I have an API which my internal servers connect to with a secure websocket connection (proxied through Cloudflare). I noticed that I have been getting multiple websocket closes (code 1006) in the last few days. I don't really need to proxy the wss connection through Cloudflare, so I was thinking: could I create a subdomain which connects directly to the API without any of Cloudflare's DDoS protection? I am mostly worried that people would find the subdomain, which would reveal the API server's origin IP.
Cloudflare doesn't support DNS zone transfers, so there should be no way for someone to find a secret subdomain, assuming it's a very long randomly-generated string.
What you should still do is set up the firewall on your server to only accept connections from Cloudflare IPs, and then also allow traffic from the IP addresses/IP range of your internal servers, so even if someone brute-forces and finds the subdomain, the traffic will be blocked.
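A small helper for the firewall advice above, added here as an example and not code from the thread: it builds the allowlist (Cloudflare ranges plus your internal range), dry-runs it against existing connection log lines so you can confirm your own servers would not be locked out before enabling the rules, and renders the matching nftables ruleset. The two Cloudflare ranges are a sample subset to be replaced with the full published list, and the internal range, port and log lines are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Sample subset only: refresh from Cloudflare's published list (https://www.cloudflare.com/ips/).
CLOUDFLARE_RANGES = ["173.245.48.0/20", "103.21.244.0/22"]
# Placeholder: the range your internal servers connect from.
INTERNAL_RANGES = ["10.20.0.0/16"]
API_PORT = 443  # placeholder: port the wss API listens on

def build_allowlist(cloudflare=CLOUDFLARE_RANGES, internal=INTERNAL_RANGES):
    """Parse both sets of ranges into network objects; bad entries fail loudly here, not at nft load time."""
    return [ip_network(cidr, strict=True) for cidr in cloudflare + internal]

def is_allowed(addr, allowlist):
    """True if addr falls inside any allowed network (an IPv6 addr never matches an IPv4 net)."""
    ip = ip_address(addr)
    return any(ip in net for net in allowlist)

def audit_log(lines, allowlist):
    """Dry run: given 'src_ip status' lines from the current server, return the sources that would be dropped."""
    dropped = []
    for line in lines:
        src = line.split()[0]
        if not is_allowed(src, allowlist):
            dropped.append(src)
    return dropped

def nft_ruleset(allowlist, port=API_PORT):
    """Render an nftables ruleset: accept the API port from the allowlist, drop it from everyone else."""
    elements = ", ".join(str(net) for net in allowlist)
    return "\n".join([
        "table inet api_filter {",
        "    set allowed_v4 {",
        "        type ipv4_addr",
        "        flags interval",
        f"        elements = {{ {elements} }}",
        "    }",
        "    chain input {",
        "        type filter hook input priority 0; policy accept;",
        f"        tcp dport {port} ip saddr @allowed_v4 accept",
        f"        tcp dport {port} drop",
        "    }",
        "}",
    ])

# Constructed sample connection log: one internal server, one Cloudflare edge, one unknown client.
SAMPLE_LOG = ["10.20.4.17 ws_open", "173.245.50.9 ws_open", "198.51.100.23 ws_open"]

if __name__ == "__main__":
    allow = build_allowlist()
    print("would be dropped:", audit_log(SAMPLE_LOG, allow))
    print(nft_ruleset(allow))
```

Load the rendered ruleset with `nft -f` only after the dry run reports nothing but unexpected sources.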