Workers and DNS

Hello,

I am developing a tool using Workers and am having success thus far.

As I need to be able to get only IPv4 or IPv6 answers, I’ve had to create two sets of unproxied subdomains that contain only A or AAAA records. The IP addresses were obtained by digging against myworker-myworkers-workers-dev (I’ve had to replace dots with hyphens due to being a new Community user).

This is how my DNS management dashboard looks at the moment:

Type  Name         Content                        TTL  Proxy Status
A     ipv4         172.67.203.22                  Auto DNS only
A     ipv4         104.21.82.143                  Auto DNS only
AAAA  ipv6         2606:4700:3035::ac43:cb16      Auto DNS only
AAAA  ipv6         2606:4700:3030::6815:528f      Auto DNS only
CNAME mydomain-com myworker-myworkers-workers-dev Auto Proxied
CNAME www          myworker-myworkers-workers-dev Auto Proxied

All my Workers’ Routes are set up and everything is functioning as expected.

However, I’m trying to understand what’s going on with the associated DNS records and have a number of questions to hopefully avoid any pitfalls further down the line:

  1. Why, when I dig against proxied and flattened CNAME root (mydomain-com) or the proxied CNAME (www), do I get different IP addresses returned than when I dig against myworker-myworkers-workers-dev? As they’re both aliases of myworker-myworkers-workers-dev, I was expecting to see them resolve to the same IP addresses.

For example:

dig A mydomain-com +short
172.67.152.7
104.21.32.121

dig A myworker-myworkers-workers-dev +short
172.67.203.22
104.21.82.143

  2. Is it better to have DNS only subdomains resolve to the IP addresses resolved by mydomain-com/www-mydomain-com or myworker-myworkers-workers-dev?

  3. Are the IP addresses in either the proxied responses for mydomain-com or www-mydomain-com or the responses for myworker-myworkers-workers-dev ever subject to change and if so, how often?

  4. Rather than employ some automation to track the changes and update - if that is necessary (dependent on the answer to question 3 above) - do Cloudflare offer an alternative product or service that provides either IPv4-only or IPv6-only responses?

  5. Are the IPs returned in any of the responses (IPv4 or IPv6) for either mydomain-com or myworker-myworkers-workers-dev all anycast addresses and always the same regardless of location?

Regards,

Ben

It is not really clear what you are trying to do. Is there a reason you need IPv6 or v4 only in DNS?

For the two proxied records, you can put in a dummy record. I like to use a AAAA record pointing to ::. So long as it’s orange-clouded it does not really matter what is in there. (Just don’t use RFC 1918 addresses or they will be forced to grey cloud)

All DNS results for orange-clouded records are subject to change at random, without notice, and to any value. They might also be withdrawn, blackholed, rerouted, etc. Manually trying to manage and maintain is probably not recommended for a production domain. It generally does not matter what Cloudflare addresses are used, as they will all respond to any hostname that is active in Cloudflare, but it could go horribly wrong.

Hi Michael,

Many thanks for your swift response.

Yes, without going into detail (but something along the lines of ipify.org) there is a reason I need IPv4 and IPv6 only responses. I know I can do what I require with GCP, for example, but I want to take advantage of the Cloudflare platform and build it with Workers.

As mentioned, although it works as expected, I wanted to have a level of certainty over the expected behaviour of the DNS records associated with my Workers. Particularly, I am curious as to why the Worker itself resolves to one set of IPs (which I reused for my two subdomains) but the flattened CNAME for mydomain-com and www - both proxied - resolves to another set.

Anything proxied will return the addresses that your zone is assigned. The CNAME target wouldn’t be relevant unless you’re using our SSL for SaaS feature. (ENT)

No, we don’t ever recommend hardcoding IPs and you won’t be able to guarantee that they won’t change unless you specifically contract for static IP. (ENT) I can appreciate that it usually won’t break anything, but proceed @ your own risk that it will break in the future.

Yes, @ our discretion.

Yes
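
The replies above warn that addresses copied into DNS-only records can change without notice. As an added example (not code from this thread or from Cloudflare), the check below compares pinned A/AAAA records with a fresh lookup and flags drift, and also confirms that each single-family name carries only one record type. The function names `canonical`, `findDrift` and `mixedNames` are hypothetical, and the "later lookup" values are constructed from documentation address ranges.

```javascript
// Constructed sample data: the DNS-only records from the question's dashboard,
// and a hypothetical later lookup (changed answers use documentation ranges).
const pinned = [
  { type: "A", name: "ipv4", content: "172.67.203.22" },
  { type: "A", name: "ipv4", content: "104.21.82.143" },
  { type: "AAAA", name: "ipv6", content: "2606:4700:3035::ac43:cb16" },
  { type: "AAAA", name: "ipv6", content: "2606:4700:3030::6815:528f" },
];
const resolved = {
  A: ["172.67.203.22", "192.0.2.10"],
  AAAA: ["2606:4700:3035:0000:0000:0000:ac43:cb16", "2001:db8::1"],
};

// Expand IPv6 to eight zero-padded lowercase groups so short and long forms
// compare equal (embedded dotted-quad forms are not handled here).
function canonical(type, addr) {
  const a = addr.trim().toLowerCase();
  if (type === "A") return a;
  const [head, tail = ""] = a.split("::");
  const h = head ? head.split(":") : [];
  const t = tail ? tail.split(":") : [];
  const fill = a.includes("::") ? Array(8 - h.length - t.length).fill("0") : [];
  return [...h, ...fill, ...t].map((g) => g.padStart(4, "0")).join(":");
}

// Report pinned addresses no longer in the live answer ("stale") and live
// addresses that no record carries ("unpinned"), per record type.
function findDrift(records, live) {
  const report = [];
  for (const type of ["A", "AAAA"]) {
    const now = new Set((live[type] || []).map((x) => canonical(type, x)));
    const mine = records.filter((r) => r.type === type);
    const have = new Set(mine.map((r) => canonical(type, r.content)));
    for (const r of mine)
      if (!now.has(canonical(type, r.content)))
        report.push({ name: r.name, type, address: r.content, issue: "stale" });
    for (const x of now)
      if (!have.has(x)) report.push({ name: null, type, address: x, issue: "unpinned" });
  }
  return report;
}

// A name meant to be IPv4-only or IPv6-only must not carry both record types.
function mixedNames(records) {
  const seen = new Map();
  for (const r of records) seen.set(r.name, (seen.get(r.name) || new Set()).add(r.type));
  return [...seen].filter(([, types]) => types.size > 1).map(([name]) => name);
}
console.log(findDrift(pinned, resolved), mixedNames(pinned));
```

In practice the `resolved` object would be filled from the output of `dig A` and `dig AAAA` against the Worker hostname on a schedule, with any non-empty report treated as an alert.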