We’ve recently implemented Cloudflare on our domain for a specific subdomain that receives the bulk of our traffic and sends & receives content from our customers’ systems and their devices (let’s call it storage_example_com). The caching and proxying will be of great benefit to this singular subdomain, but we have other ‘sensitive’ subdomains that must not be cached or proxied by Cloudflare (let’s call them api_example_com and telemetry_example_com).
We’ve noticed the benefits of Cloudflare on storage_example_com already but, unfortunately, since setting it all up and assigning api_example_com and telemetry_example_com to “DNS only”, we’ve noticed that cache statistics and analytics have been generated for these subdomains and traffic has started coming from Cloudflare to these systems. This has directly interfered with our customers’ devices and our ability to respond to them with the data they require to function.
We can’t determine exactly how these folks are getting routed through Cloudflare, though - the DNS section on the Cloudflare panel has the A record for both api_example_com and telemetry_example_com set to “DNS-only” and both are assigned to their respective dedicated IPs. Using dig to check both records returns their correct (direct) IPs, and not any Cloudflare IPs - we’ve checked against our ISP DNS, the Google 22.214.171.124, and the Cloudflare 126.96.36.199.
[Image: DNS management panel showing api & telemetry set to ‘DNS only’, storage-beta set to ‘Proxied’]
Confusingly, it’s not consistent - from all of our development systems and networks, we are not routed through Cloudflare at all (as it should be!). But it seems that some devices (seemingly at random, and mostly from outside the US) are being sent through it without our control.
I filed a Cloudflare support ticket (#2074059) asking how traffic was ending up getting proxied and cached when we expressly set it otherwise, but they only responded as though I was asking for help on implementing proxying and caching on the api_example_com and telemetry_example_com subdomains and didn’t seem to understand that the problem was, in fact, the opposite.
Is there no way to tell Cloudflare to just leave these subdomains alone?
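As an added example, not part of the original post: an origin-side check that reads the server’s own access log and reports, per Host header, which requests to the DNS-only hosts actually arrived through a Cloudflare edge, using the TCP peer address and the CF-RAY header Cloudflare adds when proxying. The nginx log_format with host= and cf_ray= fields, the three hard-coded ranges and the sample log lines are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Cloudflare publishes its egress ranges at https://www.cloudflare.com/ips-v4 (and /ips-v6).
# Three are copied here for the example; reload the published list rather than hard-coding it.
CLOUDFLARE_RANGES = [ipaddress.ip_network(c) for c in ("173.245.48.0/20", "103.21.244.0/22", "172.64.0.0/13")]

# Assumed nginx log_format (not from the original post): the combined format followed by
# host="$host" cf_ray="$http_cf_ray", so the CF-RAY header Cloudflare adds when proxying is logged.
LOG_RE = re.compile(r'^(?P<remote>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \d+ '
                    r'host="(?P<host>[^"]*)" cf_ray="(?P<cf_ray>[^"]*)"$')

def from_cloudflare(ip):
    """True if the TCP peer address lies inside a published Cloudflare range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)

def classify(line):
    """Return (host, via_cloudflare, evidence) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    evidence = []
    if from_cloudflare(m["remote"]):
        evidence.append("peer address in Cloudflare range")
    if m["cf_ray"]:
        evidence.append("CF-RAY header present")
    return m["host"], bool(evidence), evidence

def proxied_hits_by_host(lines):
    """Count requests per Host header, split into those that arrived via Cloudflare and direct ones."""
    counts = Counter()
    for line in lines:
        r = classify(line)
        if r:
            counts[(r[0], "proxied" if r[1] else "direct")] += 1
    return counts

# Constructed sample lines: a direct request to api, then two that reached the DNS-only
# hosts through a Cloudflare edge anyway (RFC 5737 address for the direct client).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /v1/devices HTTP/1.1" 200 512 host="api.example.com" cf_ray=""',
    '173.245.48.10 - - [01/Jan/2024:10:00:01 +0000] "GET /v1/devices HTTP/1.1" 200 512 host="api.example.com" cf_ray="8a1b2c3d4e5f6789-AMS"',
    '172.70.1.5 - - [01/Jan/2024:10:00:02 +0000] "POST /ingest HTTP/1.1" 204 0 host="telemetry.example.com" cf_ray="8a1b2c3d4e5f6790-FRA"',
]

if __name__ == "__main__":
    for (host, kind), n in sorted(proxied_hits_by_host(SAMPLE_LOG).items()):
        print(f"{host:24s} {kind:8s} {n}")
```

A non-zero "proxied" count for a host that is set to DNS only shows the origin is still reachable through Cloudflare for some clients; comparing the timestamps of those hits with the time the record was switched helps separate clients holding an older proxied answer from anything else.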