How to disable http requests from a subdomain

Hello, I have a subdomain that points to a TCP DNS record.

And I would like to know if there is a way to disable http/https requests for this subdomain.

The reason is that I have an application in TCP (game server) and a webserver in http and I wanted to disable access to this webserver without preventing access in TCP.

If you want to tell browsers that HTTP/HTTPS isn’t available at a domain, there is a way: null HTTPS records. They’re currently an Internet Draft, but Cloudflare supports the latest draft already and it is relatively unlikely to change between now and release.

Add an HTTPS record, then set the “name” to the subdomain you want it to apply to, set the priority to 0, and set the value to a period (“.”). Most browsers support this already, but since it is still in development they disable it by default. And you can’t stop them from trying to connect anyway, of course. But it’s the closest you’ll get.


By the way, word of advice: if you aren’t requiring authentication to access something, it’s public. Do not rely on people not knowing about it. That goes for your (Minecraft?) game server as well: if you don’t want literally anyone in the world on it, set some form of player allowlist or something.

If you don’t want everyone to access your webserver, use HTTP client certificates or something. And always use encryption.


Also, if this is a Minecraft server like your username suggests, make sure you set an SRV record. Minecraft clients use it to figure out where to connect. I’d also recommend setting the port to a random number between 1024 and 49151 that isn’t assigned on this list, just on principle. Minecraft’s default port number of 25565 isn’t actually assigned to Minecraft. Don’t worry about keeping track of whatever you chose: put the port in the SRV record and Minecraft will connect to it automatically.

I happen to run a server for my brother, and I use this record for it:

_minecraft._tcp.indigo.saklad5.com. 86400 IN SRV 1 0 12147 shavano.saklad5.com

I explicitly say there isn’t a webserver at that target (which happens to be a port-forwarding router, because IPv4 addresses are expensive) with this record:

shavano.saklad5.com.      300  IN HTTPS 0 .

This means “The Minecraft server at <indigo.saklad5.com> may be accessed on TCP port 12147 of <shavano.saklad5.com>. <shavano.saklad5.com> does not have an HTTP/HTTPS server.”

2 Likes
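To confirm that a published HTTPS record really is the null record described in the answer above (priority 0, target "."), its RDATA can be decoded directly. The following is an added example, not code from the thread. It assumes the wire layout of HTTPS records as standardized in RFC 9460 and also accepts the generic `\# 3 000000` text that resolver tools print when they do not know type 65; the function names and sample bytes are constructed for illustration.

```python
import struct

def rdata_from_generic(text):
    """Decode RFC 3597 generic RDATA text, e.g. '\\# 3 000000'."""
    marker, length, *hex_parts = text.split()
    data = bytes.fromhex("".join(hex_parts))
    if marker != "\\#" or len(data) != int(length):
        raise ValueError("not valid generic RDATA")
    return data

def parse_https_rdata(rdata):
    """Return (SvcPriority, TargetName, {SvcParamKey: value}) from wire RDATA."""
    if len(rdata) < 3:
        raise ValueError("too short for SvcPriority and TargetName")
    (priority,) = struct.unpack_from("!H", rdata, 0)
    labels, pos = [], 2
    while True:
        if pos >= len(rdata):
            raise ValueError("TargetName is not terminated")
        length = rdata[pos]
        pos += 1
        if length == 0:                      # root label ends the name
            break
        if length > 63 or pos + length > len(rdata):
            raise ValueError("bad label (compression is not allowed here)")
        labels.append(rdata[pos:pos + length].decode("ascii", "replace"))
        pos += length
    params = {}
    while pos < len(rdata):                  # SvcParams: key, length, value
        if pos + 4 > len(rdata):
            raise ValueError("truncated SvcParam header")
        key, vlen = struct.unpack_from("!HH", rdata, pos)
        pos += 4
        if pos + vlen > len(rdata):
            raise ValueError("truncated SvcParam value")
        params[key] = rdata[pos:pos + vlen]
        pos += vlen
    return priority, ".".join(labels) + ".", params

def classify(rdata):
    """'no-service' is the null record from the post: priority 0, target '.'."""
    priority, target, _params = parse_https_rdata(rdata)
    if priority == 0:                        # AliasMode; SvcParams are ignored
        return "no-service" if target == "." else f"alias to {target}"
    return f"service at {'owner name' if target == '.' else target}"

# Constructed samples (not captured traffic).
NULL_RECORD = rdata_from_generic("\\# 3 000000")          # "0 ."
ALIAS = b"\x00\x00\x07example\x03net\x00"                  # "0 example.net."
SERVICE = b"\x00\x01\x00" + b"\x00\x01\x00\x03\x02h2"      # "1 . alpn=h2"
```

Only the first sample is the "no HTTP/HTTPS here" signal; a priority of 0 with any other target is an alias, and a non-zero priority with target "." advertises a service at the record's own name.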
