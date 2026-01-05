Random hostnames
If you use a partial (CNAME) zone setup, you may see hundreds of random hostnames in your HTTP request logs despite only proxying a few DNS records. This is caused by Host header manipulation attacks, not a bug in Cloudflare logging.
Attackers use a technique called Host header injection:
- They discover the Cloudflare IP addresses serving your proxied hostname (for example, via DNS lookup of a known proxied subdomain).
- They send HTTP requests directly to those IPs with forged
Hostheaders containing random subdomain guesses.
- Cloudflare logs the
Hostheader value as-is in the
ClientRequestHostfield.
- The requests reach Cloudflare because they target valid Cloudflare IPs — but the attacker controls the
Hostheader content.
The
http.host field contains the
Host header from the original request, which means attacker-controlled values appear in your logs.
With partial (CNAME) zones:
- Only specific hostnames point to Cloudflare via CNAME at your authoritative DNS provider.
- Cloudflare does not control the full zone, so it cannot validate that incoming
Hostheaders match configured records.
- Attackers can enumerate subdomains by sending requests to known-good IPs with guessed
Hostheaders.
|Indicator
|What to look for
|Request count distribution
|Legitimate hostnames have thousands of requests. Suspicious hostnames have exactly two to five requests each.
|Hostname patterns
|Sequential numbers (
0-0,
0-56,
007), common words (
admin,
api,
test,
staging), or internal service names (
airflow,
consul,
prometheus).
|Source IPs
|Suspicious requests often come from a small set of IPs (scanner infrastructure).
|Response codes
|Many 4xx responses (hostname not found, SSL mismatch).
|DNS correlation
|Suspicious hostnames do not appear in DNS query logs.
Create a WAF custom rule that only allows requests with valid
Host headers:
Yes. If you prefer cleaner logs without blocking traffic:
- At Logpush level — Filter the job to include only known-good hostnames using Logpush filters.
- At SIEM level — Filter or exclude hostnames with request counts below a threshold during log analysis.
Possibly, if the
Host header happens to match a configured hostname or if you have a default or catch-all origin. Check
EdgeResponseStatus and
OriginResponseStatus to see if origins were contacted.
The risk is low to moderate. The main concerns are:
- Information disclosure if error pages reveal internal details.
- Resource consumption if requests reach your origin.
- Log noise that makes real attacks harder to identify.
Automated scanners typically send one to two requests per subdomain guess — one initial probe and possibly one retry. This uniform distribution is a reliable indicator of scanning activity.
After implementing a WAF rule:
- Check Firewall Events for blocked requests matching your rule.
- Compare log volume before and after — suspicious hostnames should disappear.
- Verify legitimate traffic is unaffected by checking request counts for real hostnames.
