Requests for unknown hosts run through security layer

It would appear requests for unknown hosts are still mapped to their respective zone and run through the security layers before being rejected.

I just had the case where requests for previously configured hosts showed up in the firewall log. Considering these hosts do not exist any more I would assume at this point whoever sent the requests cached the IP and connected to it using the, now, outdated hostnames and I would have expected those requests to be rejected straight away without any additional processing steps. Request comes in for an unknown host -> Cloudflare immediately rejects it.

That does not seem to be the case however. These requests still seem to be mapped to their respective zone and run through its security layer configuration (firewall engine, IP access rules, etc.) and show up as entries if there is a match. Should that really be the case? I would believe it shouldn't.

For the record, I opened ticket #1671031 but the response was not all too useful.

It is less expensive and faster to check later in the pipeline.

So that behaviour is deliberate then?

Well I haven’t checked, but I assume so. The other options I could see would be to either maintain a list of all hosts in memory or do a lookup. That lookup would be slow/expensive relatively speaking. If you request an object which is cached (for example) we never get around to doing a DNS lookup on the host, we simply return the object from cache.

A list/lookup/whatever of valid hosts would have been my original assumption.

What it seems to do right now is

  1. Extract the zone
  2. Run the request through the zone’s security settings
  3. (Maybe something else)
  4. Check if the requested host is actually valid

My understanding would have been #2 and #4 would be swapped. That's apparently not the case though and would explain the observed behaviour.
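The two orderings discussed in this thread, as an added example that is not part of the original posts and not Cloudflare's code: a small Python model runs constructed requests through "security layer before host check" (the order the thread infers) and through the swapped order, and shows why only the first one produces firewall log entries for hostnames that are no longer configured. The hostnames, the blocked source IP and the zone-mapping rule are all constructed assumptions; the real pipeline is not visible here. The `stale_host_events` helper is the practical takeaway: with the observed ordering, an operator who wants to separate traffic to decommissioned hostnames from traffic to live ones can filter firewall events against the list of currently configured hosts.

```python
"""Model of the request-pipeline ordering discussed in the thread (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    host: str    # Host header of the incoming request
    src_ip: str  # source address of the client


# Constructed configuration: the zone currently serves only these two hosts.
CONFIGURED_HOSTS = {"www.example.com", "api.example.com"}
# Constructed IP access rule: requests from this source are blocked.
BLOCKED_IPS = {"203.0.113.9"}


def zone_of(host: str) -> str:
    """Map a hostname to its zone (simplified: the last two labels)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def security_layer(req: Request, zone: str, log: list) -> bool:
    """Evaluate the zone's IP access rules; a match is written to the firewall log."""
    if req.src_ip in BLOCKED_IPS:
        log.append({"zone": zone, "host": req.host, "src_ip": req.src_ip, "action": "block"})
        return False
    return True


def process_observed_order(req: Request, log: list) -> str:
    """Order the thread infers: zone -> security layer -> host validity check."""
    zone = zone_of(req.host)
    if not security_layer(req, zone, log):
        return "blocked_by_security"
    if req.host not in CONFIGURED_HOSTS:
        return "rejected_unknown_host"
    return "served"


def process_expected_order(req: Request, log: list) -> str:
    """Order the original poster expected: zone -> host validity check -> security layer."""
    zone = zone_of(req.host)
    if req.host not in CONFIGURED_HOSTS:
        return "rejected_unknown_host"
    if not security_layer(req, zone, log):
        return "blocked_by_security"
    return "served"


def run_batch(requests, processor):
    """Run requests through one ordering; return (outcomes, firewall log)."""
    log: list = []
    outcomes = [processor(r, log) for r in requests]
    return outcomes, log


def stale_host_events(log: list, configured_hosts: set) -> list:
    """Firewall events whose hostname is not (or no longer) configured in the zone."""
    return [e for e in log if e["host"] not in configured_hosts]


# Constructed sample traffic: one request to a decommissioned hostname from a blocked
# source, one legitimate request, one request to a live hostname from a blocked source.
SAMPLE_REQUESTS = [
    Request("old.example.com", "203.0.113.9"),
    Request("www.example.com", "198.51.100.4"),
    Request("api.example.com", "203.0.113.9"),
]

if __name__ == "__main__":
    for name, proc in (("observed", process_observed_order), ("expected", process_expected_order)):
        outcomes, log = run_batch(SAMPLE_REQUESTS, proc)
        print(name, outcomes)
        print("  firewall events for unconfigured hosts:", stale_host_events(log, CONFIGURED_HOSTS))
```

With the observed ordering the request for `old.example.com` from the blocked source is logged as a firewall block before the host is ever checked, which is exactly the "previously configured hosts showing up in the firewall log" effect described above; with the swapped ordering the same request is rejected as an unknown host and never reaches the rules, so no entry is written.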

This topic was automatically closed after 14 days. New replies are no longer allowed.