Proxy DNS records
The first - and often easiest - step of DDoS protection is making sure your DNS records are proxied through Cloudflare.
Without Cloudflare, DNS lookups for your application's URL return the IP address of your origin server ↗.
URL | Returned IP address |
---|---|
example.com | 192.0.2.1 |
When using Cloudflare with unproxied DNS records, DNS lookups for unproxied domains or subdomains also return your origin's IP address.
Another way of thinking about this concept is that visitors directly connect with your origin server.
flowchart LR accTitle: Connections without Cloudflare A[Visitor] <-- Connection --> B[Origin server]
With Cloudflare — meaning your domain or subdomain is using proxied DNS records — DNS lookups for your application's URL will resolve to Cloudflare anycast IPs ↗ instead of their original DNS target.
URL | Returned IP address |
---|---|
example.com | 104.16.77.250 |
This means that all requests intended for proxied hostnames will go to Cloudflare first and then be forwarded to your origin server.
flowchart LR accTitle: Connections with Cloudflare A[Visitor] <-- Connection --> B[Cloudflare global network] <-- Connection --> C[Origin server]
Cloudflare assigns specific anycast IPs to your domain dynamically and these IPs may change at any time. This is an expected part of the operation of our anycast network and does not affect the proxy behavior described above.
When your traffic is proxied through Cloudflare, Cloudflare can automatically stop DDoS attacks from ever reaching your application (and your origin server).
Proxied traffic also benefits from the default optimizations of the Cloudflare cache. Cloudflare caches certain types of resources automatically, which both speeds up your application's performance and reduces the overall number of requests.
Proxying your DNS records in Cloudflare also hides the IP address of your origin server (because requests to your application resolve to Cloudflare anycast IP addresses instead).
This obscurity makes it harder for someone to connect directly to your origin, which - by extension - also makes it harder to target your origin with a DDoS attack.
Before proxying your records, you should likely allow Cloudflare IP addresses at your origin to prevent requests from being blocked.
Then, update your Cloudflare DNS records so their Proxy status is Proxied.