Windows DNS Server vs Proxied ANames

I’ve tried searching the community and haven’t come up with anything. We have AName records, proxied, for devices to register to. Most customers are working fine, but one with Windows DNS servers is not: it seems like the DNS server is resolving the name via NSLookup and then is sending traffic to the proxy. The band-aid was to just apply the AName in the Windows DNS server, and it’s been years since I’ve been in one, but does anyone have any advice on getting Windows DNS Servers (unsure of version, sorry) to just send traffic to the DNS name and not the IP it “thinks” it is? The PCAP shows it resolving, then shows it sending the registration to the proxy IP. As soon as I remove proxying, it works, but we don’t want to expose the IPs, and it worked before… mostly I’m hoping someone has encountered this and may have some advice?

It is not clear what the problem you are having is.

Do you mean to say ANAME, or is that a typo? ANAME records are not widely supported, potentially because the draft proposed standard stalled a while ago.

In Cloudflare terminology, ANAME at the root is called DNS Flattening.

Are you referring to the Cloudflare Proxy, or some other proxy?

Is the DNS entry you are referring to at the root such as example.com, or is it in a host like registration.example.com?

DNS servers just resolve DNS entries. The subsequent application traffic does not go anywhere near the DNS server.

Are your Windows servers authoritative for the same domain that you are using on Cloudflare? (i.e. split-brain DNS)

In the CloudFlare drop-down for type, it’s “A”, if that helps?

Yeah, CloudFlare proxy, and I know that is what DNS “does”, but the weirder part is maybe how MS DNS Server is resolving the name: it gets the three CloudFlare proxied IPs and then sends the traffic to them… I will freely admit I don’t fully understand how the proxied setting works, but, for example, when I type group1.cloudflare.com into a browser, it loads the page, but with this Windows DNS Server site, it won’t; it will truly believe the IP address of the site is the cloudflare proxied IP. It does try all four from the logs, but never the “actual” IP.

It’s a subdomain, so let’s say we’re “cloudflare.com”; we have subdomains for each different group, so like group1.cloudflare.com, group2.cloudflare.com, etc… There is a light variation to where each one points, but it’s over 4 different IPs hosted in the same environment, and everyone else is able to hit us fine.

I’m just trying to figure out if this is a random MS DNS Server thing and if anyone has witnessed / experienced this before… I had opened a ticket with cloudflare support; however, because it’s not technically an issue with CloudFlare but the customer setup, they offered some advice (which was very helpful) but unfortunately can’t proceed with support because the cloudflare setup is actually working and it’s something within their environment.

That is just A. ANAME is something else entirely.

If the DNS entry for an A (or AAAA) record is :grey:, then your local DNS server will just return the IP address you configured on the dashboard.

$ dig +short mail.communitymvp.cf
192.0.2.1

If the DNS entry is :orange: then Cloudflare will return two or three addresses (actually, it’s two or three IPv4 addresses and two or three IPv6 addresses). Those addresses will be the IP addresses for Cloudflare. When the client or application connects to one of those Cloudflare addresses, then Cloudflare’s servers will proxy the requests to the address you configured on the Cloudflare dashboard. The user never has knowledge of, or makes a connection to, the Origin IP address directly.

$ dig +short orange.communitymvp.cf
104.21.25.241
172.67.134.236

Is the registration traffic HTTP(S) or some other protocol? Only certain ports are available in CF, and all traffic needs to be HTTP (unless you have Spectrum or Magic Transit).

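A small triage script, added here as an illustration and not from any poster in the thread, that applies the grey/orange distinction and the port caveat above to a resolver answer: it classifies the returned addresses as Cloudflare edge or origin and says whether a connection on the given port can reach the origin through the proxy. The sample answers are the dig output quoted above; the edge-range subset and the proxied-port lists are assumptions that should be refreshed from Cloudflare's published lists before use.

```python
import ipaddress

# Constructed sample resolver answers, copied from the dig output in the thread.
SAMPLE_ANSWERS = {
    "mail.communitymvp.cf": ["192.0.2.1"],                          # grey cloud
    "orange.communitymvp.cf": ["104.21.25.241", "172.67.134.236"],  # orange cloud
}

# Assumption: a subset of Cloudflare's published IPv4 edge ranges at time of
# writing; fetch the current list from https://www.cloudflare.com/ips-v4 .
CLOUDFLARE_EDGE_V4 = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "173.245.48.0/20",
    "162.158.0.0/15", "141.101.64.0/18", "108.162.192.0/18", "198.41.128.0/17",
)]

# Assumption: ports the proxy accepts for HTTP and HTTPS; verify against
# Cloudflare's documentation, since non-HTTP protocols need Spectrum.
HTTP_PORTS = {80, 8080, 8880, 2052, 2082, 2086, 2095}
HTTPS_PORTS = {443, 2053, 2083, 2087, 2096, 8443}


def is_edge(ip: str) -> bool:
    """True if the address falls inside one of the known edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_EDGE_V4)


def classify_answer(ips):
    """'proxied' if every address is an edge address, 'origin' if none is, else 'mixed'."""
    hits = [is_edge(ip) for ip in ips]
    if all(hits):
        return "proxied"
    if not any(hits):
        return "origin"
    return "mixed"


def triage(name: str, ips, port: int):
    """Return (kind, reaches_origin, note) for a connection to name:port."""
    kind = classify_answer(ips)
    if kind == "origin":
        return kind, True, f"{name}: origin address returned; proxy is off or bypassed"
    if kind == "mixed":
        return kind, False, f"{name}: mixed edge/origin answers; check for split-brain or stale records"
    if port in HTTP_PORTS or port in HTTPS_PORTS:
        return kind, True, f"{name}: edge addresses on proxied port {port}; HTTP(S) is forwarded to the origin"
    return kind, False, f"{name}: edge addresses, but port {port} is not proxied for HTTP(S); traffic will not reach the origin"


if __name__ == "__main__":
    for host, answer in SAMPLE_ANSWERS.items():
        print(triage(host, answer, 443)[2])
```

A resolver that returns edge addresses for an orange-cloud record is behaving correctly; the thing to check is whether the registration protocol and port are ones the proxy carries.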

What I meant by “not understanding” was like, I get the pictures: all our A records are pretty orange clouds, and when I do an NSLOOKUP on any, I tend to get four IPs which are all the proxied IPs CloudFlare sends, all that, great… What I seem to be missing is, for about 85% of our A records, the users who route there are working fine and have 0 issues, but there’s this one location using a Windows DNS Server to resolve, and it is always sending the devices to the proxied IP… I mean, I know it’s something with that Windows DNS Server, but I’m just stuck on how it’s not able to actually get the “correct” IP when routing the traffic; ports are the same across the board.
