From what I understand, many people use Cloudflare to hide their hosting server’s IP address.
However, with numerous DNS lookup tools on the web I don’t see how your hosting IP could ever be fully “secret”. As you may know, these DNS lookup tools can provide a detailed history of every change ever made to your domain and DNS settings.
For instance, I registered a new domain via Namecheap just a couple days ago. And for hosting I chose a separate provider elsewhere. During registration the hosting provider gave me its nameserver details and asked for them to be added to my Namecheap domain dashboard.
And of course, that’s when my hosting server’s IP address was already leaked to the Internet. It can now be viewed in the DNS history of the aforementioned DNS lookup sites.
Frankly, I guess it also doesn’t help that my host displays my domain IP in its DNS records by default. But I’d assume, for a domain to function you can’t just remove such DNS records, right?
So maybe I’m missing something here, maybe I should have connected my domain to Cloudflare BEFORE associating it with my external hosting service? But then, how would Cloudflare have been able to fetch the required DNS records in the first place?
I am sorry if this topic and my questions seem “noob” to you. It wasn’t until recently that I delved into the realms of Internet and domain security.
That will ensure future scanners cannot hit your origin IP and find that it is linked to your domain name.
Alternatively if you have control over the server that hosts the website (i.e. a VPS or dedicated server and not a managed hosting product), you can consider using Cloudflare Tunnel and then block all inbound ports, which will ensure nobody can ever bypass Cloudflare by any means.
Yes, that seems like a good idea. I’ll have to check with my host whether he can provide an IP change after connecting to Cloudflare.
Is this something that – in general – can easily be done by hosting services?
So in essence, there is no way to fully prevent DNS lookup sites from listing your (old) DNS and IP history?
Like let’s say I would switch from my old host to a new one, e.g. Namecheap …
I would choose a Namecheap hosting plan, choose my domain I’d like to connect, and log into cPanel. Then that would already be the moment my IP and DNS details can get leaked to the Internet and fetched by DNS lookup sites, right? So it’s already exposed, even before I connect my page to Cloudflare, isn’t it?
Well, if that’s the way it is, and it can’t be circumvented, then I’ll live with that. It’s not like I intend to run some super secret whistleblowing page.
I was merely wondering what the point of Cloudflare is – in terms of privacy – if your origin server IP and DNS records can never be entirely hidden in the first place. So ultimately, you’re just using it to make it a little harder for those prying eyes, right?
If you start using Cloudflare DNS before you have hosting, your origin IP cannot be exposed unless you elect to publish it by either pausing Cloudflare or setting a record to DNS Only.
“If you start using Cloudflare DNS before you have hosting, your origin IP cannot be exposed (…)”
Thank you. Cool … I didn’t even know that this was possible at all. Thus, please disregard my previous post. I had wrongly assumed it is required to have hosting before starting with Cloudflare.
So let’s see … I currently have a domain with Namecheap including their Namecheap “Premium DNS” feature. Accordingly, the nameservers are:
Your Step 2 is confusing to me. I don’t know what you mean by
Cloudflare doesn’t care about your third-party nameservers. In fact you must remove third-party nameservers at your registrar in order to activate your domain in your Cloudflare account.
Namecheap, not unlike GoDaddy and some other registrars that offer hosting in addition to domain registration, lends itself to making things confusing. While people just getting started often use one place to fill many roles, it may help if you think of the functions as being completely separate.
Registrar: The place that handles the registration of your domain name. They also submit your domain’s authoritative nameservers into the parent zone, such as com. in the case of example.com.
Web Hosting Provider: The place where you store the content of your website. This party serves requests for your site to visitors.
Email Hosting Provider: The place that sends and receives user email destined to and from your mailboxes.
DNS Provider: The place where you manage the DNS records that operate your domain. This needs to be the same provider as the one operating the authoritative nameservers you set at your registrar.
WAF Provider: The place that handles application security for your website. It is a proxy that sits between your visitors and your website. It often blocks malicious traffic before it reaches your web hosting provider.
Step 2 is to replace the assigned nameservers at your registrar with the pair assigned by Cloudflare when instructed.
There is no step 3. Skip it and move on to your step 4.
1) Add my domain to Cloudflare.
2) Let Cloudflare fetch the DNS Records of my current host.
3) At my domain registrar: Replace the default nameservers with the Cloudflare ones.
4) Terminate my current hosting plan and sign up with a different host.
5) Add the DNS Records from the new host to my Cloudflare setup.
6) Make sure these DNS Records are set to “proxied”, so no IP is leaked.
This way, DNS lookup sites can’t find out what my new origin server IP is, correct?
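Two pieces of advice in this thread can be checked mechanically rather than by eye: the earlier suggestion to block every inbound path to the origin that does not come through Cloudflare, and step 6 of the plan above, that every published address record must be proxied. The script below is an added example written for this page; it is not code from the thread, from Cloudflare, or from any of the providers named. It assumes a snapshot of Cloudflare’s published edge ranges (refresh it from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 before relying on it) and a constructed sample zone for `example.com`; the record names and addresses in it are made up for illustration.

```python
"""
Added example: (1) audit the records a zone currently publishes and flag
any address that is not a Cloudflare edge address, i.e. an origin IP that
DNS lookup sites can record; (2) gate requests at the origin so that only
connections arriving from Cloudflare's ranges are served, and the real
client address is taken from CF-Connecting-IP only on those connections.
"""
import ipaddress

# Snapshot of Cloudflare's published edge ranges. Assumption: this list is
# current as of writing; refresh it from https://www.cloudflare.com/ips-v4
# and https://www.cloudflare.com/ips-v6 before using it for enforcement.
CLOUDFLARE_RANGES = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22",
    "103.31.4.0/22", "141.101.64.0/18", "108.162.192.0/18",
    "190.93.240.0/20", "188.114.96.0/20", "197.234.240.0/22",
    "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32",
    "2405:b500::/32", "2405:8100::/32", "2a06:98c0::/29",
    "2c0f:f248::/32",
)]


def is_cloudflare_ip(addr: str) -> bool:
    """True if addr (v4 or v6) falls inside one of Cloudflare's edge ranges."""
    ip = ipaddress.ip_address(addr)
    # Membership on a network of the other IP version is simply False.
    return any(ip in net for net in CLOUDFLARE_RANGES)


def find_origin_leaks(records):
    """records: iterable of (name, rrtype, value) tuples, e.g. from a zone
    export or `dig` output. Returns the A/AAAA records whose address is not
    a Cloudflare edge address: exactly the records that expose the origin."""
    leaks = []
    for name, rrtype, value in records:
        if rrtype in ("A", "AAAA") and not is_cloudflare_ip(value):
            leaks.append((name, rrtype, value))
    return leaks


def origin_gate(remote_addr: str, headers: dict):
    """Decide whether the origin should serve a connection.

    Returns (allowed, client_ip). A connection whose TCP peer is not a
    Cloudflare edge is refused outright, so scanners that learned the origin
    IP from DNS history get nothing. CF-Connecting-IP is trusted only on
    connections that came from Cloudflare; anyone else could forge it."""
    if not is_cloudflare_ip(remote_addr):
        return False, None
    client = headers.get("CF-Connecting-IP")
    if client is None:
        # Cloudflare sets this header on every proxied request.
        return False, None
    ipaddress.ip_address(client)  # raises ValueError on a malformed header
    return True, client


# Constructed sample zone (not real data): apex and www are proxied, but a
# "direct" host and the mail host still publish the origin address. Mail
# cannot be proxied by Cloudflare, so a mail server on the same box as the
# website leaks the website's origin IP through its plain A record.
SAMPLE_RECORDS = [
    ("example.com", "A", "104.16.1.1"),
    ("www.example.com", "A", "172.67.1.1"),
    ("example.com", "AAAA", "2606:4700::6810:101"),
    ("direct.example.com", "A", "203.0.113.10"),
    ("mail.example.com", "A", "203.0.113.10"),
    ("example.com", "MX", "mail.example.com"),
]

if __name__ == "__main__":
    for name, rrtype, value in find_origin_leaks(SAMPLE_RECORDS):
        print(f"origin exposed: {name} {rrtype} {value}")
    print(origin_gate("172.67.1.1", {"CF-Connecting-IP": "198.51.100.7"}))
    print(origin_gate("203.0.113.5", {"CF-Connecting-IP": "198.51.100.7"}))
```

`find_origin_leaks` only reports what the zone publishes now; lookup-history sites keep the answers they recorded earlier, which is why the advice in the thread is to obtain a new origin IP after moving behind Cloudflare rather than to hope the old one is forgotten. The same range list is what belongs in the host firewall’s allowlist for ports 80 and 443 (with management ports reachable only from your own addresses), and `origin_gate` is the application-level backstop for the case where that firewall is misconfigured.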