Domains that are set to DNS-only are being cached/proxied when they should not be

Hi all,

We’ve recently implemented Cloudflare on our domain for a specific subdomain that receives the bulk of our traffic and sends & receives content from our customers’ systems and their devices (let’s call it storage_example_com). The caching and proxying will be of great benefit to this singular subdomain, but we have other ‘sensitive’ subdomains that must not be cached or proxied by Cloudflare (let’s call them api_example_com and telemetry_example_com).

We’ve noticed the benefits of Cloudflare on storage_example_com already but, unfortunately, since setting it all up and assigning api_example_com and telemetry_example_com to “DNS only”, we’ve noticed cache statistics and analytics have been generated for these subdomains and traffic has started coming from Cloudflare to these systems. This has directly interfered with our customers’ devices and our ability to respond to them with data they require to function.

We can’t determine exactly how these folks are getting routed through Cloudflare, though - the DNS section on the Cloudflare panel has the A record for both api_example_com and telemetry_example_com set to “DNS-only” and both are assigned to their respective dedicated IPs. Using dig to check the records both returns their correct (direct) IPs, and not any Cloudflare IPs - we’ve checked against our ISP DNS, the Google 8.8.8.8, and the Cloudflare 1.1.1.1.

DNS management panel showing api & telemetry set to ‘DNS only’, storage-beta set to ‘Proxied’

Confusingly, it’s not consistent - from all of our development systems and networks, we are not routed through Cloudflare at all (as it should be!). But it seems that some devices (seemingly at random, and mostly from outside the US) are being sent through it without our control.

I filed a Cloudflare support ticket (#2074059) asking how traffic was ending up getting proxied and cached when we expressly set it otherwise, but they only responded as though I was asking for help on implementing proxying and caching on the api_example_com and telemetry_example_com subdomains and didn’t seem to understand that the problem was, in fact, the opposite.

Is there no way to tell Cloudflare to just leave these subdomains alone?

Thank you!

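One way to answer the “how are these folks getting routed through Cloudflare?” question from the origin’s side, as an added example that is not code from the original post or from Cloudflare: classify each access-log line by whether the TCP peer is inside Cloudflare’s published edge ranges and whether Cloudflare’s proxy headers (CF-Connecting-IP, CF-Ray) were present. It assumes a custom nginx log format that appends those two headers after the status code, the range list is a snapshot of https://www.cloudflare.com/ips-v4 that must be refreshed before real use, and the log lines are constructed.

```python
"""Origin-side check for requests that unexpectedly arrive through Cloudflare.

Added example, not from the original thread or from Cloudflare. Assumed
log format (nginx): '$remote_addr - [$time_local] "$request" $status
"$http_cf_connecting_ip" "$http_cf_ray"'. The range list is a snapshot of
https://www.cloudflare.com/ips-v4; refresh it before use.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Snapshot of Cloudflare's published IPv4 edge ranges (assumption: refresh before use).
CLOUDFLARE_IPV4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Assumed layout: peer addr, timestamp, request line, status, then the two
# Cloudflare headers (nginx writes "-" when a header is absent).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'"(?P<cf_ip>[^"]*)" "(?P<cf_ray>[^"]*)"$'
)


@dataclass
class Hit:
    client_ip: str
    request: str
    from_cloudflare_ip: bool    # TCP peer lies inside a Cloudflare edge range
    has_cf_headers: bool        # CF-Connecting-IP and/or CF-Ray were present
    true_client: Optional[str]  # CF-Connecting-IP; only meaningful if from_cloudflare_ip

    @property
    def verdict(self) -> str:
        # Both signals agree: the request really traversed Cloudflare's proxy,
        # i.e. some resolver handed this client a stale proxied answer.
        if self.from_cloudflare_ip and self.has_cf_headers:
            return "proxied"
        # CF-* headers from a non-Cloudflare peer were set by the client itself;
        # never use them for the real client address or for access decisions.
        if self.has_cf_headers:
            return "spoofed-cf-headers"
        if self.from_cloudflare_ip:
            return "cloudflare-ip-no-headers"
        return "direct"


def is_cloudflare_ip(ip: str) -> bool:
    """True if ip lies inside one of the snapshot Cloudflare ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CLOUDFLARE_IPV4)


def parse_line(line: str) -> Optional[Hit]:
    """Parse one access-log line; returns None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    cf_ip = None if m["cf_ip"] == "-" else m["cf_ip"]
    cf_ray = None if m["cf_ray"] == "-" else m["cf_ray"]
    return Hit(m["ip"], m["request"], is_cloudflare_ip(m["ip"]),
               bool(cf_ip or cf_ray), cf_ip)


def classify(lines: Iterable[str]) -> Counter:
    """Count verdicts over a log; lines that do not parse are counted as such."""
    counts = Counter()
    for line in lines:
        hit = parse_line(line)
        counts[hit.verdict if hit else "unparseable"] += 1
    return counts


# Constructed sample log for a DNS-only subdomain. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges; the two Cloudflare peers are
# addresses taken from the ranges above.
SAMPLE_LOG = [
    '203.0.113.7 - [10/Feb/2021:10:00:01 +0000] "GET /v1/devices HTTP/1.1" 200 "-" "-"',
    '172.70.34.12 - [10/Feb/2021:10:00:02 +0000] "POST /v1/telemetry HTTP/1.1" 200 "198.51.100.23" "62a1b2c3d4e5f6a7-FRA"',
    '198.51.100.9 - [10/Feb/2021:10:00:03 +0000] "GET /v1/devices HTTP/1.1" 200 "198.51.100.9" "-"',
    '104.20.5.5 - [10/Feb/2021:10:00:04 +0000] "GET /v1/status HTTP/1.1" 200 "-" "-"',
    'garbage line that does not match',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        hit = parse_line(line)
        print(f"{hit.verdict if hit else 'unparseable':25} {line[:60]}")
    print(dict(classify(SAMPLE_LOG)))
```

The “proxied” count tells you how much traffic is still arriving via stale resolver answers, and CF-Connecting-IP on those lines gives the real client so you can see which networks are affected. The “spoofed-cf-headers” verdict is the caveat that comes with running an origin that is reachable directly: anyone can send CF-* headers to it, so they must only be trusted when the peer address is in Cloudflare’s ranges.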

It looks like there may have been a period where this record was :orange: when the zone was initially added and while a resolver should respect a DNS record’s TTL they don’t always. It’s uh… a feature of the internet.

You can disable caching for the record to ensure responses aren’t actually being cached using page rules, but there’s not really a way to force a client’s DNS resolver to suck less and refresh a record it should have refreshed already.


Hi cscharff,

Thanks for a reply! I was figuring something like that may have happened, but I was quite careful when setting up the zone to prepare everything as DNS-only prior to my moving the domain’s nameservers to Cloudflare. I suppose something internal to the Cloudflare network could have captured that setting during that time and has propagated out after the nameservers changed?

I’ll set up a page rule to prevent caching for these subdomains in the meanwhile, that’s a great idea - thank you!
