DNS & Web Application FW

Hello,

We would like to use Cloudflare’s CDN, taking the domain “example.com” as an example, and have questions about this:

  1. If we replace our current DNS servers with Cloudflare DNS servers, will the subdomains in this zone, e.g. “api.example.com”, also be handled?

  2. Will the requests sent by the customers be modified or filtered by Cloudflare’s firewall?

Explanation: we have a subdomain “api.example.com” which receives requests for certificate issuance on ports 443 | 389 | 636. These requests must not be changed.

thx

Hi there,

To answer your questions:

  1. If we replace our current DNS servers with Cloudflare DNS servers, will the subdomains in this zone, e.g. “api.example.com”, also be handled?

Yes. As long as you make sure you have configured your DNS records on the Cloudflare dashboard as they were at your previous DNS provider, you will be able to manage your DNS (all record types and all subdomains) through Cloudflare. I recommend reading through this guide on how you would go about onboarding a zone: Change your nameservers (Full setup) · Cloudflare DNS docs.

  2. Will the requests sent by the customers be modified or filtered by Cloudflare’s firewall?

Any requests that are proxied through Cloudflare will pass through our security features and may be evaluated by our security products. You do have control over these features, though, and can skip security features if needed: Configure a custom rule with the Skip action · Cloudflare Web Application Firewall (WAF) docs. Cloudflare is a reverse proxy, so we do sit between the client and your origin server, and so there is a change in the request that is unavoidable.

The one problem I see based on your explanation is this:

“which receives requests for certificate issuance on ports 443 | 389 | 636. These requests must not be changed.”

Cloudflare by default is an HTTP/S proxy and we only proxy these ports: Network ports · Cloudflare Fundamentals docs

Ports 389 / 636 are not supported by Cloudflare by default, and this may be an issue in issuing certificates.

There is a feature called Spectrum which allows you to define your own ports and supports TCP proxying through Cloudflare, but it would require you to move up to the Enterprise plan to be able to define your own ports.

The other option is that you can have api.example.com not proxied through Cloudflare by changing its DNS record to ‘DNS only / grey-clouded’, and have only the other hostnames, like example.com or www.example.com, running through Cloudflare.
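The planning step the answer above describes (decide per record whether it can be orange-clouded, or must stay DNS-only because it serves ports the default HTTP/S proxy will not carry) can be checked mechanically against a zone export before the nameserver switch. The following is an added example, not code from the thread or from Cloudflare: it parses a small constructed BIND-style zone for example.com, compares each address record against a constructed inventory of the ports each hostname must accept, and returns a proxied / DNS-only plan. The list of proxied ports is taken from Cloudflare's "Network ports" documentation as I recall it; treat it as an assumption and verify it against the linked docs before relying on it.

```python
"""Plan which zone records may be proxied through Cloudflare (orange-cloud)
and which must stay DNS-only (grey-cloud). Added example, not Cloudflare code."""
from typing import Dict, List, Set, Tuple

# Ports Cloudflare's default HTTP/S proxy carries, per the "Network ports" docs.
# Assumption: this list is current; verify against the docs before use.
PROXIED_HTTP_PORTS: Set[int] = {80, 8080, 8880, 2052, 2082, 2086, 2095}
PROXIED_HTTPS_PORTS: Set[int] = {443, 2053, 2083, 2087, 2096, 8443}
PROXIABLE_PORTS: Set[int] = PROXIED_HTTP_PORTS | PROXIED_HTTPS_PORTS

# Only address-type records can be orange-clouded; MX, TXT, SRV etc. are always DNS-only.
PROXIABLE_TYPES = {"A", "AAAA", "CNAME"}

Record = Tuple[str, str, str]  # (fqdn, record type, rdata)

# Constructed sample zone export for example.com (BIND format, no quoted ';' in rdata).
ZONE = """\
$ORIGIN example.com.
$TTL 300
@        IN A     203.0.113.10
@        IN TXT   "v=spf1 mx -all"
www      IN CNAME example.com.
api      IN A     203.0.113.20   ; certificate issuance on 443, 389, 636
ldap     IN A     203.0.113.30
mail     IN MX 10 mail.example.com.
mail     IN A     203.0.113.40
legacy   IN A     203.0.113.50   ; nobody knows what this serves
"""

# Constructed inventory: the TCP ports each hostname must accept unmodified.
SERVICE_PORTS: Dict[str, Set[int]] = {
    "example.com": {443},
    "www.example.com": {80, 443},
    "api.example.com": {443, 389, 636},
    "ldap.example.com": {636},
    "mail.example.com": {25, 587},
}


def parse_zone(text: str) -> List[Record]:
    """Minimal BIND zone parser: $ORIGIN, '@', relative and absolute names,
    optional TTL/class fields, ';' comments. Enough for a plain zone export."""
    origin = ""
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        if line.startswith("$"):  # $TTL and other directives are irrelevant here
            continue
        parts = line.split()
        name, i = parts[0], 1
        if i < len(parts) and parts[i].isdigit():  # optional TTL
            i += 1
        if i < len(parts) and parts[i].upper() == "IN":  # optional class
            i += 1
        rtype, rdata = parts[i].upper(), " ".join(parts[i + 1:])
        if name == "@":
            fqdn = origin
        elif name.endswith("."):
            fqdn = name.rstrip(".")
        else:
            fqdn = f"{name}.{origin}"
        records.append((fqdn, rtype, rdata))
    return records


def unsupported_ports(ports: Set[int]) -> List[int]:
    """Ports in the set that the default HTTP/S proxy will not carry."""
    return sorted(ports - PROXIABLE_PORTS)


def plan_proxy(records: List[Record],
               service_ports: Dict[str, Set[int]]) -> Dict[Tuple[str, str], Tuple[str, str]]:
    """Return {(fqdn, type): (mode, reason)} with mode 'proxied' or 'dns-only'."""
    plan: Dict[Tuple[str, str], Tuple[str, str]] = {}
    for fqdn, rtype, _ in records:
        key = (fqdn, rtype)
        if rtype not in PROXIABLE_TYPES:
            plan[key] = ("dns-only", f"{rtype} records cannot be proxied")
            continue
        ports = service_ports.get(fqdn)
        if ports is None:
            # Unknown service: stay grey-clouded until the port inventory is confirmed.
            plan[key] = ("dns-only", "no port inventory; keep DNS-only until verified")
            continue
        bad = unsupported_ports(ports)
        if bad:
            plan[key] = ("dns-only", f"serves unproxied ports {bad}; needs Spectrum or grey-cloud")
        else:
            plan[key] = ("proxied", "all ports are HTTP/S ports Cloudflare proxies")
    return plan


if __name__ == "__main__":
    for (fqdn, rtype), (mode, reason) in sorted(plan_proxy(parse_zone(ZONE), SERVICE_PORTS).items()):
        print(f"{fqdn:22} {rtype:6} {mode:9} {reason}")
```

Hosts with no entry in the port inventory are deliberately kept DNS-only: turning the proxy on for a hostname whose services are unknown is how an LDAP or SMTP listener silently stops being reachable after the nameserver change.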

Dear team,

Thank you very much for your detailed answer.
Then we will set all other subdomains or FQDNs that do not work with the HTTP/HTTPS protocol to “DNS only” and turn off the proxy for them.

Best regards
Mehdi
