DDoS protection for subdomain - direct traffic vs CNAME redirection traffic

If a domain is hosted on Cloudflare and an application runs on a subdomain, all traffic to this application will be DDoS protected. For DDoS protection to work, does it matter if the traffic is sent directly to this subdomain or via another domain pointing to this subdomain?

Is it that the traffic sent directly to this subdomain will be DDoS protected and the traffic that would come in via CNAME redirection to this subdomain will not be DDoS protected?

Putting an :orange: on a hostname is the shield.

If I CNAME my :orange: sub.example.com to somewhere.domain.com that doesn’t have Cloudflare protection, my :orange: CNAME shields that connection.

If I CNAME my :grey: sub.example.com to an :orange: somewhere.domain.com, <-- that hostname is shielded.

You can verify this by doing an IP address lookup for a hostname. If it returns Cloudflare IP addresses (typically 104.xxx or 172.xxx), it’s shielded. Pro-Tip: an :orange: CNAME appears as an “A” record with those Cloudflare IP addresses.

In your reply you say: ":orange: sub.example.com to somewhere.domain.com that doesn't have Cloudflare protection, my :orange: CNAME shields that connection."

What I want to know is that if traffic originates from

abc.com -> :orange: sub.example.com -> somewhere.domain.com

or

xyz.com -> :orange: sub.example.com -> somewhere.domain.com

will somewhere.domain.com still be DDoS protected?

No. If someone bypasses sub.example.com and directly attacks somewhere.domain.com, it’s not shielded.

But as I said, your abc and xyz are set to :orange: and will appear as an "A" record that will not reveal the CNAME connection.

If abc.com or xyz.com are attacked, somewhere.domain.com is DDoS protected because :orange: sub.example.com is shielded by Cloudflare, correct?

I understand that if somewhere.domain.com is directly attacked then Cloudflare won’t be able to help because it has been bypassed.

To add, abc.com and xyz.com will not have their DNS on Cloudflare

Can you please confirm if what I wrote in my last reply was correct. My next question is based on whether this statement is correct or not.

This is all getting a bit confusing.

Cloudflare provides DDoS protection when the IP address used for a hostname is on the Cloudflare network. This is generally when the DNS is hosted by Cloudflare or using a CNAME setup, and the hostname is :orange:.

If example.net is on Cloudflare and is :orange:, it is able to avail of all Cloudflare features. This is the usual setup.

If example.com is not on Cloudflare, but CNAMEs to an :orange: Cloudflare hostname, it will not work at all, as Cloudflare will not return any response for a hostname it does not know about. CNAMEs happen at a DNS level, they do not change the HTTP host header.

So if abc and xyz are CNAMEs of an :orange: hostname, and there is no other configuration in Cloudflare for abc/xyz, they will not work.

Any hostname that resolves to an IP address not on Cloudflare's network gets no protection.

(There are some exceptions here, such as SSL for SaaS, and cross account CNAMEs).


Thank you for this clarification. So in order to make abc.com and xyz.com successfully CNAME to a Cloudflare-protected hostname, it's important that Cloudflare knows about these domains. And one way to do this is SSL for SaaS, which will generate a certificate for these domains and put them on Cloudflare so that an incoming request can be allowed through by Cloudflare.

My follow-up to the above statement is: given that the SSL for SaaS pricing is not something we can afford till we hit a certain number of paying customers, is there a way that we can ourselves manage SSL certificate creation and deployment to both our servers and Cloudflare? I do know that it would be a little difficult process to manage on our side, but is it possible to do? Later, when our numbers work out for us, we can shift to SSL for SaaS.
