Protect origin IP address
To prevent attackers from discovering your origin’s IP address, review the following suggestions.
Rotate IP addresses
DNS records are in the public domain, meaning that - even though your IP addresses are hidden once you proxy your DNS records - someone could uncover historical records of your addresses.
Review unproxied DNS records
Unproxied DNS records - also known as DNS-only records - can sometimes contain origin IP information, especially those used for FTP or SSH.
Conceal unproxied DNS records
If you need to have DNS-only records that contain origin IP information, use non-standard names for these records. This action makes dictionary scans of your DNS less likely to expose your origin IP address.
For example, instead of ftp.example.com, you could use
Evaluate mail infrastructure
If possible, do not host a mail service on the same server as the web resource you want to protect, since emails sent to non-existent addresses get bounced back to the attacker and reveal the mail server IP address.
Cloudflare recommends using non-contiguous IPs from different IP ranges.
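The review described in the sections above can be run as a check over an exported record list. The following is an added example, not Cloudflare's code: it assumes records shaped like Cloudflare API DNS record objects (`type`, `name`, `content`, `proxied`), and the sample records, the `COMMON_LABELS` word list and the /24 threshold for "contiguous" are constructed assumptions.

```python
import ipaddress

# Constructed sample in the shape of Cloudflare API DNS record objects
# (type, name, content, proxied). Addresses are documentation ranges.
RECORDS = [
    {"type": "A", "name": "www.example.com", "content": "203.0.113.10", "proxied": True},
    {"type": "A", "name": "ftp.example.com", "content": "203.0.113.10", "proxied": False},
    {"type": "A", "name": "x7k2q.example.com", "content": "203.0.113.10", "proxied": False},
    {"type": "A", "name": "mail.example.com", "content": "203.0.113.11", "proxied": False},
    {"type": "MX", "name": "example.com", "content": "mail.example.com", "proxied": False},
    {"type": "A", "name": "status.example.com", "content": "198.51.100.7", "proxied": False},
]
# Assumption: labels a dictionary scan is likely to try.
COMMON_LABELS = {"ftp", "ssh", "sftp", "mail", "smtp", "direct", "origin", "dev"}

def audit(records, near_prefix=24):
    """Return {record name: sorted list of issues} for DNS-only records."""
    addr = [r for r in records if r["type"] in ("A", "AAAA")]
    # Addresses behind proxied records are the ones that must stay hidden.
    origins = {ipaddress.ip_address(r["content"]) for r in addr if r["proxied"]}
    # Assumption: "contiguous" means sharing a /near_prefix block with an origin.
    near = [ipaddress.ip_network(f"{ip}/{near_prefix}", strict=False) for ip in origins]
    mx_targets = {r["content"].rstrip(".") for r in records if r["type"] == "MX"}
    findings = {}
    for r in addr:
        if r["proxied"]:
            continue
        ip = ipaddress.ip_address(r["content"])
        issues = set()
        if ip in origins:
            issues.add("exposes-origin-ip")
        elif any(ip in net for net in near):
            issues.add("contiguous-with-origin")
        # A guessable name or a mail role only matters if the address is sensitive.
        if issues and r["name"].split(".")[0] in COMMON_LABELS:
            issues.add("guessable-name")
        if issues and r["name"] in mx_targets:
            issues.add("mail-host-near-origin")
        if issues:
            findings[r["name"]] = sorted(issues)
    return findings

if __name__ == "__main__":
    for name, issues in audit(RECORDS).items():
        print(f"{name}: {', '.join(issues)}")
```

A record with a non-standard name that still carries the origin address is reported as `exposes-origin-ip`: renaming lowers the chance of discovery by dictionary scan but does not remove the exposure.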