Protection against DDoS attacks and SSL certificates for subdomains in DNS partial (CNAME) settings

kusanagi · October 30, 2023, 6:07am

I checked the documentation and community description of the title, but I am not sure about the following items.

(1) Can I use Cloudflare DDoS attack protection on L3/L4 layer and also on HTTPS access with Partial(CNAME) setup domain?
In my research, I found the following statements in the documentation and community.

Partial (CNAME) setup - Cloudflare Docs

DDoS protection for attacks against DNS infrastructure is only available for domains on full setup. Domains on the partial setup are not using Cloudflare authoritative nameservers.

Protect only a subdomain from DDoS - Cloudflare Community

If you for some reason cannot delegate the root domain to Cloudflare, the other option you would have, would be by using a Partial setup:

I have the following questions based on the above statements.

Does the statement “DDoS protection for attacks against DNS infrastructure” mean DDoS attack protection in the path to name resolution at the L3/L4 layer?
I can’t find a clear description of DDoS attack protection for HTTPS access to the web server when using CNAME setup.Please let me know about this.

(2) When using the CNAME setup, will the automatically created Universal SSL certificate be a wildcard for the CNAME registered subdomain or for the naked domain?

I know that in case of DNS Full setup, the Universal SSL certificate that is automatically created is a wildcard SSL certificate for the naked domain (ex. *.example.com). However, if I register only a subdomain with using Cloudflare CNAME setup, I would like to know if it is possible to install an SSL certificate for only the subdomain on Cloudflare. If not, please let me know if there is a way to handle this.

Thank you.

cscharff · October 31, 2023, 12:50am

It means Cloudflare provides DNS DDoS protection for domains using it for authoritative DNS. If DNS is hosted by another server / service Cloudflare cant protect that from a DDoS attack.

When proxied the DDoS protections for HTTPS don’t differ from a full setup.

No. Enable Universal SSL certificates · Cloudflare SSL/TLS docs

kusanagi · October 31, 2023, 9:52am

Hi cscharff.
Thank you for your rapidly support.

I understood about DDoS protection behavior with partial setup.

I’m now reading document about SSL certificate with partial setup.
I will post addtional comment about SSL certificate if I don7T understand that supecification.

Kind regards,

kusanagi · November 1, 2023, 6:23am

I have an addtional question.

I found out below documents related SSL certificates with DNS Partial setup…

Limitations for Universal SSL - CNAME setup - Cloudflare Docs

On a CNAME setup zone, each subdomain has its own Universal SSL certificate and does not require additional features or purchases.

Custom certificates - Cloudflare Docs

If your custom certificate does not cover all of your first-level hostnames, you can enable Universal SSL certificate to cover them.

Do these statements mean that the DNS Partial Setup cannot use the custom certificate feature and can only use universal certificates?

Regards,

system · November 16, 2023, 6:23am

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.