Presently, when one defines an SRV record whose target host is a Cloudflare-proxied hostname within the same domain, a client lookup instead returns an automatically generated host of dc-<id>.example.com in order to bypass the Cloudflare proxy for that service (a ‘shadow record’).
Although this may be advantageous in situations where users have set the record up without thinking about the nature of the traffic and whether Cloudflare will pass it upstream (e.g. an SRV record for a Minecraft server, which Cloudflare clearly can’t proxy), there are situations where the defined record has been set to a Cloudflare-proxied hostname on purpose, and you break things by simply changing it unnecessarily on us.
For example, an SRV record which is used to point to an HTTPS end-point could conceivably need to be set to a target of port 443 on a Cloudflare-proxied host www.example.com. Changing this target to dc-<id>.example.com could yield an unusable record, as the backend won’t necessarily serve a valid cert for dc-<id>.example.com, and the client may even drop all non-Cloudflare-proxied traffic in the firewall, for example.
My opinion is that any SRV record where the target host/port combination may be proxied by Cloudflare should be returned completely as specified by the user, without any unnecessary conversion to a
It should be noted that this is already the behaviour where the target host is proxied by Cloudflare but is external to the domain hosting the SRV record: i.e. if I have two hosts (
www.example.org) both proxied by Cloudflare, then I can set an SRV record on example.com which points to port 443 on www.example.org just fine! So this has nothing to do with there being a technical reason restricting your ability to have an SRV record point to Cloudflare-proxied hostnames; it’s just that the logic as to when records are converted to dc-<id>.example.com is screwy. Instead of converting a record ‘when host is Cloudflare-proxied and in this domain’ (existing behaviour), it should be: convert this record ‘when host is Cloudflare-proxied and port isn’t one we proxy’.
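The post contrasts two rewrite rules for SRV targets: the existing one (rewrite when the target is proxied and inside the zone) and the proposed one (rewrite when the target is proxied and the port is not one the proxy serves). The script below is an added illustration, not code from the poster or from Cloudflare: it encodes both rules as stated in the post and runs them over a few constructed SRV records so you can see which records the existing rule turns into a shadow record even though the proxy would have served the port. The set of proxied ports and the dc-<id> naming pattern are assumptions taken from Cloudflare's public documentation and from the post respectively; check them against the current docs before relying on the output.

```python
import re
from dataclasses import dataclass

# Assumption: ports Cloudflare's proxy accepts for HTTP/HTTPS per its public
# documentation at the time of writing. Verify against the current docs.
CLOUDFLARE_PROXIED_PORTS = frozenset({
    80, 8080, 8880, 2052, 2082, 2086, 2095,   # HTTP
    443, 2053, 2083, 2087, 2096, 8443,        # HTTPS
})

# Assumption: shadow hosts look like dc-<id>.<zone>; the exact <id> alphabet is
# not documented in the post, so this pattern is deliberately loose.
SHADOW_RE = re.compile(r"^dc-[a-z0-9]+\.", re.IGNORECASE)


@dataclass(frozen=True)
class SrvRecord:
    name: str
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(line: str) -> SrvRecord:
    """Parse one zone-file / dig-style SRV line, e.g.
    '_https._tcp.example.com. 300 IN SRV 10 5 443 www.example.com.'"""
    fields = line.split()
    if len(fields) != 8 or fields[3].upper() != "SRV":
        raise ValueError(f"not an SRV record: {line!r}")
    name, _ttl, _cls, _rtype, prio, weight, port, target = fields
    return SrvRecord(name.rstrip(".").lower(), int(prio), int(weight),
                     int(port), target.rstrip(".").lower())


def in_zone(host: str, zone: str) -> bool:
    return host == zone or host.endswith("." + zone)


def current_rule(rec: SrvRecord, zone: str, proxied_hosts: set) -> bool:
    """Existing behaviour as described in the post: rewrite when the target is
    proxied AND lives in the same zone as the SRV record."""
    return rec.target in proxied_hosts and in_zone(rec.target, zone)


def proposed_rule(rec: SrvRecord, proxied_hosts: set,
                  proxied_ports=CLOUDFLARE_PROXIED_PORTS) -> bool:
    """Rule the post proposes: rewrite only when the target is proxied AND the
    port is one the proxy would not carry (so the record would be useless)."""
    return rec.target in proxied_hosts and rec.port not in proxied_ports


def audit(lines, zone: str, proxied_hosts: set):
    """Return (record, verdict) pairs. 'rewrite-breaks-proxied-port' marks the
    case the post complains about: the current rule produces a shadow record
    for a port the proxy would have served, so the original target was fine."""
    out = []
    for line in lines:
        rec = parse_srv(line)
        cur = current_rule(rec, zone, proxied_hosts)
        prop = proposed_rule(rec, proxied_hosts)
        if cur and not prop:
            verdict = "rewrite-breaks-proxied-port"
        elif cur:
            verdict = "rewrite-needed"   # e.g. Minecraft: the proxy can't carry it
        else:
            verdict = "left-alone"
        out.append((rec, verdict))
    return out


def is_shadow_target(target: str) -> bool:
    """True if a target returned to a client looks like a dc-<id> shadow host;
    handy when diffing what the zone says against what resolvers hand back."""
    return bool(SHADOW_RE.match(target))


# Constructed sample data, not taken from any real zone.
ZONE = "example.com"
PROXIED_HOSTS = {"www.example.com", "mc.example.com", "www.example.org"}
SAMPLE_SRV = [
    "_https._tcp.example.com.     300 IN SRV 10 5 443   www.example.com.",
    "_minecraft._tcp.example.com. 300 IN SRV 0  0 25565 mc.example.com.",
    "_https._tcp.example.com.     300 IN SRV 20 5 443   www.example.org.",
]

if __name__ == "__main__":
    for rec, verdict in audit(SAMPLE_SRV, ZONE, PROXIED_HOSTS):
        print(f"{rec.name} -> {rec.target}:{rec.port}  {verdict}")
```

Running it flags the first record (port 443 on an in-zone proxied host) as one the existing rule rewrites but the proposed rule would leave alone, marks the Minecraft record as a rewrite both rules agree on, and leaves the external www.example.org target untouched under both, which matches the behaviour the post describes. To use it against a real zone, feed it the SRV lines from a zone export and the set of hostnames that have the proxy enabled.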