DNS Proxy for multi-level CNAME

I'm looking into using the Cloudflare WAF in front of a web application where my DNS is already hosted authoritatively as part of an account on the free tier in Cloudflare. I can't figure out from the documentation if what I'm trying to do is supported.

There are two scenarios (based on DNS records):

staff.env.mydomain.com

staff.env.mydomain.com

(CNAME) ->

resourceName.mydomain.com

resourceName.mydomain.com

(A)

staff.prod.externaldomain.com

staff.prod.externaldomain.com

(CNAME - not in Cloudflare) ->

prod.mydomain.com

prod.mydomain.com

(CNAME) ->

resourceName.mydomain.com

resourceName.mydomain.com

In testing scenario #1, I enable "Proxied" feature on the

resourceName.mydomain.com

resourceName.mydomain.com

(A) record, however I don't see traffic in Cloudflare Analytics, and my test IP block rule doesn't fire.
Is this is a supported configuration?

If I set

staff.env.mydomain.com

staff.env.mydomain.com

(CNAME) to "Proxied" directly, then I get a warning about "Advanced Certificate Manager being necessary, which I haven't got to testing yet; and this wouldn't be possible in my scenario #2 where the actual hostname is external to me as it is.

My hope was to enable Proxied on my resource A record and get at least some of the features of the WAF working.

JJadus I'm looking into using the Cloudflare WAF in front of a web application where my...

Chaika•12/8/24, 9:25 PM

staff.env.mydomain.com (CNAME) -> resourceName.mydomain.com (A)

Need Adv Cert to cover subdomain to deep, wildcard universals only cover first level. You could do or directly

staff.env.mydomain.com

staff.env.mydomain.com

staff.prod.externaldomain.com (CNAME - not in Cloudflare) -> prod.mydomain.com (CNAME) -> resourceName.mydomain.com

Need Cf For SaaS (ssl/tls -> custom hostnames, first 100 free, then it's $0.10 per custom hostname over the 100 you get for free)
https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/

In testing scenario #1, I enable "Proxied" feature on the resourceName.mydomain.com (A) record, however I don't see traffic in Cloudflare Analytics, and my test IP block rule doesn't fire.
Is this is a supported configuration?

Sounds like DNS Cache

If I set staff.env.mydomain.com (CNAME) to "Proxied" directly, then I get a warning about "Advanced Certificate Manager being necessary, which I haven't got to testing yet; and this wouldn't be possible in my scenario #2 where the actual hostname is external to me as it is.

CF for SaaS takes care of issuing the external certificate. Adv. certs takes care of internal cert.

One big disclaimer though:

resourceName.mydomain.com

resourceName.mydomain.com

will see the original hostnames of

staff.env.mydomain.com

staff.env.mydomain.com

and

staff.prod.externaldomain.com

staff.prod.externaldomain.com

and needs to be able to handle traffic for those hostnames.
Additionally, if this was a Pages Project or R2 Custom Domain, CF for SaaS is already used internally so you can't layer it twice

You could also just do instead of

staff.env.mydomain.com

staff.env.mydomain.com

and not need to pay for adv cert manager. When you're pointing CNAMEs in the same account, CF cheats and jumps to the target of the destination record since it knows it. You can't point external domain CNAMEs to CF accounts without CF For SaaS/Custom Hostnames

Cloudflare Docs

Configuring Cloudflare for SaaS · Cloudflare for Platforms docs

Get started with Cloudflare for SaaS

JadusOP•12/9/24, 8:56 PM

Thanks for the response Chaika, I appreciate it. From your response the scenario #1 test I gave with Proxied "resource A record" should work (?) but it definitely doesn't, and it isn't a DNS cache issue.

I've read up on the docs of Cloudflare for SaaS but it sounds like the limitations of a single "Fallback origin" will be too restrictive unless I look at an Enterprise plan; this is because the scenario is for multiple different types of

staff.prod.externaldomain.com

staff.prod.externaldomain.com

which need to be routed to different origins. This is why I was questioning the use of Partial CNAME configuration instead.

gabrielkctudo•12/12/24, 1:05 PM

Hello!
I having the same trouble with the cloudflare.
I created a list of blocked IPs, i can't block test IPs outside of our enviroment.