SRV exposes origin IP. How to fix in DNS tab?

Hi,
I have changed my nameservers to Cloudflare’s successfully. On the DNS tab, there is a note at the top that reads, "A few more steps are required to complete your setup. Make sure all A, AAAA, and CNAME records pointing to proxied records are also proxied to avoid exposing your origin IP." This note seems somewhat ambiguous and circular and I don’t know what to do with it (i.e. …records pointing to proxied records are also proxied??? How do I know if they are “also proxied”? I have most of the Proxy Status entries Proxied, but not sure what else needs to be proxied. The DNS only ones don’t give an option to proxy (including the SRV one…see next paragraph)).

In the DNS management table, there is a SRV type with various settings when I expand the line. It has an orange triangle with an exclamation point in it that when I hover, it says “This record exposes your origin IP.” I have no idea how to fix this, or even what to search for in order to find the solution. I found all kinds of things that got me more confused than I was when I started.

I want to be sure everything is set up properly, but I am new enough to all of this that I feel like a fish out of water…on the sand…in the desert…on Mars.
Thanks for any help!
Jon

2 Likes

If you’re running something other than a website on your server, you have to expose the Origin IP address because Cloudflare only proxies HTTP/S.

*Unless you’re using the Spectrum Service which is either an Enterprise feature, or you’ve enabled it for SSH or Minecraft.

1 Like

Hey @sdayman
Yes, I’m getting my email through my host as well (DreamHost). Is there anything to be done to protect? I am also running the free version of the Wordfence plugin on my WordPress site. That might help.

You’re certainly better off now, but a determined attacker will find out your origin IP address and try to attack the IP address directly instead of using the hostname that would go through Cloudflare.

It’s good that you’re running Wordfence, and my feeling is that someone attacking your IP address directly becomes DreamHost’s problem to stop a DDoS. Though they might null-route your server (so nobody can reach the website), or threaten to kick you out. But all that is only if you have the rare misfortune of being attacked directly at the origin.

Glad it sounds like it’s not too likely. Plus my site is only for a small local business (counseling) and will get very low traffic… nothing sold on the site… it’s just information on my practice.

1 Like

Cloudflare only proxies HTTPS; if you have, for example, a mail server or another service, you mustn’t enable the “cloud” proxy for that record. If your SRV record isn’t clear to you, you can post it.
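The rule the two replies above describe (only HTTP/S can hide behind the proxy; a mail, SIP or other non-web service has to reach the real server) can be turned into a small audit of a zone's record list. The script below is an added example written for this thread, not Cloudflare's own check or code from any poster. It assumes a hand-built list of records in Cloudflare's table columns (type, name, content, proxy status) and one modelling rule: MX and SRV targets are treated as exposing the origin even when the target hostname is proxied, because those protocols are not proxied and so must end at the real address; a DNS-only CNAME whose target is proxied is not flagged, since a resolver following it gets Cloudflare's edge address.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Record:
    rtype: str      # "A", "AAAA", "CNAME", "MX" or "SRV"
    name: str       # owner name, e.g. "example.com"
    content: str    # IP address, or target host (SRV: "prio weight port target")
    proxied: bool = False

def target_host(r: Record) -> str:
    # SRV content carries priority/weight/port before the target; MX/CNAME carry just the target.
    return r.content.split()[-1].rstrip(".")

def in_zone_ips(host: str, records: list[Record], include_proxied: bool, hops: int = 0) -> set[str]:
    """IPs `host` ends at after following in-zone CNAMEs.
    With include_proxied=False a proxied hop yields nothing: a resolver would be
    answered with Cloudflare's edge address, not the origin."""
    if hops > 8:                      # guard against CNAME loops in a bad zone
        return set()
    ips: set[str] = set()
    for r in records:
        if r.name != host or (r.proxied and not include_proxied):
            continue
        if r.rtype in ("A", "AAAA"):
            ips.add(r.content)
        elif r.rtype == "CNAME":
            ips |= in_zone_ips(target_host(r), records, include_proxied, hops + 1)
    return ips

def exposing_records(records: list[Record]) -> list[Record]:
    """DNS-only records that publish an address a proxied record is meant to hide."""
    hidden = {r.content for r in records if r.proxied and r.rtype in ("A", "AAAA")}
    flagged = []
    for r in records:
        if r.proxied:
            continue
        if r.rtype in ("A", "AAAA"):
            seen = {r.content}
        elif r.rtype == "CNAME":
            seen = in_zone_ips(target_host(r), records, include_proxied=False)
        else:  # MX / SRV: assumption, the service is not proxied so the real address is what gets used
            seen = in_zone_ips(target_host(r), records, include_proxied=True)
        if seen & hidden:
            flagged.append(r)
    return flagged

# Constructed sample zone, loosely modelled on the situation in the thread (not real records).
ZONE = [
    Record("A", "example.com", "203.0.113.10", proxied=True),
    Record("CNAME", "www.example.com", "example.com", proxied=True),
    Record("CNAME", "blog.example.com", "example.com"),                 # DNS only, but target proxied
    Record("A", "mail.example.com", "203.0.113.10"),                    # same box as the website
    Record("A", "vpn.example.com", "198.51.100.7"),                     # different host, nothing hidden
    Record("MX", "example.com", "10 mail.example.com"),
    Record("SRV", "_sip._tcp.example.com", "10 5 5060 example.com"),
    Record("SRV", "_imaps._tcp.example.com", "0 1 993 mail.example.com"),
]

if __name__ == "__main__":
    for r in exposing_records(ZONE):
        print(f"{r.rtype:5} {r.name:28} -> exposes origin IP")
```

Records the audit flags are the ones where the only real fix is moving that service to a different address than the proxied website, as the replies above point out; the proxy toggle cannot hide them.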

Hi - similarly, one of my DNS Only records (SRV) is exposing my IP and I don’t know how to fix it.

I’ve flagged my original response as the Solution.
