How to prevent: DNS records and server IP leaking to the Internet?

Dear Cloudflare users,

From what I understand, many people use Cloudflare to hide their hosting server’s IP address.

However, with numerous DNS lookup tools on the web I don’t see how your hosting IP could ever be fully “secret”. As you may know, these DNS lookup tools can provide a detailed history of every change ever made to your domain and DNS settings.

For instance, I registered a new domain via Namecheap just a couple days ago. And for hosting I chose a separate provider elsewhere. During registration the hosting provider gave me its nameserver details and asked for them to be added to my Namecheap domain dashboard.
And of course, that’s when my hosting server’s IP address was already leaked to the Internet. It can now be viewed in the DNS history of the aforementioned DNS lookup sites.

Frankly, I guess it also doesn’t help that my host displays my domain IP in its DNS records per default. But I’d assume, for a domain to function you can’t just remove such DNS records, right? :thinking:

So maybe I’m missing something here, maybe I should have connected my domain to Cloudflare BEFORE associating it with my external hosting service? But then, how would Cloudflare have been able to fetch the required DNS records in the first place?

I am sorry if this topic and my questions seem “noob” to you. It wasn’t until recently that I delved into the realms of Internet and domain security.

Thank you in advance.

Kind regards

To fully hide your origin IP, it is recommended to:

  1. Change/rotate the IP address after adding the domain to Cloudflare
  2. Protect your origin server, specifically Allow Cloudflare IPs and Authenticated Origin Pulls

That will ensure future scanners cannot hit your origin IP and find that it is linked to your domain name.

Alternatively if you have control over the server that hosts the website (i.e. a VPS or dedicated server and not a managed hosting product), you can consider using Cloudflare Tunnel and then block all inbound ports, which will ensure nobody can ever bypass Cloudflare by any means.

3 Likes

Hello,

Thank you for your fast response.

Yes, that seems like a good idea. I’ll have to check with my host whether he can provide an IP change after connecting to Cloudflare.
Is this something that – in general – can easily be done by hosting services?

Kind regards

No. It typically will involve migrating your site to a new server.

It won’t, but I find it preferable to add only the records I need.

1 Like

Thank you for your answer.

So in essence, there is no way to fully prevent DNS lookup sites from listing your (old) DNS and IP history?

Like let’s say I would switch from my old host to a new one, e.g. Namecheap …
I would choose a Namecheap hosting plan, choose my domain I’d like to connect, and log into cPanel. Then that would already be the moment my IP and DNS details can get leaked to the Internet and fetched by DNS lookup sites, right? So it’s already exposed, even before I connect my page to Cloudflare, isn’t it?

Well, if that’s the way it is, and it can’t be circumvented, then I’ll live with that. It’s not like I intend to run some super secret whistleblowing page. :wink:
I was merely wondering what the point of Cloudflare is – in terms of privacy – if your origin server IP and DNS records can never be entirely hidden in the first place. So ultimately, you’re just using it to make it a little harder for those prying eyes, right?

Kind regards

If you start using Cloudflare DNS before you have hosting, your origin IP cannot be exposed unless you elect to publish it by either pausing Cloudflare or setting a record to :grey: DNS Only.

3 Likes

“If you start using Cloudflare DNS before you have hosting, your origin IP cannot be exposed (…)”

Thank you. Cool … I didn’t even know that this was possible at all. Thus, please disregard my previous post. I had wrongly assumed it is required to have hosting before starting with Cloudflare.

So let’s see … I currently have a domain with Namecheap including their Namecheap “Premium DNS” feature. Accordingly, the nameservers are:

pdns1.registrar-servers[.]com
pdns2.registrar-servers[.]com

So what would be the next steps? I assume I would have to …

1) Add my domain as a Cloudflare zone
2) Let Cloudflare fetch the Namecheap nameservers specified above (or add them manually),

and do …

3) what exactly??

I’d guess that step 4) would be signing up for a hosting plan with whatever company I see fit.

and

5) Add the DNS Records (A, CNAME etc.) to Cloudflare once they have been created by my new hosting provider.

Would that be the correct way to prevent the new server IP from being exposed?

Thank you very much!

Kind regards

Your Step 2 is confusing to me. I don’t know what you mean by

Cloudflare doesn’t care about your third-party nameservers. In fact you must remove third-party nameservers at your registrar in order to activate your domain in your Cloudflare account.

Namecheap, not unlike GoDaddy and some other registrars that offer hosting in addition to domain registration, lends itself to making things confusing. While people just getting started often use one place to fill many roles, it may help if you think of the functions as being completely separate.

Registrar: The place that handles the registration of your domain name. They also submit your domain’s authoritative nameservers into the parent zone, such as com. in the case of example.com.
Web Hosting Provider: The place where you store the content of your website. This party serves requests for your site to visitors.
Email Hosting Provider: The place that sends and receives user email destined to and from your mailboxes.
DNS Provider: The place where you manage the DNS records that operate your domain. This needs to be the same provider as the one operating the authoritative nameservers you set at your registrar.
WAF Provider: The place that handles application security for your website. It is a proxy that sits between your visitors and your website. It often blocks malicious traffic before it reaches your web hosting provider.

Step 2 is to replace the assigned nameservers at your registrar with the pair assigned by Cloudflare when instructed.

There is no step 3. Skip it and move on to your step 4.

2 Likes

Thank you for clarifying, epic.network!

So I’ll have to do the following now:

1) Add my domain to Cloudflare.
2) Let Cloudflare fetch the DNS Records of my current host.
3) At my domain registrar: Replace the default nameservers with the Cloudflare ones.
4) Terminate my current hosting plan and sign up with a different host.
5) Add the DNS Records from the new host to my Cloudflare setup.
6) Make sure these DNS Records are set to “proxied”, so no IP is leaked.

This way, DNS lookup sites can’t find out what my new origin server IP is, correct?

Have a nice day.

Kind regards

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.