How does get my anycast IPs?

I am testing out sites' TLS configuration with the SSL Testing service at www. ssllabs. com/ ssltest. I have typed in the hostnames and Somehow, SSLlabs is finding 4 IP addresses for each host, they seem to the correct since I get the cert I want for each of them. For example:

deadpool. turnitin. com
CNAME for legacy. turnitin. map. fastly. net,
Anycast IPs,,,

sac2. turnitin. com
CNAME for turnitin. map. fastly. net,,,,

The the apex A record for is

How do you suppose SSLlabs is deducing the anycast IP addresses for these, given the single IP linked to the CNAME? It can’t be from DNS (at least IPV4 DNS) Do you get these from anycast/BGP? IPV6 DNS?


(Sorry about the weirdly formatted host names. The forum SW thinks they are links and won’t let me post them.)


Hi @Wiley_Sanders

The DNS resolution for certain resolvers returns the anycast addresses. It’s likely SSL Labs is using one of those resolvers:

#google dns server
dig +short @

#level3 dns server
dig +short @

It’s like this because we’ve found that certain resolvers don’t always return the closest POP for a user when they query, but the anycast IPs will do the right thing when we return that for them.