Protect your origin server — Enterprise
Receiving too many requests can be bad for your origin. These requests might increase latency for visitors, incur higher costs — particularly for cloud-based machines — and could knock your application offline.
Select a plan to see how Cloudflare can help you protect your origin:
Secure origin connections
Securing origin connections prevents attackers from discovering your origin server and overloading it with requests.
- Proxy records (when possible): Set up to hide your origin IP addresses and provide DDoS protection. As part of this, you should at your origin to prevent requests from being blocked.
- Review DNS-only records: Audit existing DNS-only records (TXT, and more) to make sure they do not contain origin IP information.
- Evaluate mail infrastructure: If possible, do not host a mail service on the same server as the web resource you want to protect, since emails sent to non-existent addresses get bounced back to the attacker and reveal the mail server IP.
- Rotate origin IPs: Once , rotate your origin IPs, as DNS records are in the public domain. Historical records are kept and would contain IP addresses prior to joining Cloudflare.
- Prevent external connections:
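One way to run the DNS-only audit described in the list above, including the mail-server case, as an added example that is not Cloudflare's own code or tooling. The record shape (`name`, `type`, `content`, `proxied`), the function names and every address are assumptions constructed for illustration; supply your own record export and origin ranges.

```python
import ipaddress
import re

# Constructed sample data (not from the page). Addresses are documentation
# ranges; field names (name/type/content/proxied) are an assumed export shape.
ORIGIN_NETS = ["203.0.113.10/32", "2001:db8:10::/64"]
RECORDS = [
    {"name": "www.example.com", "type": "A", "content": "203.0.113.10", "proxied": True},
    {"name": "mail.example.com", "type": "A", "content": "203.0.113.10", "proxied": False},
    {"name": "example.com", "type": "MX", "content": "mail.example.com", "proxied": False},
    {"name": "example.com", "type": "TXT", "proxied": False,
     "content": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:10::25 -all"},
    {"name": "_verify.example.com", "type": "TXT", "content": "token=abc123", "proxied": False},
    {"name": "status.example.com", "type": "A", "content": "198.51.100.7", "proxied": False},
]


def networks_in(text):
    """Yield each IPv4/IPv6 address or CIDR literal embedded in record content."""
    for token in re.split(r'[\s,;"=]+', text):
        token = re.sub(r"^ip[46]:", "", token, flags=re.IGNORECASE)  # SPF mechanisms
        if not token:
            continue
        try:
            yield ipaddress.ip_network(token, strict=False)
        except ValueError:
            continue  # hostname or other non-IP text


def find_origin_leaks(records, origin_nets):
    """Return (name, type, network) for DNS-only records that expose an origin address."""
    origins = [ipaddress.ip_network(n, strict=False) for n in origin_nets]
    leaks = []
    for rec in records:
        if rec.get("proxied"):
            continue  # proxied records answer with edge addresses, not the origin
        for net in networks_in(rec["content"]):
            # Overlap (not equality) so a /24 in SPF covering the origin is caught too.
            if any(net.version == o.version and net.overlaps(o) for o in origins):
                leaks.append((rec["name"], rec["type"], str(net)))
    return leaks


if __name__ == "__main__":
    for name, rtype, net in find_origin_leaks(RECORDS, ORIGIN_NETS):
        print(f"LEAK {rtype:4} {name} -> {net}")
```

The check only sees literals present in the records it is given; names that point outside the exported zone still need to be resolved and compared separately.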
Monitor origin health
For passive monitoring, for Origin Error Rate Alerts to receive alerts when your origin returns 5xx codes above a configurable threshold and Passive Origin Monitoring to see when Cloudflare is unable to reach your origin for a few minutes.
Zero Downtime Failover
If you have another A or AAAA record in your Cloudflare DNS or your Cloudflare Load Balancer provides another origin in the same pool, Zero-Downtime Failover automatically retries requests to your origin even before a Load Balancing decision is made.