How to hide my server IP from the MX registry and/or others?

My provider has informed me that, by doing a dig, you can see my server’s IP address.
I have accessed the DNS area and I see a yellow triangle indicating: “This record exposes the IP address behind the domain.com”.
I have been suffering a strong attack for 10 or 15 days, and my provider is going to change the IP of my server, but before that I would like to configure Cloudflare so that no one can, in any way, learn the IP of the server, in this case through the MX record.
I don’t know if I should expand the plan or some other step.
Any indication in this regard would be very appreciated.
Thank you very much and greetings!

One of three options

  • You remove the MX record altogether
  • You sign up for a separate email service with a different IP address
  • You purchase Cloudflare’s Enterprise plan, which however is in the four digit range a month

Thanks for your reply.
About the options:

  • Remove the MX record altogether… if I remove this record, will mail continue working? I have a VPS and all these records are configured on the server.
  • Sign up for a separate mail service with a different IP address… it is an option, but I would prefer not to (because of the cost, and I need my server to be able to send mail from the same server).
  • Oops… the Enterprise plan is out for me; the cost… four digits… impossible… I was thinking another plan might have this option, but if it is only in the Enterprise plan… impossible for me…

Thanks and regards,

Of course not. You need an MX record.

If you require emails, you will only be left with an Enterprise plan.

Then you can only pick one of the two others.

Probably the best approach will be simply to use a third party mail service and assign that.

The sending server does not need to be the same as the server holding the MX records.

Cloudflare cannot mask the true IP address of the target of your MX record. If you are using the same IP as the origin in Cloudflare and as your MX server then it will be exposed.

Your server should not accept connections on 80/443 from anywhere except Cloudflare, which reduces the ability of an attacker to get at your origin, except on port 25 which will be open for email.

The best option remains to use a dedicated email service, or hosted email filtering solution.
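The exposure described above can be checked against a zone export before the IP change. This is an added example, not code from any poster in this thread; the record layout (name, type, content, a `proxied` flag for orange-cloud versus DNS-only) and all names and addresses are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample zone using documentation addresses; hostnames are hypothetical.
ORIGIN_IP = "203.0.113.10"
SAMPLE_ZONE = [
    {"name": "example.com", "type": "A", "content": "203.0.113.10", "proxied": True},
    {"name": "www.example.com", "type": "A", "content": "203.0.113.10", "proxied": True},
    {"name": "mail.example.com", "type": "A", "content": "203.0.113.10", "proxied": False},
    {"name": "example.com", "type": "MX", "content": "10 mail.example.com", "proxied": False},
    {"name": "example.com", "type": "TXT",
     "content": '"v=spf1 ip4:203.0.113.0/28 mx -all"', "proxied": False},
    {"name": "news.example.com", "type": "MX", "content": "10 mx.mailhost.example", "proxied": False},
]


def find_origin_leaks(records, origin_ip):
    """Return (record name, type, reason) for each record that publishes origin_ip."""
    origin = ipaddress.ip_address(origin_ip)
    # Hostnames whose DNS-only (unproxied) address record answers with the origin IP.
    exposed = {
        r["name"].rstrip(".").lower()
        for r in records
        if r["type"] in ("A", "AAAA") and not r["proxied"]
        and ipaddress.ip_address(r["content"]) == origin
    }
    leaks = [(h, "A/AAAA", "DNS-only record returns the origin IP") for h in sorted(exposed)]
    for r in records:
        if r["type"] == "MX":
            # MX content is "<priority> <target>"; the target must resolve unproxied.
            target = r["content"].split()[-1].rstrip(".").lower()
            if target in exposed:
                leaks.append((r["name"], "MX", f"mail target {target} resolves to the origin"))
        elif r["type"] == "TXT":
            text = r["content"].strip('"')
            if not text.lower().startswith("v=spf1"):
                continue
            # SPF ip4:/ip6: mechanisms publish sending addresses in plain text.
            for net in re.findall(r"\bip[46]:(\S+)", text, flags=re.I):
                if origin in ipaddress.ip_network(net, strict=False):
                    leaks.append((r["name"], "TXT", f"SPF mechanism {net} covers the origin"))
    return leaks


if __name__ == "__main__":
    for name, rtype, reason in find_origin_leaks(SAMPLE_ZONE, ORIGIN_IP):
        print(f"{name:20} {rtype:7} {reason}")
```

Once mail is moved to a separate address, the same check run against the new web server IP should return an empty list.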

I will search for info about this, but as indicated, I need the mail; the addresses are with my domain, and my site sends mails to users (subscription mails, or notifications…), and after this attack I don’t want my server IP to appear anywhere.
Today’s attack is so large that the server can’t stop it (I think it is a DDoS attack). I configured the firewall and everything, but we can’t stop it; because of this, my server has blocked my site for 24 hours so as not to “damage” other machines on my server.
They offer to change my server IP, but for this it is important to me that the server IP does not appear anywhere.

Thanks to all for the replies, and my apologies if any doubt that I have raised is very “obvious and/or novice”.

In that case the most viable option will be the third party email service.

I’m in contact with my server about purchasing another server to use only for mail; then I will have 2 servers, one for the website and the other for the mail server.

That will work too, though keep in mind, while the first address will be completely hidden (if configured properly and if not leaked previously) the second one will still be public and someone can target it. For that reason a classic stand-alone email service might be the better choice as they typically know how to handle that.

Yes, but I think a classic stand-alone email service isn’t good for me because my site is a large site, about 100k users; my site is a forum and sends mail for notifications of new posts, etc. My site can send about 1k mails every hour (some hours of the day), and these stand-alone email services are limited for sending mails.
Yes, I think I can hide the new server IP for the website, but I can’t hide the IP of the mail server. When my website sends an email, the user can view my server IP, but an attack on the mail server IP is less important than an attack on the website server IP.
(I don’t know if I explained myself well…) :)

Thanks.

Whatever works for you. It really depends on your setup and your requirements. If you have a separate address that will already cover your original request. Just make sure the address of the webserver is not publicly available - and if it is - have that address change as well, as otherwise someone will always be able to go around Cloudflare.

Try Amazon SES.
