Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


Skip to content
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
  • Search
Skins
  • Light
  • Brite
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor

  • Default (No Skin)
  • No Skin
Collapse
Brand Logo

Cloudron Forum

Apps | Demo | Docs | Install
  1. Cloudron Forum
  2. Discuss
  3. Is the (Cloudflare) auto-DNS setup secure using "DNS Only", as opposed to "Proxied"

Is the (Cloudflare) auto-DNS setup secure using "DNS Only", as opposed to "Proxied"

Scheduled Pinned Locked Moved Solved Discuss
cloudflarednssecurity
7 Posts 4 Posters 2.4k Views 4 Watching
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • marcusquinnM Offline
    marcusquinnM Offline
    marcusquinn
    wrote on last edited by girish
    #1

    "DNS Only" exposes the server IP address.

    Doesn't this make DDOS on the server IP more likely if an attacker bypasses the Cloudflare WAF on the domain to go straight for the server IP?

    Web Design & Development: https://www.evergreen.je
    Technology & Apps: https://www.marcusquinn.com

    1 Reply Last reply
    0
    • girishG Offline
      girishG Offline
      girish
      Staff
      wrote on last edited by girish
      #2

      @marcuswquinn Yes, the default setup is simply to setup the DNS to point to the server IP. One can enable provider specific options like Proxied mode, WAF etc from the Cloudflare's control panel. If you switch to Proxied, Cloudron won't overwrite flag during future DNS operations (there is special code for this)

      The default is chosen for various reasons:

      • Email server does not work with cloudflare proxying since cloudflare will only proxy http. Email server is used a lot on Cloudron.

      • SFTP does not work

      • A typical support request we get is people trying to SSH into the server as ssh root@my.domain.com and then telling us the server is unreachable. We have to then tell them it's because of cloudflare proxying.

      • Many users (of cloudflare) don't understand the implications of proxying i.e all traffic goes via Cloudflare now and Cloudflare can read it. Whether this is a privacy issue or not, is entirely based on whether you trust Cloudflare.

      With this in mind, we decided it's not our decision to make and it's best if customer makes this choice explicitly by themselves instead of us doing this auto-magically. Maybe, we can add an option to turn this on in Cloudron's control panel (if only for convenience)? I am open to other ideas.

      marcusquinnM 1 Reply Last reply
      3
      • girishG girish

        @marcuswquinn Yes, the default setup is simply to setup the DNS to point to the server IP. One can enable provider specific options like Proxied mode, WAF etc from the Cloudflare's control panel. If you switch to Proxied, Cloudron won't overwrite flag during future DNS operations (there is special code for this)

        The default is chosen for various reasons:

        • Email server does not work with cloudflare proxying since cloudflare will only proxy http. Email server is used a lot on Cloudron.

        • SFTP does not work

        • A typical support request we get is people trying to SSH into the server as ssh root@my.domain.com and then telling us the server is unreachable. We have to then tell them it's because of cloudflare proxying.

        • Many users (of cloudflare) don't understand the implications of proxying i.e all traffic goes via Cloudflare now and Cloudflare can read it. Whether this is a privacy issue or not, is entirely based on whether you trust Cloudflare.

        With this in mind, we decided it's not our decision to make and it's best if customer makes this choice explicitly by themselves instead of us doing this auto-magically. Maybe, we can add an option to turn this on in Cloudron's control panel (if only for convenience)? I am open to other ideas.

        marcusquinnM Offline
        marcusquinnM Offline
        marcusquinn
        wrote on last edited by
        #3

        @girish I seeeeee! You've thought all this through before! OK, I learned new things from your explanation.

        Prob one just for the documentations then unless you think a per-App setting would be easy enough? It's only saving going into Cloudflare to delete and re-add the records but then my next research is going to be into https://dnsmadeeasy.com.

        TBH as I think Cloudflare is more a pied-piper following for their good marketing than for the essentials that are often better handled at the host (like Anti-DDoS, for which I do like Hetzner covering on the network level).

        Web Design & Development: https://www.evergreen.je
        Technology & Apps: https://www.marcusquinn.com

        1 Reply Last reply
        1
        • jimcavoliJ Offline
          jimcavoliJ Offline
          jimcavoli
          App Dev
          wrote on last edited by
          #4

          Figured it'd be better to revive this thread than to start a new one at the moment, but given the split of box vs app concerns, and the new addition of being able to separate the mail server from the my subdomain, it seems more likely that the option to check a box for setting up proxied records could be added for the cloudflare dns provider.

          girishG 1 Reply Last reply
          2
          • jimcavoliJ jimcavoli

            Figured it'd be better to revive this thread than to start a new one at the moment, but given the split of box vs app concerns, and the new addition of being able to separate the mail server from the my subdomain, it seems more likely that the option to check a box for setting up proxied records could be added for the cloudflare dns provider.

            girishG Offline
            girishG Offline
            girish
            Staff
            wrote on last edited by
            #5

            @jimcavoli Yes, I think that's a good idea. Can you open a new thread in https://forum.cloudron.io/category/97/feature-requests ?

            mehdiM jimcavoliJ 2 Replies Last reply
            0
            • girishG girish

              @jimcavoli Yes, I think that's a good idea. Can you open a new thread in https://forum.cloudron.io/category/97/feature-requests ?

              mehdiM Offline
              mehdiM Offline
              mehdi
              App Dev
              wrote on last edited by
              #6

              @girish if you guys decide to implement a checkbox for this, I strongly suggest a warning message to warn the users that Cloudflare will be able to read all their traffic.

              1 Reply Last reply
              3
              • girishG girish

                @jimcavoli Yes, I think that's a good idea. Can you open a new thread in https://forum.cloudron.io/category/97/feature-requests ?

                jimcavoliJ Offline
                jimcavoliJ Offline
                jimcavoli
                App Dev
                wrote on last edited by
                #7

                @girish Done - https://forum.cloudron.io/topic/3777/support-optional-cloudflare-proxied-record-creation

                1 Reply Last reply
                1
                Reply
                • Reply as topic
                Log in to reply
                • Oldest to Newest
                • Newest to Oldest
                • Most Votes


                • Login

                • Don't have an account? Register

                • Login or register to search.
                • First post
                  Last post
                0
                • Categories
                • Recent
                • Tags
                • Popular
                • Bookmarks
                • Search