Domain: 2 DNS keys and 4 IP addresses, unable to resolve

It's not my first time with Cloudflare, but I'm stuck on this one.

I set up my server with a custom domain name (not with Cloudflare), added the nameservers to the domain, set up the tunnel, and everything works fine.

I used OpenVAS to scan my domain name and got a lot of results that I know for a fact aren't true on my server, so I dug a little deeper and noticed that in OpenVAS, scanning my domain went to this IP, 188.114.96.7, but for example the SSL Labs test finds 104.21.56.146 and 172.67.152.186.

Using dnschecker, the A record shows different IP addresses in some countries.

On dnsviz(dot)net I checked, and there is more than 1 DNS key.

From my understanding, the OpenVAS scan falls in the category that is using the 188.114.xx.xx IP and is not pointing to my server correctly.
What do I need to do in order to resolve the matter?

Thanks in advance.

These are all Cloudflare IP addresses but Cloudflare does resolve to different addresses in different regions.

The resolution looks all right.

1 Like

I realize they are all Cloudflare IPs, but normally you get one set of IP addresses (2); I'm getting 4.

Furthermore, in OpenVAS, when it scans the 188.114.xx.xx IPs the results are not right at all; it is NOT reaching my machine.

For troubleshooting purposes I tried multiple SSL validation websites, and some of them (the ones stating 188.114.xx.xx) returned errors, whereas on the ones that use 172.67.xx the results are fine.

On dnsviz(dot)net I'm getting this response (never listing 188.114.xx.xx):

No, there is no “normal” number of IP addresses and 188 is typically used for Europe.

So as mentioned, the domain seems to resolve fine. Some ISPs used to have occasional routing issues, but that’s something to discuss with the ISP and should be mostly fixed.

1 Like

DNSSEC is not an issue either as that is not enabled at the registrar in the first place.

1 Like

Ok… so what is your idea/theory behind the mixed results depending on the IP address?

For troubleshooting purposes I tried multiple SSL validation websites, and some of them (the ones stating 188.114.xx.xx) returned errors, whereas on the ones that use 172.67.xx the results are fine.

That’s something that you might have to discuss with the respective sites where you checked that.

The site itself loads fine on that address:

curl -I https://n3m3s1s.pt --connect-to ::188.114.97.0
HTTP/1.1 200 OK
Server: cloudflare

Not exactly the same result…

curl -I https://n3m3s1s.pt --connect-to ::188.114.97.0
HTTP/2 200
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=A0z8Ce1OxRSyaNuS3JiBbIjtyiSFsNzJgAwcRwD3Pi0w%2BcjBn3QFA10OQ7vsgVXdTMpQezMCrfTgyHS1sNptrNAdbCNa0saXNRAgH%2FkDC%2FGNOyDuGh5QVOW6x0CL"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
strict-transport-security: max-age=15552000; includeSubDomains; preload
x-content-type-options: nosniff
server: cloudflare
cf-ray: 859f80ef48d4669b-MAD
alt-svc: h3=":443"; ma=86400

What do you mean? Your output also shows that it works.

1 Like

Your output returned HTTP/1.1, mine HTTP/2; the endpoints are different!

Exactly (like I said multiple times): when using OpenVAS (which checks this IP: 188.114.96.7) for testing, I'm getting a lot of errors like this one:

“SSL/TLS: Report Vulnerable Cipher Suites for HTTPS when the site clearly has a valid and well configured SSL”

(notice which IP is tested)

That's irrelevant, you simply sent an HTTP/2 request. The point is it works.

All right, and as already pointed out you will need to clarify with them what their actual issue is. You can probably ignore it. Cloudflare servers are configured identically, except for specific plans.

If you test the other IP addresses with the same tool, you will have the same warnings.

Resolution and proxying works fine.

1 Like

That's irrelevant, you simply sent an HTTP/2 request. The point is it works.

I ran EXACTLY the same command.

All right, and as already pointed out you will need to clarify with them what their actual issue is. You can probably ignore it. Cloudflare servers are configured identically, except for specific plans.

If you test the other IP addresses with the same tool, you will have the same warnings.

Resolution and proxying works fine.

Tested with MULTIPLE other IDENTICAL setups using Cloudflare; this is the ONLY one that has this issue.
In all other setups I have or have access to, the A records show 2 IP addresses (not 4 or 5) and OpenVAS runs fine without any false positives.

Although I understand it is kind of tricky to demonstrate, trust me when I say this is NOT ok or working as expected.

Your client will simply default to HTTP/2. The point is it loaded fine for me and you. The site loads fine on that IP address.

I am not sure which issue we are discussing in the first place. You referred to incorrect IP addresses and DNSSEC issues, none of which is an issue with your domain.

If your actual concern is that tool printing some warning message, then I am afraid you need to discuss this with the vendor of that tool, as already mentioned. Cloudflare is not involved here, unless you have a side-by-side comparison where there is an SSL issue with one IP address but not another.

1 Like
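The side-by-side comparison the last reply asks for can be made mechanical. This is an added example, not code from the thread: it reuses the thread's `curl -I … --connect-to ::IP` trick to fetch headers from a chosen edge IP, then strips the fields that legitimately differ between requests (protocol version, cf-ray, report-to, nel, alt-svc) before diffing, so that only a genuinely different status or security header counts as a discrepancy. The sample responses and cf-ray values are constructed; the network-dependent `probe_edge` helper is defined but not called.

```shell
#!/bin/sh
# Added example (not from the thread): compare curl -I output from two Cloudflare
# edge IPs after dropping fields that legitimately vary per request or per edge.
# Sample responses below are constructed, modelled on the thread's output.

# Headers that differ per request/edge node and are not evidence of misconfiguration.
VOLATILE='^(cf-ray|report-to|nel|date|alt-svc|set-cookie|expect-ct):'

# probe_edge HOST IP: fetch response headers via one specific edge IP
# (same mechanism as the thread's command). Needs network, so it is not called here.
probe_edge() { curl -sI "https://$1" --connect-to "::$2"; }

# status_code: the numeric status from the status line, whatever the HTTP version.
status_code() { tr -d '\r' | awk '/^HTTP\// { print $2; exit }'; }

# normalize_headers: keep header lines only, lowercase the names (HTTP/1.1 and
# HTTP/2 differ in case), drop volatile headers, sort for a stable comparison.
normalize_headers() {
  tr -d '\r' | awk '/^[A-Za-z0-9-]+:/ {
      i = index($0, ":"); name = tolower(substr($0, 1, i - 1))
      value = substr($0, i + 1); sub(/^[ \t]+/, "", value); print name ": " value }' \
  | grep -Ev "$VOLATILE" | sort
}

# compare_edges FILE_A FILE_B: return 0 when both responses are equivalent after
# normalization, 1 (printing the diff) when the status or a stable header differs.
compare_edges() {
  sa=$(status_code < "$1"); sb=$(status_code < "$2")
  [ "$sa" = "$sb" ] || { echo "status differs: $sa vs $sb"; return 1; }
  d=$(mktemp -d)
  normalize_headers < "$1" > "$d/a"; normalize_headers < "$2" > "$d/b"
  diff "$d/a" "$d/b" && echo "equivalent (status $sa)"; rc=$?
  rm -rf "$d"; return $rc
}

# Constructed samples. edge_a/edge_b mirror the thread: HTTP/1.1 vs HTTP/2, different
# cf-ray, same security headers. edge_c is a constructed real discrepancy (no HSTS).
S=$(mktemp -d)
printf 'HTTP/1.1 200 OK\r\nServer: cloudflare\r\nStrict-Transport-Security: max-age=15552000; includeSubDomains; preload\r\nCF-RAY: 0000000000000001-AMS\r\n' > "$S/edge_a"
printf 'HTTP/2 200\r\nserver: cloudflare\r\nstrict-transport-security: max-age=15552000; includeSubDomains; preload\r\ncf-ray: 0000000000000002-MAD\r\n' > "$S/edge_b"
printf 'HTTP/2 200\r\nserver: cloudflare\r\ncf-ray: 0000000000000003-MAD\r\n' > "$S/edge_c"

compare_edges "$S/edge_a" "$S/edge_b"                                   # equivalent (status 200)
compare_edges "$S/edge_b" "$S/edge_c" || echo "edge_c: genuine difference"
```

With network access, `probe_edge n3m3s1s.pt 188.114.96.7 > a; probe_edge n3m3s1s.pt 172.67.152.186 > b; compare_edges a b` gives the comparison the reply asks for.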

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.