Does a paid plan solve the "CNAME Cross-User Banned" issue?

Hi there.

I’m getting a “CNAME Cross-User Banned” error from my website.

Basically, I’m trying to configure ‘example.com’ to point to ‘cdn.mydomain.com’ with a CNAME, and configure ‘cdn.mydomain.com’ to point to 1.2.3.4 with Cloudflare Proxy enabled (CDN).

I saw that this is initially blocked by Cloudflare due to the policy, but also heard that there’s a way to solve this if you are on a paid plan (Pro, Business).

I just want to confirm whether that is true.

Also, what is the flow to solve the issue after I get the paid plan? Is there a UI or menu for enabling the feature? Or should I contact support to do it specifically?

This is also an important point for me, because I’m planning to configure various domains to point to my CDN domain with a CNAME. The source domains will be quite random, due to my service’s requirements. Those will be our clients’ domains.

I already made a ticket too, but the bot guided me to create a community thread first with the ticket id 2395368.

I’ll look forward to the reply!

Thank you very much.

Hi there!

This limitation is for security reasons and upgrading to a paid plan will not remove it.

However, since you control the CNAME target, you should take a look at SSL for SaaS which will let you do this.

https://developers.cloudflare.com/ssl/ssl-for-saas/


Hi @kycfeel

The security concern albert mentioned above is that Cloudflare will internally follow a CNAME to an IP even across domains, but to prevent leaking the origin IP of other Cloudflare accounts this CNAME Cross-User Ban exists.

Like, CNAME www.example.com >> CNAME www.mydomain.com >> A mydomain.com 1.2.3.4 will mean that www.example.com is effectively 1.2.3.4 internally when Cloudflare is trying to serve the requests*. You can try this for yourself with 2 domains in the same account: if you switch off the proxy for CNAME www.example.com then it will leak the IP from mydomain.com, or if you have the orange-cloud proxy on for www.example.com and do a sub-request from a Worker, then it will hit the origin for mydomain.com.

I hope that context makes sense for why the CNAME Cross-User Ban exists.

If you have the budget for Cloudflare Enterprise and/or SSL for SaaS then go for it as albert recommended, but if not then the solution is simple: just think about the chain in which Cloudflare will follow the CNAME internally, and break the process so that requests to customerCFaccount.com will not be able to follow internally to cdn.myCFaccount.com. That way you don’t get this CNAME Cross-User Ban error; instead the requests will go back through the front door of Cloudflare.

It will work across domains in the same account and also work for domains in your customers’ Cloudflare account to a domain on your Cloudflare account.

Just a caution with doing this: it may or may not work in the future. I reported this as a bug to the Cloudflare Public Bug Bounty program a month ago, but they have yet to respond or even acknowledge the issue. It may not be a bug but rather an inability to implement their own pricing features in practice, since what I described above allows you to get some Enterprise plan features on a Free plan account.
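The CNAME-following behaviour the reply above describes is easy to reason about with a small resolver walk. The script below is an added illustration for this thread, not code from Cloudflare or from any poster: it follows a CNAME chain to its A record, reports the effective address, and flags the chain when it hops between different registrable domains, which is the shape the CNAME Cross-User Ban (Error 1014) refuses to serve. The record table is constructed from the thread's own example names (www.example.com, www.mydomain.com, 1.2.3.4) rather than looked up live, so it runs offline; the `registrable_domain` helper is a deliberately naive two-label approximation, and a real diagnostic should use the Public Suffix List and a DNS library such as dnspython in place of the dictionary.

```python
# Diagnostic walk of a CNAME chain, added as an example for this thread.
# RECORDS is a constructed stand-in for resolver answers; the names and the
# 1.2.3.4 address come from the thread's example, not from any real zone.
RECORDS = {
    "www.example.com.":  ("CNAME", "www.mydomain.com."),
    "www.mydomain.com.": ("CNAME", "mydomain.com."),
    "mydomain.com.":     ("A", "1.2.3.4"),
    "cdn.mydomain.com.": ("A", "1.2.3.4"),
    "loop.example.com.": ("CNAME", "loop.example.com."),  # constructed loop case
}

MAX_HOPS = 8  # resolvers cap chain length; a runaway chain is a misconfiguration


def canonical(name):
    """Normalise to lower-case, fully qualified (trailing dot) form."""
    return name.rstrip(".").lower() + "."


def registrable_domain(name):
    """Naive registrable-domain guess: the last two labels.
    Assumption for illustration only; use the Public Suffix List in real code
    (e.g. this mis-handles names under co.uk)."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:]).lower()


def follow_cname(records, name, max_hops=MAX_HOPS):
    """Follow CNAMEs from `name` until an A record or a dead end.
    Returns (chain, address): the names visited in order and the final
    IPv4 address, or None if the chain ends without an address."""
    name = canonical(name)
    chain = [name]
    for _ in range(max_hops):
        rec = records.get(name)
        if rec is None:
            return chain, None          # no data for this name
        rtype, value = rec
        if rtype == "A":
            return chain, value
        if rtype == "CNAME":
            target = canonical(value)
            if target in chain:
                raise ValueError("CNAME loop at %s" % target)
            chain.append(target)
            name = target
            continue
        return chain, None              # some other record type; stop here
    raise ValueError("CNAME chain exceeds %d hops" % max_hops)


def crosses_zone(chain):
    """True when the chain hops to a different registrable domain.
    That is the cross-domain CNAME Cloudflare declines to follow for
    another account's origin, surfacing as Error 1014."""
    return len({registrable_domain(n) for n in chain}) > 1


def report(records, name):
    """Summarise one hostname: chain, effective address, cross-zone flag."""
    chain, addr = follow_cname(records, name)
    return {"chain": chain, "address": addr, "cross_zone": crosses_zone(chain)}


if __name__ == "__main__":
    for host in ("www.example.com", "www.mydomain.com", "cdn.mydomain.com"):
        r = report(RECORDS, host)
        print("%-18s -> %s  via %s  cross-zone=%s"
              % (host, r["address"], " > ".join(r["chain"]), r["cross_zone"]))
```

Running it shows www.example.com resolving, through www.mydomain.com, to 1.2.3.4 with `cross_zone` set, while the two mydomain.com hostnames stay inside one zone. Pointing the same walk at a customer's hostname before onboarding it tells you whether the chain will hit the ban, and the loop and hop-limit checks catch the two misconfigurations that otherwise make such a walk hang.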

I’ve read this a few times, and it does not make sense. Are you saying that I can send requests to Cloudflare for www.mydomain.com, and have those requests sent to the Origin server configured on another account?

If you break the chain by which Cloudflare follows the CNAME to the IP, then it won’t go directly to the IP but will instead be proxied through Cloudflare from a domain on one account to a domain on another account to their origin IP. It doesn’t expose the IP, but it gets around the Error 1014 CNAME Cross-User Ban policy. It doesn’t require Cloudflare Enterprise or SSL for SaaS; just a simple free account on both ends will work.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.