I am running into problems connecting to workers and pages
It seems adding a custom domain to some of my pages and worker projects is now adding AAAA records into the IPv4 DNS records, causing major problems for end users. Most ISPs do not yet support IPv6, but if they reach out to the IPv4 DNS they will now see CNAME and AAAA records and will attempt and fail to connect to our websites. Many users have to turn off WiFi on their devices to make this work. Unfortunately IPv6 cannot be turned off or controlled within Cloudflare. How do I fix this? Examples are universalprofile.cloud and my.universalprofile.cloud
6 Replies
> It seems adding a custom domain to some of my pages and worker projects is now adding AAAA records
That's how the Cf Proxy works, just automagically supports both V4/V6
> Most ISPs do not yet support IPv6, but if they reach out to the IPv4 DNS they will now see CNAME and AAAA records and will attempt and fail to connect to our websites. Many users have to turn off WiFi on their devices to make this work.
That's not how that works. Browsers know if they support IPv6 or not based on interfaces and such, and even if there is some confusion, like the end users support IPv6 but it's broken, browsers employ Happy Eyeballs, https://en.wikipedia.org/wiki/Happy_Eyeballs, racing IPv6 and IPv4 to mitigate such impact. You wouldn't see an error page just because V6 is broken, for example. Your issue is something else.
So then the IPv4/6 setup is wrong on the machines of the affected users. I tried to force IPv6 on my setup and I can see the same failure. Ok cool! I had assumed that only the IPv6 endpoint of DNS should return AAAA records at all and not the IPv4 endpoint.
Even if the IPv6 setup is wrong it would just fall back on modern browsers, unless you killed IPv4 too.
> I had assumed that only the IPv6 endpoint of DNS should return AAAA records at all and not the IPv4 endpoint
Yea, both IPv4/IPv6 DNS can return A & AAAA records
Hmm the user cannot connect to the site at all. All they get is a timeout. When they disable WiFi on their phone they can reach the site over LTE for example
They reach Cloudflare sites on our other domains and they don't seem to have AAAA entries in DNS.
kinda sounds like more of an ISP IP ban/block, especially if they're from one of those countries doing them (Russia, Iran, Egypt, Germany, etc), or perhaps something in their local network like a firewall
Your website was marked phishing: https://radar.cloudflare.com/domains/domain/universalprofile.cloud so Cloudflare's Malware/Family DNS would be blocking it (by responding with 0.0.0.0 resulting in a timeout). Cloudflare Radar just largely pulls from other sources so likely more than just Radar
Hmmm maybe. I wonder why it got flagged. There was a flag for api.universalprofile.cloud which was fixed. Curious
Thanks for pointing it out. The API endpoint had an IPFS proxy which allowed fake HTML documents to be added to the domain by CID. This has been resolved. I tried to add a review for the root domain.
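The 0.0.0.0 answer described in the reply above can be told apart from a normal A/AAAA answer by comparing what different resolvers return for the same hostname. The following is an added example, not code from anyone in the thread; the resolver labels and addresses are constructed placeholders, and treating only the unspecified address (0.0.0.0 or ::) as a block answer is an assumption of this sketch.

```python
import ipaddress

# Constructed sample: answers three resolvers gave for one hostname.
# Labels are hypothetical; addresses come from documentation ranges.
SAMPLE_ANSWERS = {
    "unfiltered": {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"]},
    "filtering": {"A": ["0.0.0.0"], "AAAA": ["::"]},
    "v4_only": {"A": ["192.0.2.10"], "AAAA": []},
}


def is_sinkhole(addr):
    """True for the unspecified address (0.0.0.0 or ::), used as a block answer."""
    return ipaddress.ip_address(addr).is_unspecified


def classify(answers):
    """Classify one resolver's answer set as ok, sinkholed, mixed or no-answer."""
    addrs = answers.get("A", []) + answers.get("AAAA", [])
    if not addrs:
        return "no-answer"
    sunk = [a for a in addrs if is_sinkhole(a)]
    if len(sunk) == len(addrs):
        return "sinkholed"
    return "mixed" if sunk else "ok"


def diagnose(per_resolver):
    """Compare resolvers and name the most likely cause of a client timeout."""
    verdicts = {name: classify(ans) for name, ans in per_resolver.items()}
    blocked = [n for n, v in verdicts.items() if v in ("sinkholed", "mixed")]
    healthy = [n for n, v in verdicts.items() if v == "ok"]
    if blocked and healthy:
        cause = "dns-filtering"  # only some resolvers block the name
    elif blocked:
        cause = "sinkholed-everywhere"
    elif healthy:
        # A missing AAAA is not a fault; A and AAAA together are normal too.
        cause = "dns-ok-check-network-path"
    else:
        cause = "no-dns-answer"
    return verdicts, cause


if __name__ == "__main__":
    verdicts, cause = diagnose(SAMPLE_ANSWERS)
    for name, verdict in verdicts.items():
        print(f"{name}: {verdict}")
    print("likely cause:", cause)
```
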