DNS Proxy and firewall ingress restriction

We are using DNS proxy for the majority of our DNS records.
I was wondering if we need to restrict to the Cloudflare IP addresses when the traffic hits our firewall.

Ex.
proxy record sitename.com

rule on firewall
source : cloudflare ip addresses
destination : sitename.com
port : ssl
accept

Would we need to do this? Will this improve security?

That would be best. Then attackers won’t be able to bypass Cloudflare and hit your origin directly.


In the case of a host where access is restricted by IP address and the DNS record is proxied, would I need to move those restricted IP addresses to the Cloudflare firewall and set only the Cloudflare IP addresses on that host?

Cloudflare firewall (move the IP restrictions previously on the host).
Local firewall:
source : Cloudflare IP addresses
destination : host

Overkill?

If you mean by DNS proxy that you proxied those records, then yes, you should configure your firewall to only allow requests from Cloudflare. The example you posted earlier should work, assuming you have a rejection policy by default. In that case a connection from every address other than Cloudflare’s would be rejected and only Cloudflare will be able to connect.

Anything regarding banned, regular client IP addresses would then not be configured on an IP level on your server or firewall, but either within your webserver (evaluating the header Cf-Connecting-IP) or - as you mentioned - you set it up on Cloudflare’s side with IP access or firewall rules.

That’s a pretty standard setup actually.

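The two controls described in the reply above, as an added example that is not code from either poster: a firewall-level decision (and the nftables ruleset it corresponds to) that accepts TLS traffic only from Cloudflare ranges with a default drop, and a webserver-level check that honours Cf-Connecting-IP only when the TCP peer actually is Cloudflare, then applies the per-client ban list to that address. The CIDR list is constructed from documentation prefixes; a real deployment loads the published lists at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 and refreshes them. All function names are my own.

```python
"""Origin lockdown for a Cloudflare-proxied host (added example).

Check 1, firewall: only connections whose source is a Cloudflare address
may reach the TLS port; everything else is dropped by default policy.
Check 2, webserver: Cf-Connecting-IP is trusted only when the peer is
Cloudflare, so a direct connection cannot spoof a client address to
evade an IP ban.
"""
import ipaddress
from typing import Dict, Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# CONSTRUCTED sample ranges (RFC 5737 / RFC 3849 documentation prefixes),
# not Cloudflare's real list.
SAMPLE_CLOUDFLARE_RANGES = [
    "198.51.100.0/24",
    "203.0.113.0/24",
    "2001:db8:cf::/48",
]


def parse_ranges(cidrs: Iterable[str]) -> List[Network]:
    """Parse CIDR strings; strict=True rejects host bits set in a prefix."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_in_ranges(addr: str, nets: List[Network]) -> bool:
    """True if addr falls inside any network (v4/v6 mismatches compare False)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def firewall_decision(src_addr: str, dst_port: int, cf_nets: List[Network],
                      allowed_ports=(443,)) -> str:
    """Mirror of the rule in the first post: Cloudflare -> TLS port accept,
    otherwise drop (the default-reject policy the reply relies on)."""
    if dst_port in allowed_ports and is_in_ranges(src_addr, cf_nets):
        return "accept"
    return "drop"


def nft_ruleset(cf_nets: List[Network], dst_port: int = 443) -> str:
    """Render an equivalent nftables ruleset with policy drop on input."""
    v4 = ", ".join(str(n) for n in cf_nets if n.version == 4)
    v6 = ", ".join(str(n) for n in cf_nets if n.version == 6)
    lines = [
        "table inet origin {",
        "  set cloudflare4 { type ipv4_addr; flags interval;",
        f"    elements = {{ {v4} }} }}",
        "  set cloudflare6 { type ipv6_addr; flags interval;",
        f"    elements = {{ {v6} }} }}",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
        f"    ip saddr @cloudflare4 tcp dport {dst_port} accept",
        f"    ip6 saddr @cloudflare6 tcp dport {dst_port} accept",
        "  }",
        "}",
    ]
    return "\n".join(lines)


def real_client_ip(peer_addr: str, headers: Dict[str, str],
                   cf_nets: List[Network]) -> str:
    """End-client address as the webserver should see it.

    Cf-Connecting-IP is used only when the TCP peer is Cloudflare. If a
    non-Cloudflare peer supplies the header, it is ignored and the peer
    itself is treated as the client (the spoofing failure mode)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    header = lowered.get("cf-connecting-ip")
    if header and is_in_ranges(peer_addr, cf_nets):
        try:
            return str(ipaddress.ip_address(header.strip()))
        except ValueError:
            pass  # malformed header value: fall back to the peer address
    return str(ipaddress.ip_address(peer_addr))


def webserver_decision(peer_addr: str, headers: Dict[str, str],
                       cf_nets: List[Network], banned: List[Network]) -> str:
    """Apply the per-client ban list to the real client address."""
    client = real_client_ip(peer_addr, headers, cf_nets)
    return "deny" if is_in_ranges(client, banned) else "allow"


if __name__ == "__main__":
    nets = parse_ranges(SAMPLE_CLOUDFLARE_RANGES)
    print(nft_ruleset(nets))
    print(firewall_decision("192.0.2.10", 443, nets))  # direct hit: drop
    print(real_client_ip("192.0.2.10", {"CF-Connecting-IP": "10.0.0.1"}, nets))
```

The webserver check is the reason the reply says client bans move off the IP layer: once only Cloudflare can reach the origin, every TCP peer is Cloudflare and the per-client decision has to key on Cf-Connecting-IP instead, while the firewall rule is what makes trusting that header safe.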
