What is this IP address? How to disable sinkhole?

Hi, I have set up two domains almost identically: one about two months ago, one today. The one I set up two months ago works fine. If I ping the domain’s A record, it goes to the IP I set. If I ping an A record that I have not set up, it fails. But with the one I set up today, something weird happened.

First, I can ping all the A records regardless of whether I have set them up or not. And all go to the same IP address: 72.5.65.111. The ping message also says “PING sinkhole.paloaltonetworks.com (72.5.65.111): 56 data bytes”.

And my organization apparently banned this IP and I cannot access my website. I guessed this because another inaccessible website that I happened to come across also points to 72.5.65.111.

Then I recalled that I clicked something called sinkhole or similar when I set up this new domain. I navigated in the settings page for the domain for quite some time and cannot find where to turn that off. Any help would be much appreciated.

Best,
Roden

Not sure how this is Cloudflare related.

Did you have a typo and want to say “not” sure?

I set up the problematic domain in Cloudflare… If I set up an A record that points to a specific IP, why would it go to another IP instead?

And this weird IP has been mentioned here: http://www.thepacketwizard.com/blog/2018/09/07/palo-alto-dns-sinkhole/#:~:text=Palo%20Alto%20send%20these%20DNS,need%20a%20Threat%20Prevention%20License.

That’s precisely what I wanted to say.

What’s the domain in question?

py4e.cs4e.one

Thanks

(Did I misrecognize, or did you edit… that word?)

I edited :wink:

That hostname is proxied, hence it will resolve to the proxy addresses. If you want the actual IP address you will need to make sure its record is set to :grey:.

Thanks. But I don’t think it is this problem. First, all my other domains have been proxied. And I don’t have this problem with those. If I ping those, it’s true that I will not get the target IP address. It will be some intermediate address. The point for the problematic domain is it is saying specifically PING sinkhole.paloaltonetworks.com (72.5.65.111): 56 data bytes. It has the word sinkhole there.

Also, now, it is through :grey:, but still, this problem happens.

How is that hostname related to your domain?

Oh, sorry. I might have mistaken some basic concepts… (internet newbie… )

No worries, hence my original question about the relation to Cloudflare.

paloaltonetworks.com is not on Cloudflare and the IP address you mentioned is the IP address of that hostname, so there shouldn’t be an issue. But it wouldn’t be related to Cloudflare.

Your network admin is likely running a Palo Alto firewall with some kind of DNS categorization feature. That feature has flagged the domain in question to sinkhole it %for reasons%. You will need to determine the cause and remediate it there.

The point is, two of my domains are both pointing to the same cloud provider (different VM size though). So, I got confused. I will check further. Many thanks

Maybe talk to your host or the person responsible for your network, but Cloudflare is not involved here.

Hi again, I believe this is Cloudflare-related. Or somewhere in the middle, I am under attack or something.

I set up a fresh new domain just now on Cloudflare. I accepted all the suggested security, minify, and compression settings. I have not set up anything else yet. If I ping kaustian.com, it says PING sinkhole.paloaltonetworks.com (72.5.65.111): 56 data bytes. If I ping test.kaustian.com or anything else, it says the same. How is that possible…

That address does not resolve at all.

Cloudflare does not control your local DNS resolution, so this is not a Cloudflare issue but something with your local network, I am afraid. As I mentioned, it is probably best to discuss this with your network administrator.

Ah, okay, now I get the problem. It arises from my campus network. Never had this before. Sorry and thanks! (You may also delete this post as it might not help anyone else…)
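An added example, not part of the original thread: one way to confirm the diagnosis reached above is to compare `dig +noall +answer <hostname>` output captured on the affected network with the same query captured on an outside network (for example a mobile hotspot). The sinkhole name and IP come from the ping output quoted in the thread; the hostname `new.example.com`, the TTLs and the `192.0.2.10` address are constructed sample values, and the function names are this example's own.

```python
# Sinkhole indicators as they appear in the ping output quoted in the thread.
SINKHOLE_NAME = "sinkhole.paloaltonetworks.com."
SINKHOLE_IP = "72.5.65.111"

# Constructed sample: answer section as seen from the affected network.
INSIDE = """\
new.example.com.                1   IN  CNAME  sinkhole.paloaltonetworks.com.
sinkhole.paloaltonetworks.com.  1   IN  A      72.5.65.111
"""
# Constructed sample: answer section as seen from an outside network.
OUTSIDE = """\
new.example.com.  300  IN  A  192.0.2.10
"""

def parse_answers(dig_output):
    """Parse `dig +noall +answer` lines into (name, type, rdata) tuples."""
    records = []
    for line in dig_output.splitlines():
        line = line.strip()
        fields = line.split()
        if line.startswith(";") or len(fields) < 5:
            continue  # skip comments, blank lines and truncated rows
        name, _ttl, _cls, rtype = fields[:4]
        records.append((name.lower(), rtype.upper(), " ".join(fields[4:]).lower()))
    return records

def is_sinkholed(records):
    """True if the answer chain is redirected to the sinkhole name or IP."""
    return any(
        (rtype == "CNAME" and rdata == SINKHOLE_NAME)
        or (rtype == "A" and rdata == SINKHOLE_IP)
        for _name, rtype, rdata in records
    )

def diagnose(inside_output, outside_output):
    """Decide where the sinkhole answer is being introduced."""
    inside = is_sinkholed(parse_answers(inside_output))
    outside = is_sinkholed(parse_answers(outside_output))
    if inside and not outside:
        return "local-network-sinkhole"   # rewritten on the local network path
    if inside and outside:
        return "sinkholed-on-both-paths"  # not specific to the local network
    return "not-sinkholed"

if __name__ == "__main__":
    print(diagnose(INSIDE, OUTSIDE))
```

Querying a public resolver from inside the affected network is not a reliable comparison, because a firewall that inspects DNS traffic inline can rewrite those answers too; that is why the second capture is taken from a different network.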
