Exposing Origin Server IP with Nonproxied SRV Record
hey!
I'm kind of new to setting up a domain with Cloudflare and have a question that's been bugging me recently, and I just can't seem to find what I'm looking for online. If I have an A record for a subdomain on my website which is proxied through Cloudflare and an SRV record for the same subdomain for a TCP service that runs there, it'll be unproxied with the free option for Cloudflare. There's this warning message that I get stating that the origin server IP proxied through Cloudflare will be exposed. So if I dig the domain or simply ping it, I'll get back the Cloudflare IP. I'm wondering how I could actually find the true origin server IP (my server provider), as I'm warned.
Thanks for reading
The normal CF Proxy only supports HTTP connections, so any others would just fail anyway.
If you point a SRV record at a proxied IP, CF creates a virtual A Record and points the SRV record at that. You just need to look up the srv record, not the domain.
What's the domain?
Yeah, I'm aware. I can create the SRV record for a subdomain where TCP packets are sent to with some other software. The service works just fine.
I'm asking from a security standpoint now: if I have my domain proxied (mydomain.com), then a subdomain proxied (sometcp.mydomain.com), and finally an SRV record for that same subdomain, I get that warning. Please elaborate on "looking up the SRV record."
This is all for a client and I would need to first ask permission for sharing the domain, my apologies.
Sure, no worries.
You can find the format of SRV records here: https://www.cloudflare.com/learning/dns/dns-records/dns-srv-record/
With nslookup (Windows), you would do something like:
nslookup -q=SRV _ldap._tcp.mydomain.com
With dig (Linux):
dig _ldap._tcp.mydomain.com srv
To break it down further, you have the service _ldap, the protocol _tcp. The CF Dash DNS Records panel will show you the Name, and then you can just append that to the domain name to get the record to look up.
What CF does when you point at a proxied hostname is create a virtual A record, for example, it might look something like
As such, your origin's real IP is fully exposed, it's just a bit harder to get per se. Clients who connect to that service would still look it up and connect directly to it.
(Of course, your service and protocol will vary, I was just using ldap and tcp as an example.)
Thank you for your response.
My service is, in fact, TCP, and with dig I am getting some data back but not an ANSWER. nslookup tells me it is a nonexistent domain, even though it is running and functional. However, this SRV was disabled until a few minutes ago due to this possible security risk and I have just brought it back online. Is that a factor in not seeing this output? Obviously if I do the same for the subdomain it is supposed to run on, I get back the correct Cloudflare IP.
If I put the subdomain in there (_myservice._tcp.tcpsubdomain.mydomain.com) I do get an ANSWER but no address as seen in your example.
iirc just recursive resolvers will do that, if you slap @1.1.1.1 at the end of your dig command, do you see it?
But yea, the subdomain is part of the name, I guess the dashboard kind of hides those
At the very end?
dig _myservice._tcp.tcpsubdomain.mydomain.com srv @1.1.1.1
Yea, or if you get back the SRV Record response, it should contain the target at the end. Something starting with _dc-srv if it's proxied. You could just manually look that up after
Ahh I got it backwards, it's when you query the authoritative nameservers directly that it includes the real value of the A record in the additional section, to try to speed things up I imagine. In the real world though, it would just query for the A/AAAA records of it after
I see
In regards to this, I do get back a _dc-srv followed by some hex value, the _myservice._tcp.tcpsubdomain.mydomain.com
What is it you suggest to do with this?
Nice, take that and look that up, just the entire hostname ending with your domain, for example, it'd be something like
dig _dc-srv.hgigioghgioh.tcpsubdomain.mydomain.com
dig defaults to A/IPv4 if you don't specify
With any luck, you'll get back a response with the real IP of the SRV record target
Yep, that worked
Thank you so much for your cooperation
No problem. Yea, that's what clients do, only a lot quicker ;p and that's why it's warning you
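The lookup chain this thread walks through (SRV record, then the _dc-srv target, then its A record) can be turned into a self-contained check of your own zone. The script below is an added example, not code from the thread or from Cloudflare: it parses dig-style SRV and A answers and flags any SRV target whose A record falls outside Cloudflare's proxy ranges, which is the exposure the dashboard warning describes. Everything in it is constructed: the hostnames follow the thread's placeholders, the hex label and addresses are made up (203.0.113.0/24 is documentation space), and the Cloudflare prefix list is an assumed snapshot that has to be refreshed from https://www.cloudflare.com/ips-v4 before use. Because the A record may arrive in the ADDITIONAL section when the authoritative servers are queried, the parser reads A lines from any section.

```python
"""Audit SRV targets for origin IPs that sit outside Cloudflare's proxy ranges.

Added example (not from the thread): feed it the text of `dig ... srv` and the
follow-up `dig <target>` and it reports SRV targets that resolve to a non-Cloudflare
address, i.e. the origin IP any client doing the same lookups will see.
"""
import ipaddress
import re
from typing import Dict, List, NamedTuple

# ASSUMPTION: partial snapshot of Cloudflare IPv4 prefixes; refresh from
# https://www.cloudflare.com/ips-v4 before relying on it in a real audit.
CLOUDFLARE_V4 = [ipaddress.ip_network(p) for p in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "173.245.48.0/20",
    "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22", "141.101.64.0/18",
    "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20", "197.234.240.0/22",
    "198.41.128.0/17", "162.158.0.0/15", "131.0.72.0/22",
)]

# Constructed dig output for the thread's placeholder names (not a real zone).
SRV_OUTPUT = """\
;; ANSWER SECTION:
_myservice._tcp.tcpsubdomain.mydomain.com. 300 IN SRV 0 5 12345 _dc-srv.EXAMPLEHEX.tcpsubdomain.mydomain.com.
"""
A_OUTPUT = """\
;; ANSWER SECTION:
_dc-srv.EXAMPLEHEX.tcpsubdomain.mydomain.com. 300 IN A 203.0.113.10
;; ADDITIONAL SECTION:
tcpsubdomain.mydomain.com. 300 IN A 104.16.1.1
"""


class SrvTarget(NamedTuple):
    name: str
    priority: int
    weight: int
    port: int
    target: str


# dig answer lines look like: NAME TTL IN SRV PRIO WEIGHT PORT TARGET
SRV_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)", re.M)
A_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)", re.M)


def parse_srv(dig_output: str) -> List[SrvTarget]:
    """Extract SRV records; trailing dots on names are dropped for comparison."""
    return [SrvTarget(m[1].rstrip("."), int(m[2]), int(m[3]), int(m[4]), m[5].rstrip("."))
            for m in SRV_LINE.finditer(dig_output)]


def parse_a(dig_output: str) -> Dict[str, List[str]]:
    """Map each name to its A addresses, from ANSWER or ADDITIONAL sections alike."""
    addrs: Dict[str, List[str]] = {}
    for m in A_LINE.finditer(dig_output):
        addrs.setdefault(m[1].rstrip("."), []).append(m[2])
    return addrs


def is_cloudflare(ip: str) -> bool:
    """True if the address lies in one of the (snapshot) Cloudflare prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def audit(srv_output: str, a_output: str) -> List[dict]:
    """Return one finding per SRV target address that is not a Cloudflare IP."""
    findings = []
    addrs = parse_a(a_output)
    for rec in parse_srv(srv_output):
        for ip in addrs.get(rec.target, []):
            if not is_cloudflare(ip):
                findings.append({"srv": rec.name, "target": rec.target,
                                 "port": rec.port, "ip": ip})
    return findings


if __name__ == "__main__":
    for f in audit(SRV_OUTPUT, A_OUTPUT):
        print(f"{f['srv']} -> {f['target']}:{f['port']} resolves to non-Cloudflare IP {f['ip']}")
```

In practice you would capture `dig _myservice._tcp.tcpsubdomain.mydomain.com srv @1.1.1.1` and `dig <target>` into the two strings; an empty findings list means every SRV target still lands on a Cloudflare address, and a non-empty one is the same result the thread reached by hand.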
This was really for personal learning. I would assume I should find a TCP security service and point a CNAME to that to point to my service, correct?
If you think such protection is necessary, then yea you should find some DDoS protection for it. Cloudflare offers Cloudflare Spectrum, but for arbitrary use/it not being really expensive $1/gb you need the Enterprise version.
The minimum is $1/gb?
Spectrum's non-enterprise version requires Pro or higher, is limited to Minecraft/rdp (requires biz)/ssh, and is $1/gb of bandwidth yea, pretty expensive
It's more of a trial, the Enterprise version gets any port and a custom contract/etc, but Enterprise pricing in general starts pretty high, few thousand a month (although it will vary). Worth it for some like Hypixel for example, but not too workable for small companies and personal use
Anyway for DDoS Protection the cheapest is usually generic protection offered by the host, like with vps/dedicated servers. OVH for example (although theirs isn't the best), iirc DigitalOcean has some for free, etc. For more specific protection, it gets more expensive.
If your service is Minecraft, TCPShield has a decent free plan
Otherwise gotta look around
I see. Can I set this up with DigitalOcean without using them as an actual host?
All I need this for is TCP protocol DDoS protection & IP hiding
Not sure how good their protection is, but in general you can. For example, using GRE Tunnels, like https://wiki.buyvm.net/doku.php/gre_tunnel
I haven't worried about non-http ddos protection for a while. Path.net has some application specific filters, can find some resellers like buyvm who use them and use their protection (it's who that guide is from).
It'll add latency though.
Like I said though, you might want to look around. It's helpful the more specific the protection is, if you're using a specific protocol or game, a specific ddos protection has a filter for it, you'll have better results. See what other people use for the same service, etc.
It might be a bit overkill in general though unless you really think you're going to get attacked
Anyway, that's all unrelated to CF
I understand. Would it be alright to post here in the future with any questions, if it's no burden for you?
Otherwise thank you so much for your help today.
If it's anything CF related absolutely, for anti-DDoS stuff I'm just not well informed on it. Back in the day I used OVH Anti-DDoS stuff and it worked ok against some minor attacks, and no latency since they are the host, but I have heard since then and know there are ways around their anti-DDoS. For example, traffic coming from within their own network isn't filtered. So I'm just not too sure, and it varies a fair bit by service as well. If it's not game server anti-DDoS / you have some budget, there are a lot of Enterprise DDoS solutions, like CF Spectrum/Magic Transit, of which I also don't know much about other than that they protect. If it's game server anti-DDoS, there's lots of content out there about specific games and such if you Google
All of that stuff is a bit of a weird landscape with people always claiming there are ways around, and inevitably there will be, even with filters made for specific games: if the DDoS traffic conforms to that game's protocol, then there's not much more you can do without true application protection like TCPShield has for Minecraft, where players literally connect to it first (as a full Minecraft server, it handles auth and all) and it proxies the connection (kind of like Cloudflare's HTTP protection)
Sure, I'll do some searching into this with OVH and buyvm for this project of mine for a client. Unfortunately, it's not Minecraft; however, that might come in useful for a personal Minecraft server lol
Thanks again
buyvm isn't really a production/enterprise host lol, path.net is though, and they have other resellers like their own Tempest Hosting. Not too much experience with them though, but at the very least I wouldn't use buyvm for commercial use. Their guide is good though
no problem, best of luck
I see. Thanks
One last question, this thread won't be going anywhere, correct? I should be able to refer back to it in the future?
Yea threads/posts stick around forever, it'll drop off the active list at some point but it'll never be deleted (or even closed, at least right now)
Great