Hello Cloudflare Community.
We currently leverage the Load Balancer capability and have 1 use case to help obfuscate our IP addresses.
CAVEAT: This is for a gaming service and we proxy connections directly to our IPs. Thus, we cannot use the Cloudflare PROXY infrastructure, as it needs to support 2 custom ports and connections. So we CURRENTLY LEVERAGE THE GRAY CLOUD for this use case.
ISSUE: We want to avoid domain resolution in our node pools (nslookup domain.com) resolving all IPs from origin. This is to avoid an attacker getting a list of all our IP addresses. How could we address this?
1 IDEA: I noticed Cloudflare doesn’t resolve the DNS request if the origin is not coming from the specified regional setting (i.e., if you have a pool with regional coordinates in Brazil and another with regional coordinates in the US, if you do an NSLOOKUP from Brazil you won’t be able to resolve the IPs from the US).
Thus, we could set up multiple regions; if an attacker resolves it, they would only resolve the couple of proxies in that region. The PROBLEM with this is distribution: we would not be able to distribute traffic well.
Are there other alternatives?
GOAL: I don’t want to expose all my IPs in my load balancer when an attacker does an nslookup domain.com. I want to obfuscate the DNS request.
Thanks in advance!