Cloudflare DNS server ( and rebind protection question

Hi all,

First of all, thanks Cloudflare team for being awesome and make great products! :wink:

As per the tittle, I have a question in regard to rebinding protection with using as upstream DNS server. Is there any official comm from Cloudflare about DNS rebinding protection if we use as main DNS?

I have not seen it anywhere so i can’t be sure but when i perform some tests using my rebinding domain with TTL set to 0 second, I can see Google ( reliably flipping back and forth between internal and external IP but it does not happens with This suggests to me that even though the result returns to the end user that TTL is 0 second, Cloudflare DNS server actually caches the result and does not go back to the DNS server I control to get the new DNS record.


While i’m sure this may break RFC as Cloudflare does not honor my TTL value, i much prefer it as I see little to no reason for TTL to ever be set to 0 second unless for this kind of attack. With that said, while I already switched all my devices/home router to use … I would like to also recommend or use it as part of mitigation for server side issues/vulnerabilities. Can someone from Cloudflare team help confirming this is indeed a feature provided by and will remain forever? :slight_smile:

Many thanks,

Hi @santrancisco :raised_hand:

As you said, there’s no real use of ridiculous low TTL, and our resolver doesn’t honor it. It’s not a feature(not a bug neither), and currently we have no plan to change it.

Happy digging :smiley:

1 Like

Sweet! Thank you for confirming it!

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.