I believe they do not add the DNS IP 1.1.1.1 or any other to the list of IPs because the list is of access IP addresses used to make requests to servers from their proxies' backends.

Like, on the Cloudflare DNS for your domain you add a hostname record pointing to one of your server's IP addresses and enable Cloudflare's proxy on it; then Cloudflare will mask your IP address to external queries on their 1.1.1.1 DNS server, or your domain's assigned DNS server from Cloudflare, with one of the proxy servers they assigned to your record. Now when someone requests that hostname they will see the Cloudflare proxy IP assigned to the hostname, and in the backend Cloudflare will route the communication through one of these IP addresses on that list of IPs to your servers.

Example: Set firewalls/ACLs to only allow access from these IP addresses to your webservers, so that only Cloudflare's proxied records can connect to them.


Sincerely,
Jose


On 12/4/2023 1:53 PM, Randolf Richardson, Postmaster via mailop wrote:
Interestingly, 1.1.1.1, which is Cloudflare's famous public DNS
resolver, is not included in that list of IPv4 addresses:

IP Ranges | Cloudflare
https://www.cloudflare.com/ips/

Their main reference page (above) doesn't seem to mention it, but I
wonder if it might be prudent to whitelist it as well (in addition to
Cloudflare's official list) to ensure smoother operations overall.

Hello,

I believe you can enumerate Cloudflare IPs via:

https://www.cloudflare.com/ips-v4
https://www.cloudflare.com/ips-v6

It's likely an overfit situation (not just resolvers), but it's something.

-tony

On 12/2/23 21:57, Arne Jensen via mailop wrote:
Always happy to help! And wow, time flies by these days...

First of all - I completely agree with you that several things could be
better here ;-).

Taking the four major ones, the top list, from best to worst, might be
like:

1. OpenDNS
2. Google
3. Quad 9/PCH
4. Cloudflare

Given your mention of "internal documentation", maybe there could be
something more for you to document, if you haven't already:

Google does, as mentioned previously, document their resolver
infrastructure on the Web, contrary to many others, but also with a JSON:

-> API/JSON: https://www.gstatic.com/ipranges/publicdns.json

OpenDNS is also documenting theirs, and also have PTR on the outgoing
resolver IP, but unfortunately, the PTR **doesn't always** point to one
of their OpenDNS.* domain names, which could be confusing:

Reaching OpenDNS Copenhagen:
- 146.112.135.70 (r7.compute.cph1.edc.strln.net)
- 2a04:e4c0:17::73 (r10.compute.cph1.edc.strln.net)

Reaching OpenDNS London:
- 208.69.34.73 (m53.lon.opendns.com)
- 2a04:e4c0:10::91 (r3.compute.lon1.edc.strln.net)

It is however consistent with their locations as retrieved from here:

-> Web: https://www.opendns.com/data-center-locations/
-> JSON:
https://umbrella-dns-requests.marketops.umbrella.com/api/data-center-locations

Currently, it seems very much a hit and miss, mostly miss, when reaching
any IP address with PTR records, through Quad 9. I haven't ever seen
Quad 9 document it like OpenDNS or Google.

With Cloudflare, I've never seen any of their outbound resolver IP
addresses have any PTR records. I haven't ever seen Cloudflare document
it like OpenDNS or Google.

With the above possible ways to retrieve the OpenDNS and Google data,
you have the option to automate e.g. a weekly update of their resolver
addresses, if you feel like doing something like that in any way. ;)

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
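The thread makes two practical points: Jose's suggestion to allow only the published Cloudflare proxy ranges through firewalls/ACLs, and Arne's note that the plain-text (ips-v4/ips-v6) and JSON (publicdns.json) lists can be fetched and processed automatically. The following is an added example, not code from any of the posters or from Cloudflare or Google, of parsing both list formats into one collapsed allowlist and checking addresses against it. The sample inputs are constructed from documentation ranges, not live data, and the JSON layout (a "prefixes" list of objects keyed "ipv4Prefix"/"ipv6Prefix") is an assumption about the Google file's structure.

```python
"""Parse published IP range lists into an allowlist and check addresses
against it. Sample inputs are constructed (RFC 5737/3849 documentation
ranges), not the real published lists."""
import ipaddress
import json
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed stand-in for the one-CIDR-per-line text list published at
# https://www.cloudflare.com/ips-v4 (values here are documentation ranges).
CLOUDFLARE_IPS_V4_SAMPLE = """\
192.0.2.0/24
198.51.100.0/24
203.0.113.0/24
"""

# Constructed stand-in for Google's publicdns.json. The layout (a "prefixes"
# list of {"ipv4Prefix": ...} / {"ipv6Prefix": ...} objects) is an assumption.
GOOGLE_PUBLICDNS_JSON_SAMPLE = json.dumps({
    "creationTime": "2023-12-01T00:00:00",
    "prefixes": [
        {"ipv4Prefix": "198.51.100.0/25"},
        {"ipv6Prefix": "2001:db8::/48"},
    ],
})


def parse_plain_cidr_list(text: str) -> List[Network]:
    """Parse a text list with one CIDR per line; blank lines and '#' comments
    are skipped. A malformed line raises ValueError so a corrupted or
    truncated download can never silently produce a partial allowlist."""
    nets: List[Network] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {line!r}: {exc}") from exc
    return nets


def parse_google_publicdns_json(text: str) -> List[Network]:
    """Extract IPv4 and IPv6 prefixes from the assumed publicdns.json layout."""
    data = json.loads(text)
    nets: List[Network] = []
    for entry in data.get("prefixes", []):
        for key in ("ipv4Prefix", "ipv6Prefix"):
            if key in entry:
                nets.append(ipaddress.ip_network(entry[key], strict=False))
    return nets


def build_allowlist(sources: Iterable[Iterable[Network]]) -> List[Network]:
    """Merge all sources and collapse overlapping or adjacent prefixes,
    per address family (collapse_addresses refuses mixed families)."""
    all_nets = [n for src in sources for n in src]
    v4 = [n for n in all_nets if n.version == 4]
    v6 = [n for n in all_nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def is_allowed(address: str, allowlist: List[Network]) -> bool:
    """True if the address falls inside any allowlisted prefix."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in allowlist)


def nftables_set_elements(allowlist: List[Network], version: int = 4) -> str:
    """Render one address family as the body of an nftables set, e.g. to be
    dropped into `elements = { ... }` of a named set (assumed usage)."""
    return ", ".join(str(n) for n in allowlist if n.version == version)


if __name__ == "__main__":
    allow = build_allowlist([
        parse_plain_cidr_list(CLOUDFLARE_IPS_V4_SAMPLE),
        parse_google_publicdns_json(GOOGLE_PUBLICDNS_JSON_SAMPLE),
    ])
    print("v4 set:", nftables_set_elements(allow, 4))
    print("v6 set:", nftables_set_elements(allow, 6))
    # 1.1.1.1 is not in the proxy range list, matching Randolf's observation.
    for probe in ("198.51.100.77", "1.1.1.1", "2001:db8::1"):
        print(probe, "allowed" if is_allowed(probe, allow) else "denied")
```

Fetching the real lists is a plain HTTPS GET of the URLs given in the thread; the point of the strict parser is that a weekly automated refresh should fail loudly on a bad download rather than replace a working allowlist with an empty or partial one.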
