Canary token alert contains _two_ "Source IP" addresses

Hi Nathan and everyone,

Usually canary token alerts only contain one “Source IP” IP address when I get them.
But when I test canary tokens from one particular computer, the alert always contains 2 comma-separated IP addresses in the “Source IP” line.

The first IP address is the “correct” external IP - and the second IP address is always a Cloudflare IP address.
If I go to dnsleaktest then I often see the exact same second IP as the DNS server according to the test.
But I cannot make queries via dig or nslookup to that IP - they just time out.
So I can’t use that IP as a DNS server even if I wanted to.

The computer is connected to a router with a WireGuard VPN client.
Cloudflare is not set up to be my DNS provider and the router should not be using DNS over TLS.

So, is that second IP address a DNS leak? Is it the DNS server that the WireGuard server specifies? Or is it some kind of Cloudflare CDN thing?

I am curious both for myself and in case this happens for real - when I am not testing the web bug canary token.

Cheers -alsunseri

Our servers are behind Cloudflare. Sometimes you will see their IP.

Thank you for answering so quickly - kept me from pulling my hair out or wiping out the firmware on the GL.iNet router.

I tested it with curl on GCP and AWS VMs and get the same kind of results.

So this makes sense - but it also means that the dnsleaktest results are wrong.
Anyway - thanks again - now if I can find that “solved” button…
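
For triaging alerts like the one discussed in this thread, the sketch below splits a comma-separated “Source IP” value and sets aside any entry that falls inside Cloudflare's published IPv4 ranges. It is an added example, not part of the thread and not code from the canary token service; the function names and sample addresses are constructed, and the range list is a snapshot that is assumed current.

```python
import ipaddress

# Snapshot of the IPv4 ranges Cloudflare publishes at https://www.cloudflare.com/ips/
# Assumption: the list can change, so refresh it before relying on the result.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare(addr):
    """True if addr (an ipaddress object) lies in a listed Cloudflare IPv4 range."""
    return addr.version == 4 and any(addr in net for net in CLOUDFLARE_V4)


def split_source_ip(field):
    """Split an alert's "Source IP" value (hypothetical helper).

    Returns (visitors, proxies, invalid): addresses outside the Cloudflare
    ranges, addresses inside them, and entries that are not IP addresses.
    """
    visitors, proxies, invalid = [], [], []
    for raw in field.split(","):
        entry = raw.strip()
        if not entry:
            continue  # tolerate trailing commas or doubled separators
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            invalid.append(entry)  # keep for manual review, never drop silently
            continue
        (proxies if is_cloudflare(addr) else visitors).append(str(addr))
    return visitors, proxies, invalid


if __name__ == "__main__":
    # Constructed sample values (documentation address plus one in 172.64.0.0/13).
    for sample in ("203.0.113.45, 172.70.110.12", "198.51.100.7"):
        print(sample, "->", split_source_ip(sample))
```

An alert whose only address lands in the proxy list still needs manual review, since this check says nothing about who was behind that address.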