Exposed IP addresses
dig query against your proxied apex domain returns a Cloudflare IP address. This way, your origin server’s IP address remains concealed from the public. Remember that orange cloud benefits only apply to HTTP traffic.
Under certain circumstances, the DNS Records panel in the Cloudflare dashboard DNS app displays a warning whenever you have DNS-only records that may expose your origin server’s IP address. This warning does not block, or in any way affect, traffic destined to your site.
When your server’s IP address is exposed, your server is more vulnerable to direct attacks. It is still possible (but more difficult) for attackers to determine your origin server IP address when proxying traffic to Cloudflare.
Below are two cases where you might receive an IP exposure warning from Cloudflare.
DNS records that should be proxied
If you receive the following warning:
This record is exposing your origin server’s IP address. To hide your origin IP address, and increase your server security, click on the grey cloud to change it to orange.
To take advantage of Cloudflare’s performance and security benefits, we recommend you proxy DNS records that handle HTTP traffic, including
DNS records that should be DNS-only
When you have a DNS-only
MX record pointing to the same origin server hosting your site, Cloudflare displays one of the following warnings:
An A, AAAA, CNAME, or MX record is pointed to your origin server exposing your origin IP.
This record is exposing your origin server’s IP address, potentially exposing it to denial of service.
dig query against these records reveals your origin server’s IP address. This information makes it easier for potential attackers to target your origin server directly.
However, there are times when some of your DNS records need to remain DNS-only. For example, you may have to host multiple services (for example, a website and email) on the same physical server.
To mitigate this risk, we recommend that you:
- Analyze the impact of hosting multiple services on the same origin server in cases when you cannot avoid having DNS-only records.
- Proxy all records that share the same origin IP address as your apex domain and can be safely proxied through Cloudflare.