Are the DNS CNAMEs set in CF when using wildcard certificate public info?

This may be a dumb question, but I have a wildcard certificate from Let’s Encrypt and have configured my DNS records as follows with an nginx backend:

A | domain.tld | my IP (proxied)
CNAME | * | domain.tld (proxied)
CNAME | test.domain.tld | domain.tld (not proxied)

I want to use test.domain.tld for streaming video and not break TOS with the free plan.

However, I was wondering if these CNAME configs are “leaked” similar to how the wildcard SSL cert is public knowledge? Or are these CNAMEs completely obfuscated behind Cloudflare's own servers so that someone would have to guess test.domain.tld similar to the other services I run behind the wildcard DNS?

Sorry for the duplicate post, realized afterwards that I didn’t specify a topic.

Welcome to the Cloudflare Community.

The configuration you show will not work as you hope. You have a DNS Only CNAME pointed at a proxied hostname. That will result in a proxied connection and will cause the ToS violation that you thought you were avoiding. You need to use an A record for what you are trying to do and it will expose your origin IP.

You may benefit from this brief explainer.

Proxied CNAMEs are actually published as synthetic A and AAAA records of Cloudflare proxy IPs. DNS Only CNAMEs are published as CNAME records.

Thank you! I figured it wasn’t proxied since I see my IP when pinging test.domain.tld. Is there a good way to test if a given subdomain is proxied through CF?

I suppose I’ll just leave everything as DNS only then and deal with it on my reverse proxy!

You don’t need to leave everything DNS Only. You just can’t point a DNS Only CNAME at a proxied hostname since it will resolve to Cloudflare proxy IPs.

There are multiple ways to identify whether a hostname is proxied. The most obvious is the IPs, but you can also view headers that will provide that indication.
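An added, offline illustration of both indicators mentioned in this thread (example code written for this page, not from Cloudflare): it follows the CNAME chain in `dig +noall +answer` style output, checks whether the final A records fall inside a subset of Cloudflare's published IPv4 ranges (assumed subset; fetch the live list from https://www.cloudflare.com/ips-v4 in real use), and separately flags the `cf-ray` response header. The record lines for domain.tld are constructed to mirror the setup described above.

```python
import ipaddress
# Subset of the IPv4 ranges Cloudflare publishes at https://www.cloudflare.com/ips-v4.
# Assumption: fetch the current list in real use; this subset is embedded to run offline.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13", "104.24.0.0/14",
    "172.64.0.0/13", "162.158.0.0/15", "198.41.128.0/17", "141.101.64.0/18")]

# Constructed answer section in `dig +noall +answer` layout for the records in this thread.
SAMPLE = """\
test.domain.tld.   300 IN CNAME domain.tld.
domain.tld.        300 IN A     104.16.1.1
app.domain.tld.    300 IN A     172.64.5.5
video.domain.tld.  300 IN A     203.0.113.10
"""

def is_cloudflare_ip(addr):
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in CLOUDFLARE_V4)

def parse_answers(text):
    """Turn `owner ttl class type rdata` lines into (owner, type, rdata) triples."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) >= 5:
            owner, _ttl, _cls, rrtype, rdata = parts[:5]
            records.append((owner.rstrip(".").lower(), rrtype, rdata.rstrip(".").lower()))
    return records

def classify(hostname, records):
    """Follow CNAMEs to the final A records and report where traffic lands: 'proxied'
    (synthetic A records of Cloudflare IPs, no CNAME visible), 'proxied-via-cname'
    (a DNS Only CNAME ending at a proxied name, still proxied), 'dns-only' (final
    addresses are not Cloudflare's: origin IP exposed) or 'unresolved'."""
    name, saw_cname = hostname.rstrip(".").lower(), False
    for _ in range(8):  # bound the walk so a CNAME loop cannot spin forever
        cnames = [r for o, t, r in records if o == name and t == "CNAME"]
        if cnames:
            name, saw_cname = cnames[0], True
            continue
        addrs = [r for o, t, r in records if o == name and t == "A"]
        if not addrs:
            return "unresolved"
        if all(is_cloudflare_ip(a) for a in addrs):
            return "proxied-via-cname" if saw_cname else "proxied"
        return "dns-only"
    return "unresolved"

def proxied_by_headers(headers):
    """Second indicator: Cloudflare's proxy adds a cf-ray header to every response."""
    return any(k.lower() == "cf-ray" for k in headers)
```

The `test.domain.tld` case reproduces the mistake discussed above: the CNAME is visible in DNS, but its target resolves to Cloudflare IPs, so the connection is still proxied.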