CF Script injection with Proxy off!

I was suprised to see cloudflare’s bot fighting script was being injected even for a subdomain that has proxy disabled! How is this even possible? Confirmed DNS resolves directly to my server IP.

Turning OFF the script injection on the bot fight settings removed it.

This baffles me. Can anyone explain?

Is the subdomain a CNAME that points to a proxied hostname?

A :grey: CNAME that points to an :orange: hostname is proxied.

It is a cname, but to a non proxy subdomain. when I dig the subdomain in question i get the actual IP of the server hosting the content (and i see the cname too). It really baffles me how there could still be an injection happening if the dns resolves directly to the server.

Can you share the FQDN of the hostname in question?

Nevermind, I figured it out. I knew there was NO WAY for that injection if the DNS was properly resolving direct. That led me deeper into the code where I found it was doing an internal web-call to the proxied sub-domain. :man_facepalming:

mystery solved! thanks!

1 Like