IP on Cloudflare nameserver is not masked despite "orange cloud"

Hi, I have created a Cloudflare account and added a website. To make sure this works, I attempted to follow the steps here: dns - How to test CloudFlare without changing your domain's name server - Stack Overflow

However, when I used dig on the Cloudflare nameserver, I found the IP returned (for the root domain, or any of its subdomains) to be the same as if I used dig on the current nameserver. Furthermore, when I added these IPs to /etc/hosts to check for Cloudflare headers in the HTTP responses, I did not find any. The setup is the same as what we currently have, the server is still nginx.

It seems like Cloudflare is not masking IPs at all, despite me making sure that there’s an “orange cloud” for all subdomains. Does anyone have any insight as to why this is happening?

Hi! Just to confirm. The step where you dig @[name].ns.Cloudflare.com is just because you often have your DNS cached. If it’s been given enough time they should say the same thing anyway. If you’d like to confirm that it is indeed a Cloudflare IP, type that IP directly into your browser and you should see a Cloudflare error page like this:

Thanks for the reply, @ora! When typing the IP directly into my browser, it gives me the nginx landing page.

When switching off the orange cloud and changing the IP using the web interface (like below), using dig actually reflects the new change.

However, when switching the orange cloud on, the IP address seems to be the origin server’s IP address.

I apologize for the confusion. I meant to check your dig results to see if they are Cloudflare IPs by navigating to them like this:

@ora sorry about that! Yes, they’re indeed still showing up as nginx. Changing the value using the web interface was to make sure that there wasn’t a caching issue, I wanted to make sure that if I changed that value, that change will be reflected when I use dig.

Currently, I haven’t switched the nameservers on our registrar to point to the Cloudflare ones. When I dig the current domain name, it returns the same IP address as the one returned by Cloudflare’s nameserver. From my understanding, these 2 should be different since Cloudflare should be managing traffic using its own servers.

That’s your problem.

@ora The Stack Overflow link was specifically for double checking before the switch. From my understanding, if a Cloudflare account is created and a website is added, then the Cloudflare nameserver should be mapped to its own servers.

My motivation for checking before switching nameservers is that, because propagation takes up to 24 hours, rolling back will also take some time. I’d like to check that the Cloudflare nameservers are working before taking the plunge.

I understand the need to be careful. That said, it’ll be difficult to test whether or not it’s working before you switch it on. Your website will always show as not behind Cloudflare until it is behind Cloudflare.

It’s a bit strange to me that this method of testing the Cloudflare nameserver isn’t available anymore. I guess we’ll be strategic about the switch. 🙂 Thanks for your time, @ora!

That doesn’t work any more. Cloudflare has changed Name Server behavior since that post.

And be glad that they did! They finally seem to wait until an SSL certificate is issued before switching the IPs over, such that HTTPS-only sites don’t break for an indefinite period of time waiting for a certificate to be issued.

1 Like
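The check discussed in this thread (does a nameserver return a Cloudflare edge address, and does the HTTP response carry Cloudflare headers), written out as an added example that is not part of any post above. It assumes a snapshot of Cloudflare's published IPv4 ranges; the function names, the `dig +short` output and the response headers are constructed samples.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 ranges (cloudflare.com/ips-v4).
# Assumption: the list can change, so refresh it before relying on the result.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Constructed samples: 203.0.113.10 is a documentation address standing in for the origin.
ORIGIN_DIG = "203.0.113.10\n"
ORIGIN_HEADERS = {"Server": "nginx"}
PROXIED_DIG = "www.example.com.cdn.cloudflare.net.\n104.16.1.1\n172.67.1.1\n"
PROXIED_HEADERS = {"Server": "cloudflare", "CF-RAY": "constructed-sample-id"}

def parse_dig_short(output):
    """Return the IPv4 addresses in `dig +short` output, skipping CNAME targets and blanks."""
    addrs = []
    for line in output.splitlines():
        try:
            addrs.append(ipaddress.IPv4Address(line.strip()))
        except ipaddress.AddressValueError:
            continue  # not an A record line (CNAME target, comment, empty line)
    return addrs

def is_cloudflare(addr):
    """True when the address falls inside one of the listed Cloudflare ranges."""
    return any(addr in net for net in CLOUDFLARE_V4)

def has_cloudflare_headers(headers):
    """True when the response carries a CF-RAY header or a 'cloudflare' Server header."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    return "cf-ray" in h or h.get("server") == "cloudflare"

def assess(dig_output, headers):
    """Combine the DNS answer and the HTTP headers into one verdict."""
    addrs = parse_dig_short(dig_output)
    if not addrs:
        return "no A records"
    edge = [a for a in addrs if is_cloudflare(a)]
    if len(edge) == len(addrs) and has_cloudflare_headers(headers):
        return "proxied"
    if not edge and not has_cloudflare_headers(headers):
        return "origin exposed"
    return "mixed"  # DNS and headers disagree, or only some records are edge addresses
```

A "mixed" verdict is the one worth investigating: it means some records or paths still reach the origin directly.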
