When resolving for example ‘’ returns:

Non-authoritative answer:

which leads to the old scammers as in the subject. For the same query returns:

Non-authoritative answer:

which looks legit and works. <unserious> Has anyone at Cloudflare installed “DNSAdvantage” on their Windows and infected the the whole DNS service? </unserious> Seriously though - that looks like a glaring security issue, doesn’t it?

Wut? :confused:

1 Like

I take this is something along the “please elaborate more” lines (correct me if I am wrong) so I try rephrase. When having set as DNS on duty and trying to access the site under the name I provided ( - there’s more but this one noticed again recently) I get very correctly a security warning from the browser. Checking details shows that this is due to the old “” playing its MiTM trick. Changing DNS from to solves the problem in the sense that I get the correct site returned. Checking resolving responses from the two servers shows the reason: resolves to a different IP address (presumably correct one) and resolves to an IP address apparently serving the scammers.

dig @ +short

dig @ +short

This site appears to use geolocation in it’s DNS responses. Since doesn’t send client subnet to maintain user privacy it is common to receive different answers from other DNS providers which may send this data. I can’t speak to how or why you received a security warning.

Both those IPs resolve to what look like Akamai based IPs, so perhaps you have a piece of software or plugin which is detecting an issue (incorrectly?)

dig -x +short
dig -x +short

I received it because I was directed to an IP address, which served instead of what was requested through canonical name and therefore CN in the SSL certificate (although valid otherwise) didn’t match. I tried to find authoritative server and I could get only as far as cloudflare. This leads me to suspect that at least one of the entries is “tainted”

OTOH it theoretically might be a hacked server of theirs too, I guess. Do you have a way to verify the IP I gave in my first post?

They would need to validate it, but that IP address returns their certificate when curled…

curl -Iv --resolve
* Added to DNS cache
* Hostname was found in DNS cache
*   Trying
* Connected to ( port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=US; ST=Colorado; L=Denver; O=London Trust Media Incorporated; CN=*
*  start date: Feb  7 23:52:13 2020 GMT
*  expire date: Feb 23 14:15:01 2021 GMT
*  subjectAltName: host "" matched cert's ""
*  issuer: C=US; ST=Arizona; L=Scottsdale;, Inc.; OU=

I see, thank you. Alerted them too.