OpenDNS blocks connection to trycloudflare, used in Cloudflared Tunnels

What is the name of the domain?

DNS Issues

What is the issue you’re encountering

OpenDNS can’t connect to Cloudflared free tunnel

What steps have you taken to resolve the issue?

When spinning up a tunnel with Cloudflared using subdomain.trycloudflare.com, I can connect to it on my PC, but my coworker on Mac cannot. He's using OpenDNS. I can confirm that if he changes DNS to 1.1.1.1 he can connect.

dig spectacular-attempting-bigger-chile.trycloudflare.com

; <<>> DiG 9.10.6 <<>> spectacular-attempting-bigger-chile.trycloudflare.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 8420
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1410
;; QUESTION SECTION:
;spectacular-attempting-bigger-chile.trycloudflare.com. IN A

;; AUTHORITY SECTION:
trycloudflare.com.	1374	IN	SOA	kevin.ns.cloudflare.com. dns.cloudflare.com. 2353366664 10000 2400 604800 1800

;; Query time: 20 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Wed Oct 02 09:03:11 MDT 2024
;; MSG SIZE  rcvd: 142

scutil --dns | grep 'nameserver\['

nameserver[0] : 208.67.222.222
  nameserver[1] : 8.8.8.8
  nameserver[0] : 127.0.0.1
  nameserver[0] : 208.67.222.222
  nameserver[1] : 8.8.8.8

dig @1.1.1.1 spectacular-attempting-bigger-chile.trycloudflare.com

; <<>> DiG 9.10.6 <<>> @1.1.1.1 spectacular-attempting-bigger-chile.trycloudflare.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6378
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;spectacular-attempting-bigger-chile.trycloudflare.com. IN A

;; ANSWER SECTION:
spectacular-attempting-bigger-chile.trycloudflare.com. 300 IN A	104.16.230.132
spectacular-attempting-bigger-chile.trycloudflare.com. 300 IN A	104.16.231.132

;; Query time: 13 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Wed Oct 02 09:05:19 MDT 2024
;; MSG SIZE  rcvd: 114

We can see by comparing the two digs that in the first one, there was a NXDOMAIN error, and in the second it worked:

OpenDNS:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 8420

Cloudflare DNS:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6378

After 10 minutes or so the DNS resolved for him, so it was a matter of timing/DNS propagation.

I was actually able to reproduce this on my own system for the first time. After a couple of minutes it started resolving…

Is it possible to avoid this?

Should be this :point_up:, therefore it could be either the DNS cache at your or his local ISP, or the device's DNS cache itself.

Regular DNS propagation time usually takes up to 24-48 hours to complete.

The DNS changes are fast at Cloudflare, however related to the TTL it might take some minutes to apply and be active.

I am afraid not.
I'd give it a try with a different web browser, clear cache and data, flush the local cache on the device, restart the router, try it out in Incognito Mode (Private Window), use mobile data (4G LTE), or even try with a VPN provider/service.

Regular DNS propagation time usually takes up to 24-48 hours to complete.

I get it, but for disposable temporary tunnelling subdomains this shouldn’t happen, right?

A TTL of 5 min (300 s) is the default for proxied :orange: DNS records, including the CNAME of the created cloudflared tunnels.

Could be it was immediately on 1.1.1.1 DNS, however it took a bit longer on OpenDNS.

It may take longer than 5 minutes for you to actually experience record changes, as your local DNS cache may take longer to update.
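As an added example (not code from the thread, from Cloudflare or from OpenDNS), the following Python script parses the two dig responses quoted earlier in the thread and derives from each how long the answering resolver may keep repeating it. For the NXDOMAIN reply that is the negative-caching TTL of RFC 2308, the smaller of the SOA record's own TTL and its MINIMUM field; for the NOERROR reply it is the 300 s TTL on the A records, matching the proxied-record default discussed above. The two dig texts are embedded as constructed samples, trimmed to the sections the parser reads; the function and field names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed samples: the two dig responses quoted in the thread, trimmed to the
# header, the ANSWER/AUTHORITY sections and the SERVER line that the parser reads.
OPENDNS_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 8420
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;spectacular-attempting-bigger-chile.trycloudflare.com. IN A

;; AUTHORITY SECTION:
trycloudflare.com.\t1374\tIN\tSOA\tkevin.ns.cloudflare.com. dns.cloudflare.com. 2353366664 10000 2400 604800 1800

;; Query time: 20 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
"""

CLOUDFLARE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6378
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
spectacular-attempting-bigger-chile.trycloudflare.com. 300 IN A\t104.16.230.132
spectacular-attempting-bigger-chile.trycloudflare.com. 300 IN A\t104.16.231.132

;; Query time: 13 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
"""


@dataclass
class DigResult:
    server: str
    status: str
    answers: List[Tuple[int, str]]   # (ttl, address) for each A record in ANSWER
    negative_ttl: Optional[int]      # RFC 2308 negative-cache TTL, set for NXDOMAIN


def _sections(text: str) -> dict:
    """Split dig output into its ';; NAME SECTION:' blocks, one token list per record."""
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^;; (\w+) SECTION:", line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif not line.strip():
            current = None                      # a blank line ends the section
        elif current and not line.startswith(";"):
            sections[current].append(line.split())
    return sections


def parse_dig(text: str) -> DigResult:
    status = re.search(r"status: (\w+)", text).group(1)
    server_m = re.search(r";; SERVER: (\S+)", text)
    server = server_m.group(1) if server_m else "unknown"
    secs = _sections(text)
    # Record layout: name ttl class type rdata...
    answers = [(int(f[1]), f[4]) for f in secs.get("ANSWER", []) if len(f) >= 5 and f[3] == "A"]
    negative_ttl = None
    for f in secs.get("AUTHORITY", []):
        if len(f) >= 11 and f[3] == "SOA":
            # RFC 2308 section 5: the NXDOMAIN is cached for min(SOA TTL, SOA MINIMUM).
            negative_ttl = min(int(f[1]), int(f[10]))
    return DigResult(server, status, answers, negative_ttl)


def cache_horizon(r: DigResult) -> int:
    """Seconds for which the resolver that produced this reply may keep repeating it."""
    if r.status == "NXDOMAIN" and r.negative_ttl is not None:
        return r.negative_ttl
    if r.answers:
        return min(ttl for ttl, _ in r.answers)
    return 0


def explain(r: DigResult) -> str:
    if r.status == "NXDOMAIN":
        return (f"{r.server}: NXDOMAIN, which this resolver may repeat for up to "
                f"{cache_horizon(r)} s (min of SOA TTL and SOA MINIMUM)")
    addrs = ", ".join(a for _, a in r.answers)
    return f"{r.server}: {r.status}, {addrs} cached for {cache_horizon(r)} s"


if __name__ == "__main__":
    for sample in (OPENDNS_DIG, CLOUDFLARE_DIG):
        print(explain(parse_dig(sample)))
```

The 1374 s on the SOA line is a TTL that is already counting down from the zone's value, so the SOA itself was already in OpenDNS's cache when the name was first asked for before the tunnel record existed; that NXDOMAIN can then be served for up to about 23 minutes, which is consistent with the "10 minutes or so" observed. Listing 1.1.1.1 as a second resolver does not help for the same reason: a stub resolver only falls through to the next server when the first one fails to respond, and NXDOMAIN is a response.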

Got it, can I get around it for *.trycloudflare.com, or are subdomains always bound to these DNS rules?

I also considered requiring 1.1.1.1 as a fallback DNS, but that still didn’t resolve it. I had to set it as the primary DNS.

Maybe OpenDNS should be manually triggered to flush the cache and reconsider the new subdomain? :thinking:

I also started having the same problem on my machine, and I'm using Starlink/Google DNS.

Google has a similar tool:

Cloudflare has it as well:

It might be multiple things, however I remember that at school I was always on 1.1.1.1/1.0.0.1 on my device. Any changes I'd made for my domains, I'd see immediately, while any other user/device would have to wait up to 30 min to see the new DNS record being propagated.

OpenDNS shouldn't block the connection, however apparently it might not see those changes immediately, therefore the NXDOMAIN error was presented.

On the 1st browser refresh you'd get it, on the 2nd not anymore: DNS cache.

I can confirm that OpenDNS is not blocking, but it does take a couple of minutes for the newly tunnelled connection to be resolved. Even when changing to Cloudflare DNS it might still take a little bit. Is there any way to get around this, like a wildcard on *.trycloudflare.com…?

There’s also the option to use persistent tunnels, but for my use case it would be really good to use temporary ones, if they could resolve fast…

I am afraid that is not possible.

Reading this makes me question your intentions a bit, hopefully not in some harmful or abusive way? :thinking:

Reading this makes me question your intentions a bit, hopefully not in some harmful or abusive way? :thinking:

:sweat_smile: No need to worry. It’s for automated tests using disposable test environments.


Question: Can I use dig to get the IP of the temporary domain directly from Cloudflare and use the domain as my site URL instead of the temporary subdomain?