DNS Resolution Failure: How a 1.1.1.1 Update Accidentally Broke CNAME Record Ordering
A recent change to 1.1.1.1 accidentally altered the order of CNAME records in DNS responses, breaking resolution for some clients. This post explores the technical root cause, examines the source…
Read the full articleYou might also wanna read
GHSA-676x-f7gg-47vc: Netty Vulnerable to DNS Cache Poisoning via Missing Bailiwick Checks in CNAME Records
Netty's DNS resolver component (DnsResolveContext) fails to validate the origin (bailiwick) of CNAME records in DNS responses, leading to po
GHSA-5pvg-856g-cp85: Netty has Insufficient Bailiwick Validation for NS Records
Netty's DNS resolver component has a vulnerability due to insufficient bailiwick validation of NS records, allowing DNS cache poisoning. An

DNS - New DNS records UX is rolling out
Starting today, everyone can opt in to a refreshed DNS records page in the Cloudflare dashboard. Over the coming weeks, the new experience w

DNS - Account-level enforce DNS-only
You can now disable Cloudflare's reverse proxy across all zones in your account simultaneously using the new enforce_dns_only setting. When

A broken DNSSEC rollover took down .AL. Now 1.1.1.1 tells you when validation is bypassed
When a failed DNSSEC key rollover took down the .AL TLD, we deployed a Negative Trust Anchor to restore resolution. This time, though, clien

Cloudflare Tunnel, Cloudflare Tunnel for SASE - cloudflared proxy-dns command will be removed starting February 2, 2026
Starting February 2, 2026, the cloudflared proxy-dns command will be removed from all new cloudflared releases . This change is being made t

Comments
Sign in to join the conversation.
No comments yet. Be the first.