Is there a way to bypass DNS proxy for specific hostnames?

Wondering if there is a way to use a rule or filter to bypass DNS proxy for a specific hostname or hostname range? Specifically, so that traffic from the provided hostname(s) can see the actual / real IP addresses for a site rather than the proxied addresses.

Oh…from hostnames. No. If they’re using the same DNS that everybody else uses, they’ll get the proxied IP address. They’d have to modify DNS at their end with origin IP addresses.

Using a host file or split brain DNS yes.

Why would you want to do that though out of curiosity.
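The "host file or split brain DNS" answer above amounts to running your own resolver view: clients you control get the origin address, everyone else gets the proxied one. The following is an added illustration, not code from the thread or from Cloudflare; the hostname, the 203.0.113.x/192.0.2.x addresses and the internal networks are constructed placeholders from documentation and private ranges, and `classify_answer` is a hypothetical helper for checking whether a resolver answer you received is the proxied or the origin set.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SplitRecord:
    """Two views of one hostname: what the public resolver hands out
    (the proxy's edge addresses) and the real origin address."""
    proxied: tuple[str, ...]
    origin: tuple[str, ...]


# Constructed sample zone. 203.0.113.0/24 and 192.0.2.0/24 are
# documentation ranges, so nothing here points at real infrastructure.
ZONE: dict[str, SplitRecord] = {
    "www.example.com": SplitRecord(
        proxied=("203.0.113.10", "203.0.113.11"),
        origin=("192.0.2.50",),
    ),
}

# Networks whose clients are allowed to see origin addresses
# (the "internal view" of a split-horizon resolver). Constructed sample.
INTERNAL_VIEW = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
)


def _key(hostname: str) -> str:
    # Normalise case and a trailing dot so lookups match the zone keys.
    return hostname.lower().rstrip(".")


def resolve(hostname: str, client_ip: str,
            zone: dict[str, SplitRecord] = ZONE,
            internal=INTERNAL_VIEW) -> list[str] | None:
    """Split-horizon lookup: internal clients get origin addresses,
    everyone else gets the proxied addresses. None if the name is unknown."""
    rec = zone.get(_key(hostname))
    if rec is None:
        return None
    addr = ipaddress.ip_address(client_ip)
    if any(addr in net for net in internal):
        return list(rec.origin)
    return list(rec.proxied)


def hosts_file_lines(zone: dict[str, SplitRecord] = ZONE) -> list[str]:
    """Render the origin view as hosts-file lines, the per-machine
    alternative to running a split-horizon resolver."""
    return [f"{ip} {name}" for name, rec in zone.items() for ip in rec.origin]


def classify_answer(hostname: str, answers: list[str],
                    zone: dict[str, SplitRecord] = ZONE) -> str:
    """Tell whether a resolver answer you observed is the proxied set,
    the origin set, or neither. Useful as a check that the proxy is
    actually on (or off) for a name before relying on it."""
    rec = zone.get(_key(hostname))
    if rec is None or not answers:
        return "unknown"
    got = set(answers)
    if got <= set(rec.proxied):
        return "proxied"
    if got <= set(rec.origin):
        return "origin"
    return "unknown"


if __name__ == "__main__":
    print(resolve("www.example.com", "10.1.2.3"))       # internal view
    print(resolve("www.example.com", "198.51.100.7"))   # public view
    print("\n".join(hosts_file_lines()))
    print(classify_answer("www.example.com", ["203.0.113.11"]))
```

The point the reply makes falls out of the code: `resolve` only returns an origin address when the query arrives from a network the resolver operator chose to trust, so a client using the public resolver can never obtain it. `classify_answer` is the kind of check a practitioner would run from a script after toggling the proxy, instead of eyeballing the dashboard.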

I was thinking if there was a way I could allow Let’s Encrypt through the proxy, then those SSL certificates would be able to auto-renew. Right now I have to just keep track of when an SSL is about to expire, and then turn off Cloudflare DNS proxy the day of, manually force renewal of the certificate, then when it goes through, turn proxy back on.

How much control do you have over the Let’s Encrypt process?

Or you can just install a Cloudflare Origin cert and be done with it for 15 years (or less…it’s up to you).

The process is pretty automated right now, with the hosting provider. Which is why I’m running into issues. I can’t install the certificate myself.

I want an additional SSL underneath Cloudflare’s so that if Cloudflare goes down or is not run on a user’s browser that they will still get a secure connection.

It sounds like you’re stuck with your current routine unless the host makes some changes. I believe they usually rely on DNS validation, which fails if they don’t control your domain’s DNS.

That’s unfortunate. Many hosts do allow for this. It’s generally available in cPanel. And if there’s concern about the extremely rare chance of Cloudflare going down, your disaster plan would have to include Name Server changes that can take up to 48 hours, in which case you’d have enough time to switch your hosting SSL over to Let’s Encrypt.

