Gateway fails to resolve name

Hi!

We are getting no answer from our gateway location if we try to resolve epdg.epc.drz1.vodafone-ip.de.
In the gateway activity logs we can see the query and the decision allowed by query name.

If we query 1.1.1.1/1.1.1.2 we get the expected answer without problems.

Any ideas what’s going on?

Heino

Hi @heino.niemann1, I can’t reproduce this locally or with an online tool that can quickly query multiple providers and from different locations (including The Netherlands). I also can’t get a response from .2/.3.

I do see several different types of records for vodafone-ip.de. Is epdg.epc.drz1.vodafone-ip.de configured in your authoritative DNS? I don’t see a record for that.

epdg.epc.drz1.vodafone-ip.de is the ePDG of Vodafone Germany.
If we query (dig) other providers like Google, OpenDNS and also Cloudflare 1.1.1.1 we get the expected response.

If we query the name by our Cloudflare Gateway Location IP we get no answer even though the query gets logged as allowed.

I tested resolving the name with this service: DNS Checker - DNS Check Propagation Tool
It seems epdg.epc.drz1.vodafone-ip.de is only resolvable in Germany or from a German IP.

Is there any option in Cloudflare Gateway to specify the geolocation?

The query is logged as allowed since it did not match a policy to block it–in the logs the decision will list “allowed on no policy match.” That’s a little confusing and we’ll look at surfacing the response in the logs as well (we store this but don’t currently surface it in the UI).

To make it easy for customers to receive the best performance, we use AnyCast to route DNS queries to Gateway at the Cloudflare PoP nearest the user instead of using different IP addresses for different PoPs.

OK, and with AnyCast it is not guaranteed that the authoritative DNS gets the request from a German IP.
But why do I always get a correct resolution if I ask 1.1.1.1? Is this just a lucky coincidence?