How does SSLlabs.com get my anycast IPs?


#1
I am testing out sites' TLS configuration with the SSL Testing service at www. ssllabs. com/ ssltest. I have typed in the hostnames deadpool.turnitin.com and sac2.turnitin.com. Somehow, SSLlabs is finding 4 IP addresses for each host, and they seem to be correct since I get the cert I want for each of them. For example:

deadpool. turnitin. com
CNAME for legacy. turnitin. map. fastly. net, 151.101.41.154:
Anycast IPs 151.101.129.154, 151.101.193.154, 151.101.1.154, 151.101.65.154

sac2. turnitin. com
CNAME for turnitin. map. fastly. net, 151.101.42.133:
151.101.2.133, 151.101.66.133, 151.101.130.133, 151.101.194.133

The apex A record for turnitin.com is 184.31.166.167.

How do you suppose SSLlabs is deducing the anycast IP addresses for these, given the single IP linked to the CNAME? It can’t be from DNS (at least IPv4 DNS). Do you get these from anycast/BGP? IPv6 DNS?

Curiously,
w

(Sorry about the weirdly formatted host names. The forum SW thinks they are links and won’t let me post them.)


#2

Hi @Wiley_Sanders

The DNS resolution for certain resolvers returns the anycast addresses. It’s likely SSL Labs is using one of those resolvers:

#google dns server
dig +short @8.8.8.8   deadpool.turnitin.com
151.101.1.154
151.101.65.154
151.101.129.154
151.101.193.154

#level3 dns server
dig +short @209.244.0.3   deadpool.turnitin.com
151.101.61.154

It’s like this because we’ve found that certain resolvers don’t always return the closest POP for a user when they query, but the anycast IPs will do the right thing when we return that for them.
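
An added example, not part of the thread: when auditing TLS on a CDN-fronted hostname, the set of endpoints you test depends on which resolver you asked, so it helps to take the union of answers across resolvers. The sample input is constructed from the two `dig +short` answers quoted above; the function names are hypothetical.

```python
import ipaddress
import subprocess

# Constructed sample input: the two `dig +short` answers quoted in the thread.
SAMPLE = {
    "8.8.8.8": "151.101.1.154\n151.101.65.154\n151.101.129.154\n151.101.193.154\n",
    "209.244.0.3": "151.101.61.154\n",
}

def parse_dig_short(text):
    """Return the IPv4 addresses in `dig +short` output, skipping CNAME lines."""
    addrs = set()
    for token in text.split():
        try:
            addrs.add(ipaddress.IPv4Address(token))
        except ipaddress.AddressValueError:
            continue  # not an address, e.g. a CNAME target ending in "."
    return addrs

def dig_short(resolver, host):
    """Live lookup of A records; needs the dig binary and network access."""
    out = subprocess.run(["dig", "+short", f"@{resolver}", host, "A"],
                         capture_output=True, text=True, timeout=10, check=True)
    return out.stdout

def endpoint_coverage(raw_by_resolver):
    """Union of all answers, plus the addresses each resolver does not reveal."""
    seen = {r: parse_dig_short(t) for r, t in raw_by_resolver.items()}
    union = set().union(*seen.values())
    missing = {r: sorted(union - a) for r, a in seen.items()}
    return sorted(union), missing

if __name__ == "__main__":
    union, missing = endpoint_coverage(SAMPLE)
    print("endpoints to test:", ", ".join(map(str, union)))
    for resolver, addrs in missing.items():
        print(f"{resolver} does not return:", ", ".join(map(str, addrs)))
```

For a live run, build the input with `{r: dig_short(r, host) for r in resolvers}` and pass it to `endpoint_coverage`.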