Correct, 1.1.1.1 is the anycast address that clients use. The resolvers behind that anycast address will be part of the listed IP addresses.
Servers will not see the query coming from 1.1.1.1.

Regards,
Graeme Slogrove

-----Original Message-----
From: mailop <mailop-boun...@mailop.org> On Behalf Of Jose Morales Velazquez via mailop
Sent: Tuesday, December 5, 2023 9:12 AM
To: mailop@mailop.org
Subject: Re: [mailop] New Google DNS Servers? 192.178.65.0/28 NO PTR records.. anyone? Brandon?

I believe they do not add the DNS IP 1.1.1.1 or any other to the list of IPs because the list is of access IP addresses used to make requests to servers from their proxy backends. Like, on the Cloudflare DNS for your domain you add a hostname record pointing to one of your server's IP addresses and enable Cloudflare's proxy on it; then Cloudflare will mask your IP address to external queries on their 1.1.1.1 DNS server or your domain's assigned DNS server from Cloudflare with one of the proxy servers they assigned to your record. Now when someone requests that hostname they will see the Cloudflare Proxy IP assigned to the hostname, and in the backend, Cloudflare will route the communication through one of these IP addresses on that list of IPs to your servers.

Example: Set firewalls/ACLs to only allow access from these IP addresses to your webservers, so that only Cloudflare's proxied records can connect to them.

Sincerely,
Jose

On 12/4/2023 1:53 PM, Randolf Richardson, Postmaster via mailop wrote:
> Interestingly, 1.1.1.1, which is Cloudflare's famous public DNS
> resolver, is not included in that list of IPv4 addresses:
>
> IP Ranges | Cloudflare
> https://www.cloudflare.com/ips/
>
> Their main reference page (above) doesn't seem to mention it, but I
> wonder if it might be prudent to whitelist it as well (in addition to
> Cloudflare's official list) to ensure smoother operations overall.
>
>> Hello,
>>
>> I believe you can enumerate Cloudflare IPs via:
>>
>> https://www.cloudflare.com/ips-v4
>> https://www.cloudflare.com/ips-v6
>>
>> It's likely an overfit situation (not just resolvers), but it's something.
>>
>> -tony
>>
>> On 12/2/23 21:57, Arne Jensen via mailop wrote:
>>> Always happy to help! And wow, time flies by these days...
>>>
>>> First of all - I completely agree with you, that several things
>>> could be better here ;-).
>>>
>>> Taking the four major ones, the top list, from best to worst, might
>>> be like:
>>>
>>> 1. OpenDNS
>>> 2. Google
>>> 3. Quad 9/PCH
>>> 4. Cloudflare
>>>
>>> Given your mention of "internal documentation", maybe there could be
>>> something more for you to document, if you haven't already:
>>>
>>> Google does, as mentioned previously, document their resolver
>>> infrastructure on the Web, contrary to many others, but also with a JSON:
>>>
>>> -> API/JSON: https://www.gstatic.com/ipranges/publicdns.json
>>>
>>> OpenDNS is also documenting theirs, and also has PTR on the
>>> outgoing resolver IP, but unfortunately, the PTR **doesn't always**
>>> point to one of their OpenDNS.* domain names, which could be confusing:
>>>
>>> Reaching OpenDNS Copenhagen:
>>> - 146.112.135.70 (r7.compute.cph1.edc.strln.net)
>>> - 2a04:e4c0:17::73 (r10.compute.cph1.edc.strln.net)
>>>
>>> Reaching OpenDNS London:
>>> - 208.69.34.73 (m53.lon.opendns.com)
>>> - 2a04:e4c0:10::91 (r3.compute.lon1.edc.strln.net)
>>>
>>> It is however consistent with their locations as retrieved from here:
>>>
>>> -> Web: https://www.opendns.com/data-center-locations/
>>> -> JSON: https://umbrella-dns-requests.marketops.umbrella.com/api/data-center-locations
>>>
>>> Currently, it seems very much a hit and miss, mostly miss, when
>>> reaching any IP address with PTR records, through Quad 9. I haven't
>>> ever seen Quad 9 document it like OpenDNS or Google.
>>>
>>> With Cloudflare, I've never seen any of their outbound resolver IP
>>> addresses have any PTR records. I haven't ever seen Cloudflare
>>> document it like OpenDNS or Google.
>>>
>>> With the above possible ways to retrieve the OpenDNS and Google
>>> data, you have the option to automate e.g. a weekly update of their
>>> resolver addresses, if you feel for something like that in any way.
>>> ;)
>>>

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
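The thread twice touches the same operational task: Jose's suggestion to allow only Cloudflare's published proxy ranges through a firewall, and Arne's note that Google's resolver ranges are published as JSON so an allowlist can be regenerated on a schedule. The script below is an added example, not code from any of the posters or from Cloudflare or Google. It parses the two formats mentioned (Cloudflare's one-CIDR-per-line text lists and Google's publicdns.json), classifies observed source IPs against them, and renders iptables/ip6tables accept rules. All prefixes and observed IPs are constructed documentation-range values embedded inline, and the `{"prefixes": [{"ipv4Prefix": ...}, {"ipv6Prefix": ...}]}` layout is an assumption about publicdns.json that should be checked against the live file before use. As the thread notes, 1.1.1.1 is the client-facing anycast address and is not in the egress list, so it classifies as unknown.

```python
"""Classify observed source IPs against published resolver/proxy ranges.

Added example (not from the thread). Sample data is constructed inline so
the script runs offline; swap in the live lists from the URLs in the thread
for real use.
"""
import ipaddress
import json

# Constructed excerpt in the plain-text, one-CIDR-per-line style of
# Cloudflare's ips-v4 / ips-v6 lists (documentation prefixes, not real ones).
CLOUDFLARE_TEXT = """\
198.51.100.0/24
203.0.113.0/24
2001:db8:cf::/48
"""

# Constructed excerpt in the layout ASSUMED for Google's publicdns.json.
GOOGLE_JSON = json.dumps({
    "creationTime": "2023-12-01T00:00:00",
    "prefixes": [
        {"ipv4Prefix": "192.0.2.0/24"},
        {"ipv6Prefix": "2001:db8:4860::/48"},
    ],
})


def parse_cidr_text(text):
    """Parse a one-CIDR-per-line list; blank lines and '#' comments are skipped."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def parse_google_json(text):
    """Parse the assumed publicdns.json layout into ip_network objects."""
    data = json.loads(text)
    nets = []
    for entry in data.get("prefixes", []):
        for key in ("ipv4Prefix", "ipv6Prefix"):
            if key in entry:
                nets.append(ipaddress.ip_network(entry[key], strict=False))
    return nets


def build_allowlist():
    """Combine both sources into a provider -> [networks] mapping."""
    return {
        "cloudflare": parse_cidr_text(CLOUDFLARE_TEXT),
        "google": parse_google_json(GOOGLE_JSON),
    }


def classify(ip, allowlist):
    """Return the provider whose published ranges contain `ip`, else None.

    ipaddress never matches a v4 address against a v6 network (or vice versa),
    so mixed-family lists are safe to scan together.
    """
    addr = ipaddress.ip_address(ip)
    for provider, nets in allowlist.items():
        if any(addr in net for net in nets):
            return provider
    return None


def audit_sources(ips, allowlist):
    """Map each observed source IP to a provider name or 'unknown'."""
    return {ip: classify(ip, allowlist) or "unknown" for ip in ips}


def firewall_rules(allowlist, port=443):
    """Render accept rules per published prefix, then a default drop per family."""
    rules = []
    for provider, nets in allowlist.items():
        for net in nets:
            tool = "iptables" if net.version == 4 else "ip6tables"
            rules.append(
                f"{tool} -A INPUT -p tcp --dport {port} -s {net} "
                f"-m comment --comment {provider} -j ACCEPT"
            )
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    rules.append(f"ip6tables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    # Constructed "observed source IPs" as they might appear in a web-server
    # or DNS log. 1.1.1.1 is expected to come back 'unknown'.
    observed = ["198.51.100.7", "2001:db8:4860::53", "1.1.1.1", "10.0.0.5"]
    allowlist = build_allowlist()
    for ip, who in audit_sources(observed, allowlist).items():
        print(f"{ip:>20}  {who}")
    print("\n".join(firewall_rules(allowlist)))
```

To turn this into the weekly refresh Arne describes, replace the two inline constants with the fetched bodies of the URLs from the thread and diff the rendered rules against the currently loaded ruleset before applying them; the classifier also doubles as a log audit, since any source that lands in "unknown" while claiming to be proxied traffic is worth a second look.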