How do I protect my subdomain with Cloudflare?

Ok so I “own” (manage) this domain (! I’ve recently added a firewall rule(s) ( that blocks or challenges countries with the highest hacking rate) but the subdomain ( is NOT protected by the firewall rule(s) (as I had put the allowance for IP’s, including mine, lower than the block, and did not get challenged, despite being from a country set to challenge requests)! This made me assume that the subdomain is NOT protected by the firewall rule(s)! So how do I protect it? The firewall rule(s) was were/are mainly made to protect the subdomain from hacking from countries that commonly have hacking!

The expression for the challenge is as follows

( eq "TW") or ( eq "TR") or ( eq "BR") or ( eq "IN") or ( eq "US") or ( eq "RO") or ( eq "IT") or ( eq "HU")

The expression for the block is as follows

( eq "RU") or ( eq "CN") or ( eq "UA")

Please note: The block on Ukraine (UA) is temporary and is for security reasons only!

Again, how do I protect the subdomain (which again is!

Do I need to add as a DNS record (and then proxy it through Cloudflare)?

Please note that I “own” this domain with @Neeraj_1 but I am the one who put the block/challenge in place!

Yep. Cloudflare can only action traffic that has a proxied record.

1 Like

So add as a proxied record? (but of what type)?


Depends entirely on what’s behind it - if your hosting provider gives you an IPv4 address then A, IPv6 then AAAA or a domain name then CNAME.

How long will it take for it to start protecting the subdomain?

From minutes to the usual 48/72 hours of DNS propagation.

1 Like

So it usually takes 2 or 3 days (but can take only a few minutes)?

Yeah. It’s outside of yours or Cloudflare’s control. It also depends on how the record was setup before…

I’m gonna say it’s usually way less than 48h, but it might take up to 48/72hrs.

Ok, but once it applies, allowed, challenged, and blocked requests from the subdomain will be logged?

Of course, everything within the bounds and limits of the selected plan. To note, it will apply at different times to different people, most will get it in minutes, some random cache might still serve stale records for a while longer.

1 Like

Was just noticing that this setup for protecting the community subdomain makes no sense…

Yeah, I think it’s screwing it up (slowing it down, making it almost unreachable)!

As a result, I have deproxied the record and will see if that fixes the issue!

You have no record for at the moment. Add one and proxy that :slight_smile:

Proxying a domain shouldn’t make it slower at all?

Added an A record, how long until the DNS_PROBE_FINSHED_NXDOMAIN error is gone?


■■■■, did I make a mistake changing it from a CNAME to an A record?

It depends on how you are setting things up, if an A record is required (as I suspect) a CNAME will never work.

So if I screwed something up by changing it, it’ll return a CF branded error?

And can there be multiple proxied A records?