Unnecessary origin IP exposure via SRV record

Hello.
I am posting because I have noticed a certain problem (?) / feature during SRV record configuration.
When I give a domain name that is secured by Cloudflare’s proxy as the value/content of the SRV record, Cloudflare adds an ‘exposed’ equivalent, which is well-defined behaviour according to the documentation.

However, there is one very popular use case that doesn’t need underlying IP exposure - Outlook Autodiscover (i.e. the _autodiscover._tcp.domain.pl. 443 SRV record).

The content of the SRV record is only the request’s domain name for the email client, and in this case Cloudflare’s behaviour only breaks it, because it replaces the SRV content’s destination domain name with an auto-generated subdomain pointing to the underlying record’s value.

Example:

  1. autodiscover.domain.pl. → CNAME/A (proxied) → pointing to the web server hosting the necessary autodiscover file.
  2. _autodiscover._tcp.domain.pl. 0 0 443, content: autodiscover.domain.pl → the original content is replaced by the auto-generated _dc-srv.xxxxxxxx.domain.pl, so not only does it change the subdomain name for the autodiscover request, but it exposes the origin IP as well.

I’m currently circumventing this problem by configuring the autodiscover SRV record’s content to a subdomain in a different domain, so the domains are isolated from each other and Cloudflare doesn’t change anything.

I would be grateful for an answer: is there any way to prevent this problem, or is there no way to fix it at this point apart from the trick of setting the record’s content to another subdomain/domain?

Regards.

@MoreHelp

I don’t know how Autodiscover works, but if it’s an HTTPS connection over Port 443, it’d be nice if Cloudflare would detect that and not expose the IP address. You’ll have to open a ticket and see if there’s a way to override this.

Ironically, there was a recent glitch where it wasn’t exposing the Origin IP address. But they fixed it.

To contact Cloudflare Customer Support, log in and go to https://dash.cloudflare.com/?account=support and select get more help. If you receive an automatic response that does not help resolve your issue, reply and indicate that you still require assistance. And, please share your ticket number here so that we can track it.


Yes, autodiscover works through normal GET/POST HTTP/HTTPS queries on ports 80/443 to an XML/JSON file.
The _autodiscover._tcp SRV record value is just the destination hostname (a hint for the client) for the HTTP request.

I sent a ticket even before I put the post here :)
id: #2167568

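As an added example (not from the thread, and not Cloudflare’s code), a small offline check for the behaviour described in the two posts above and for the cross-domain workaround: it follows an SRV record to its target’s A records in a constructed resolver snapshot, flags the auto-generated `_dc-srv.` label, and reports any resolved address that is not inside Cloudflare’s proxy ranges. The Cloudflare prefixes are a subset of the published list and should be refreshed from it; the `_dc-srv` label format, hostnames and addresses are assumed or constructed.

```python
import ipaddress
import re

# Assumption: a handful of the IPv4 prefixes Cloudflare publishes at
# https://www.cloudflare.com/ips-v4; check the live list before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "173.245.48.0/20",
    "141.101.64.0/18", "108.162.192.0/18", "162.158.0.0/15", "188.114.96.0/20",
)]

# The thread reports that a proxied SRV target is rewritten to an auto-generated
# label of the form _dc-srv.xxxxxxxx.domain.pl; the middle label's format is assumed.
DC_SRV_LABEL = re.compile(r"^_dc-srv\.[^.]+\.", re.IGNORECASE)


def is_cloudflare(ip: str) -> bool:
    """True if the address lies inside one of the listed Cloudflare prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def audit_srv(zone: dict, srv_name: str) -> dict:
    """Follow an SRV record to its target's A records and report whether the
    target was rewritten and whether any resolved address bypasses the proxy."""
    rr = zone[srv_name]
    target = rr["target"].rstrip(".")
    ips = zone.get(target, {}).get("a", [])
    exposed = [ip for ip in ips if not is_cloudflare(ip)]
    return {
        "target": target,
        "rewritten": DC_SRV_LABEL.match(target) is not None,
        "exposed_ips": exposed,
        "ok": bool(ips) and not exposed,
    }


# Constructed snapshot of resolver answers (not real data). The first SRV shows the
# behaviour described in the thread; the second shows the cross-domain workaround.
ZONE = {
    "autodiscover.domain.pl": {"a": ["104.16.1.1"]},            # proxied edge address
    "_dc-srv.abc12345.domain.pl": {"a": ["203.0.113.10"]},      # origin (TEST-NET-3)
    "_autodiscover._tcp.domain.pl": {"port": 443, "target": "_dc-srv.abc12345.domain.pl."},
    "autodiscover.other-domain.example": {"a": ["172.64.2.2"]}, # proxied, other zone
    "_autodiscover._tcp.fixed.pl": {"port": 443, "target": "autodiscover.other-domain.example."},
}

if __name__ == "__main__":
    for name in ("_autodiscover._tcp.domain.pl", "_autodiscover._tcp.fixed.pl"):
        print(name, audit_srv(ZONE, name))
```

Run against live data by replacing `ZONE` with the SRV/A answers your resolver actually returns; a result with `rewritten` set and a non-empty `exposed_ips` is the leak the thread describes.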

Hi all,

Unfortunately, we can’t know if the record created by someone is intended for HTTP only or for TCP-based traffic. Things would change if _autodiscover were defined by an RFC (I haven’t checked yet whether it is, though). The only exception to this that I could imagine is that the destination ports (80/443) are themselves defined, which we could use to detect such a use case.

Thanks for creating the ticket. According to it, we’ve added it to our feature requests list.

