Hi Nathan and everyone,
Usually canary token alerts only contain one “Source IP” IP address when I get them.
When I test canary tokens from one particular computer, the alert always contains 2 comma-separated IP addresses in the “Source IP” line.
The first IP address is the “correct” external IP - and the second IP address is always a Cloudflare IP address.
If I go to dnsleaktest then I often see the exact same second IP as the DNS server according to the test.
But I cannot make queries via dig or nslookup to that IP - they just time out.
So I can’t use that IP as a DNS server even if I wanted to.
The computer is connected to a router with a WireGuard VPN client.
Cloudflare is not set up to be my DNS provider and the router should not be using DNS over TLS.
So, is that second IP address a DNS leak? Is it the DNS server that the WireGuard server specifies? Or is it some kind of Cloudflare CDN thing?
I am curious both for myself and in case this happens for real - when I am not testing the web bug canary token.