Unnecessary origin IP exposure via SRV record
I am posting because I have noticed a certain problem (?) / feature during SRV record configuration.
When I give, as the value/content of the SRV record, a domain name that is secured by CloudFlare’s proxy, CloudFlare adds an ‘exposed’ equivalent, which is well-defined behaviour according to the documentation.
However, there is one very popular use-case that doesn’t need underlying IP exposure - Outlook Autodiscover (a.k.a. the _autodiscover._tcp.domain.pl. 443 SRV record).
The content of the SRV record is only the request’s domain name for the email client, and in this case CloudFlare’s behaviour only breaks it, because it replaces the SRV content’s destination domain name with an auto-generated subdomain pointing to the underlying record’s value.
- autodiscover.domain.pl. → CNAME/A (proxied) → pointing to the web server hosting the necessary autodiscover file.
- _autodiscover._tcp.domain.pl. 0 0 443, content: autodiscover.domain.pl → the original content is replaced by the autogenerated _dc-srv.xxxxxxxx.domain.pl, so not only does it change the subdomain’s name for the autodiscover request, but it exposes the origin IP as well.
I’m currently circumventing this problem by configuring the autodiscover’s SRV record content to a subdomain that is in a different domain, so the domains are isolated from each other and CloudFlare doesn’t change anything.
I would be grateful for an answer: is there any possibility to prevent this problem, or is there no way to fix it at this point, apart from the tricks of setting the record’s content to another subdomain/domain?
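
Added example, not part of the original post and not Cloudflare's code: a zone-audit check that follows each SRV target to its A records and reports any address outside the proxy ranges, run over constructed answers for the rewritten record and for the workaround described above. The IP addresses, `example.org`, the function names and the assumption that the workaround target leads back to the proxied hostname are all illustrative.

```python
import ipaddress

# Subset of Cloudflare's published IPv4 ranges; an assumption to refresh
# from https://www.cloudflare.com/ips/ before relying on the result.
CF_NETS = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "172.64.0.0/13", "173.245.48.0/20", "162.158.0.0/15")]

# Constructed answers, (name, type) -> values. As in the post, the SRV target
# has been replaced by a generated name that answers with the origin address.
REWRITTEN = {
    ("_autodiscover._tcp.domain.pl", "SRV"): ["0 0 443 _dc-srv.xxxxxxxx.domain.pl."],
    ("_dc-srv.xxxxxxxx.domain.pl", "A"): ["203.0.113.10"],  # constructed origin IP
    ("autodiscover.domain.pl", "A"): ["104.16.1.1"],         # constructed edge IP
}
# The post's workaround: the target lives in another zone (example.org is a
# hypothetical name) and is assumed to lead back to the proxied hostname.
WORKAROUND = {
    ("_autodiscover._tcp.domain.pl", "SRV"): ["0 0 443 autodiscover.example.org."],
    ("autodiscover.example.org", "CNAME"): ["autodiscover.domain.pl."],
    ("autodiscover.domain.pl", "A"): ["104.16.1.1"],
}

def norm(name):
    return name.rstrip(".").lower()

def resolve_a(name, answers, depth=0):
    """Return A-record values for name, following CNAMEs up to 8 hops."""
    name = norm(name)
    if depth > 8:
        return []
    if (name, "A") in answers:
        return list(answers[(name, "A")])
    found = []
    for target in answers.get((name, "CNAME"), []):
        found += resolve_a(target, answers, depth + 1)
    return found

def behind_proxy(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CF_NETS)

def audit_srv(srv_name, answers):
    """List (target, ip) pairs where an SRV target resolves outside CF_NETS."""
    exposed = []
    for rdata in answers.get((norm(srv_name), "SRV"), []):
        target = norm(rdata.split()[3])  # rdata: priority weight port target
        exposed += [(target, ip) for ip in resolve_a(target, answers)
                    if not behind_proxy(ip)]
    return exposed

if __name__ == "__main__":
    for label, data in (("rewritten", REWRITTEN), ("workaround", WORKAROUND)):
        print(label, audit_srv("_autodiscover._tcp.domain.pl", data) or "no exposure")
```

To audit a live zone, build the answers dictionary from your own resolver output for every SRV record in the zone.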