites to be on subdomains.

It does NOT work with WordPress “multi-site” or installations on “separate” TLD domains

Naturally, our members (we call them sitemasters) want to refer to their “SaaS” site by a TLD domain name.

That requires a CNAME (or maybe an Alias record?)

It sounds to me like you are saying it is IMPOSSIBLE for our sitemasters to assign a CNAME (ie, a domain name) to these subdomains? Because they are their own full blown WP sites with SaaS

Sid

I am not saying that is impossible. It just doesn’t look like the way the custom names are handled is a viable method. I did request an escalation on your ticket. It sounds like your use case might be compatible with Cloudflare for SaaS which has some different capabilities than simply creating CNAMEs.

BTW: SOME of our people, like sagapromotions.com have NO trouble connecting and resolving!

I HOPE you are right. I thought we talked to CF about SaaS, but since DEA is NOT the SaaS and the sites are themselves full blown WP membership sites, they didn’t know how it fit.

But I’d have to go to the hospital and ask Joe to know for sure if we did :grinning:

Sid

sagapromotions.com does not use Cloudflare or a CNAME. :smile:

While I have run a reasonable amount of WordPress sites, I have never configured one to respond on more than one domain or hostname. That leaves me without any immediate design solution that I can just pull out of my head to share with you. :wink: