nanog mailing list archives

Re: Cloudflare DNS contact?

From: Betsy Schwartz via NANOG <nanog () lists nanog org>
Date: Tue, 7 Apr 2026 22:11:04 -0400

Thank you all. I will reach out. I think we've disproved my first theory
about what the issue is.

Apologies for slow response,
(trouble came in threes this week!)


On Tue, Apr 7, 2026 at 12:05 PM Steve Sullivan via NANOG <
nanog () lists nanog org> wrote:

Hey Mark,

Steve at DNS-OARC reaching out. I sent a note to the OP recommending she
hit the OARC chat platform and mail list.

Cloudflare DNS is actually pretty active in the DNS-OARC Member and
at-large Community. Might want send these operational DNS questions to
the dns-operations mailing list and to https://chat.dns-oarc.net.

I try too when i see them, but I cannot read all the nanog mails.

I hope to see you at a workshop soon.

Kind regards,

Steve Sullivan
Membership Coordinator
OARC Mattermost Chat: @stevos
https://linktr.ee/dnsoarc

On 4/6/2026 9:49 PM, marka via NANOG wrote:

On 7 Apr 2026, at 12:08, Betsy Schwartz via NANOG<nanog () lists nanog org>

wrote:


We're getting reports of users trying to log in or request 2FA emails

from

Cloudflare sites (ex: California DMV) but seeing   errors that our

well.com

domain isn't recognized as valid.  Well.com  has been around since 1993

and

our primary DNS hasn't changed since perhaps 2012. . Excerpts appended

for

reference.

I strongly suspect these errors are related to a Cloudflare security

check

for valid email domains. Hoping someone here can validate or disprove
this.  If it's a Cloudflare issue, any contacts here?

When I poke at an open cloudflare DNS server and  look up the A for

well.com

I get a disturbing error: :
         server can't find well.com.well.sf.ca.us:

well.sf.ca.us is an antique  (but valid) A  record in  the sf.ca.us

zone

and has no business appearing here.  Did something drop a period or

CRLF

on a list somewhere?

Nslookup is NOT a good diagnostic tool.  Here it presumably tried

well.com

then tried well.com.well.sf.ca.us when the first query failed as you

have

well.sf.ca.us in the search list.  This is one of the reasons it is not

good diagnostic tool.  Also different versions of nslookup move onto to
applying the next name in the search list differently.  The only SAFE?

way

to do search lists is to ONLY move to the next name on NXDOMAIN (Name

Error).

Lots of search list implementations move to the next name in the search

list

on SERVFAIL (you can get data from the wrong name used),  NOERROR NODATA

(you

end up talking to different domains as IPv4 and IPv6 addresses

appear/disappear).


I would suggest that you use a diagnostic tool like 'dig' which doesn’t

do search

lists unless explicitly requested.

Additionally if you want help, show everything you are doing.  People

then have

a better chance of find errors in your testing methodology.

When I query AWS and Google DNS servers,  our DNS  looks correct and
unchanged
Thank you very much for any pointers!

Betsy

--
Correct info:

set type=any
well.com

Server:         8.8.8.8
Address:        8.8.8.8#53
Non-authoritative answer:
Name:   well.com
Address: 23.22.72.90
well.com        nameserver = ns-1783.awsdns-30.co.uk.
well.com        nameserver = ns-1103.awsdns-09.org.
well.com        nameserver = ns-805.awsdns-36.net.
well.com        nameserver = ns-459.awsdns-57.com.
well.com
        origin = ns-1103.awsdns-09.org
        mail addr = awsdns-hostmaster.amazon.com
<snip>
well.com        mail exchanger = 15 xmx.well.com.
<snip>
--
whois well.com
[Querying whois.verisign-grs.com]
   Domain Name: WELL.COM
   Registry Domain ID: 4562093_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.enom.com
   Registrar URL:http://www.enomdomains.com
   Updated Date: 2020-01-24T18:46:10Z
   Creation Date: 1993-01-25T05:00:00Z
   Registry Expiry Date: 2029-01-26T05:00:00Z
  <snip>
   Name Server: NS-1103.AWSDNS-09.ORG
   Name Server: NS-1783.AWSDNS-30.CO.UK
   Name Server: NS-459.AWSDNS-57.COM
   Name Server: NS-805.AWSDNS-36.NET
<snip>
_______________________________________________
NANOG mailing list

https://lists.nanog.org/archives/list/nanog () lists nanog org/message/6BU667JNHNF6XEW2G2MAVGZ5G5YCHREA/
_______________________________________________
NANOG mailing list

https://lists.nanog.org/archives/list/nanog () lists nanog org/message/DCLCRZ2QZ7ZERRSJW2TXPKQ22FISV6MJ/

_______________________________________________
NANOG mailing list 
https://lists.nanog.org/archives/list/nanog () lists nanog org/message/XICFG4OAF3ABPGRYRDIPE3RHISDYJMTW/

Current thread:

Cloudflare DNS contact? Betsy Schwartz via NANOG (Apr 06)
- Re: Cloudflare DNS contact? Alexander Huynh via NANOG (Apr 06)
- Re: Cloudflare DNS contact? Chris Adams via NANOG (Apr 06)
  - Re: Cloudflare DNS contact? Vinny Abello via NANOG (Apr 06)
- Re: Cloudflare DNS contact? marka via NANOG (Apr 06)
  - Re: Cloudflare DNS contact? Steve Sullivan via NANOG (Apr 07)
    - Re: Cloudflare DNS contact? Betsy Schwartz via NANOG (Apr 07)
- Re: Cloudflare DNS contact? Steve Sullivan via NANOG (Apr 07)