{"id":2603,"date":"2019-10-22T17:00:03","date_gmt":"2019-10-22T09:00:03","guid":{"rendered":"https:\/\/www.mondoze.com\/guide\/?post_type=kb&p=2603"},"modified":"2022-10-05T08:02:50","modified_gmt":"2022-10-05T00:02:50","slug":"warning-about-exposing-your-origin-ip-address-via-dns-records","status":"publish","type":"kb","link":"https:\/\/www.mondoze.com\/guide\/kb\/warning-about-exposing-your-origin-ip-address-via-dns-records","title":{"rendered":"Warning about exposing your origin IP address"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t

Warning about Exposing your Origin IP Address<\/h2>\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t
\n\t\t\t\t

When you have grey-clouded DNS records, Cloudflare may warn you that your DNS records might reveal your origin server\u2019s IP address. This is most common with A, AAAA, CNAME, and MX DNS records.<\/em><\/p>

Overview<\/strong><\/h3>

When your DNS records are orange-clouded, Cloudflare speeds up and protects your site.<\/p>

A\u00a0dig<\/em> query against your orange-cloud root domain returns a Cloudflare IP address. This way, your origin server\u2019s IP address remains concealed from the public. Remember that orange cloud benefits only apply to HTTP traffic.<\/p>

Under certain circumstances, the\u00a0DNS Records<\/strong>\u00a0panel in the Cloudflare dashboard\u00a0DNS<\/strong> app displays a warning whenever you have grey-clouded DNS records that may expose your origin server\u2019s IP address. This warning does not block, or in any way affect, traffic destine to your site.<\/p>

When your server\u2019s IP address is expose, your server is more vulnerable to direct attacks.<\/p>

Below are two cases where you might see an IP exposure warning from Cloudflare.<\/p>

Case 1 – DNS records that should be orange-clouded<\/strong><\/h3>

If you see the following warning:<\/p>

This record is exposing your origin server\u2019s IP address. To hide your origin IP address, and increase your server security, click on the grey cloud to change it to orange.<\/em><\/p>

Cloudflare recommends orange-clouding the record so that any dig query against that record returns a Cloudflare IP address and your origin server IP address remains concealed from the public.<\/p>

To take advantage of Cloudflare\u2019s performance and security benefits, we recommend you orange-cloud DNS records that handle HTTP traffic, including A, AAAA, and CNAME. Do not orange-cloud MX records.<\/p>

Case 2 – DNS records that need to be grey-clouded<\/strong><\/h3>

When you have a grey-clouded\u00a0A<\/em>,\u00a0AAAA<\/em>,\u00a0CNAME<\/em>, or\u00a0MX<\/em>\u00a0record pointing to the same origin server hosting your site, Cloudflare displays one of the following warnings:<\/p>

An A, AAA, CNAME, or MX record is pointed to your origin server exposing your origin IP.<\/em><\/p>

This record is exposing your origin server\u2019s IP address, potentially exposing it to denial of service.<\/em><\/p>

Wildcard “*<\/strong>” DNS records can only be proxied to Cloudflare for domains on the Enterprise plan. For all other plans, a wildcard DNS record reveals the origin IP.<\/p>

A\u00a0dig<\/em>\u00a0query against these records reveals your origin server\u2019s IP address. This information makes it easier for potential attackers to target your origin server directly.<\/p>

However, there are times when some of your DNS records need to remain grey-clouded. For example:<\/p>