Cloudflare – Server Gigabit Guide
https://www.servergigabit.com/guide
VPS Hosting | Dedicated Server
Wed, 15 Jan 2025 08:47:20 +0000

Whitelist Cloudflare IP addresses
https://www.servergigabit.com/guide/kb/whitelist-cloudflare-ip-addresses
Sun, 07 Jun 2020 17:42:09 +0000

Changing your name servers to Cloudflare routes traffic through Cloudflare for any orange-clouded DNS records in the Cloudflare DNS app.
As a result, your origin web server receives traffic from Cloudflare IP addresses, because Cloudflare acts as a reverse proxy. Blocking or rate limiting Cloudflare connections prevents visitor traffic from reaching your website. To avoid blocking Cloudflare IPs unintentionally, check that:

  • Your origin web server iptables are set to trust Cloudflare IPs.
  • Bad Behavior or mod_security is up to date.
  • Your .htaccess file whitelists Cloudflare IPs.
  • Any security plugins, such as WordPress security plugins, whitelist Cloudflare IPs.

For Cloudflare to send visitor requests to your origin web server, whitelist Cloudflare IP addresses at your origin web server. Contact your hosting provider or website administrator if you have questions.
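An added example, not part of the original article: a Python audit that flags origin-side block rules (iptables and .htaccess) overlapping Cloudflare address ranges, then renders matching iptables allow rules. The range list is a small sample subset, the rule lines are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Sample subset of Cloudflare's published ranges, embedded so the example runs
# offline. Assumption: load the current full list before relying on the result.
CLOUDFLARE_RANGES = ["173.245.48.0/20", "104.16.0.0/13", "2606:4700::/32"]

# Constructed origin rules: `iptables -S` style lines and .htaccess directives.
SAMPLE_RULES = """\
-A INPUT -s 198.51.100.0/24 -j DROP
-A INPUT -s 173.245.58.124/32 -j DROP
-A INPUT -s 104.0.0.0/8 -p tcp --dport 443 -j REJECT
-A INPUT -s 203.0.113.7/32 -j ACCEPT
Require not ip 192.0.2.15
Deny from 2606:4700:10::/48 203.0.113.0/24
"""

IPTABLES_BLOCK = re.compile(r"-s\s+(\S+).*?-j\s+(?:DROP|REJECT)\b")
HTACCESS_BLOCK = re.compile(r"^\s*(?:Deny\s+from|Require\s+not\s+ip)\s+(.+)$", re.I)


def parse_networks(tokens):
    """Turn address/CIDR strings into network objects, skipping non-IP tokens."""
    nets = []
    for token in tokens:
        try:
            nets.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            continue  # hostnames, "all", partial addresses: out of scope here
    return nets


def blocked_networks(line):
    """Return the networks a single rule line blocks (empty if it blocks none)."""
    m = IPTABLES_BLOCK.search(line)
    if m:
        return parse_networks([m.group(1)])
    m = HTACCESS_BLOCK.match(line)
    if m:
        return parse_networks(m.group(1).split())
    return []


def audit_rules(rule_text, cloudflare_ranges=CLOUDFLARE_RANGES):
    """List (line_no, blocked_net, cloudflare_net) for rules that hit Cloudflare."""
    cf_nets = parse_networks(cloudflare_ranges)
    findings = []
    for line_no, line in enumerate(rule_text.splitlines(), start=1):
        for blocked in blocked_networks(line):
            for cf in cf_nets:
                # Compare only within the same address family.
                if blocked.version == cf.version and blocked.overlaps(cf):
                    findings.append((line_no, str(blocked), str(cf)))
    return findings


def allow_rules(cloudflare_ranges=CLOUDFLARE_RANGES, ports="80,443"):
    """Render iptables/ip6tables ACCEPT rules for web traffic from Cloudflare."""
    rules = []
    for net in parse_networks(cloudflare_ranges):
        tool = "iptables" if net.version == 4 else "ip6tables"
        rules.append(
            f"{tool} -I INPUT -p tcp -m multiport --dports {ports} -s {net} -j ACCEPT"
        )
    return rules


if __name__ == "__main__":
    for line_no, blocked, cf in audit_rules(SAMPLE_RULES):
        print(f"line {line_no}: {blocked} blocks Cloudflare range {cf}")
    print("\n".join(allow_rules()))
```

A block wider than the Cloudflare range (the /8 above) is reported as well as a single blocked address, since either one drops proxied visitor traffic.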

Related resources

  •  IP addresses with .htaccess
  •  iptables
  •  iThemes Security?
  •  Is Cloudflare compatible with Bad Behavior?
  •  What are Cloudflare’s IPs?

What is Cloudflare Dashboard?
https://www.servergigabit.com/guide/kb/what-is-cloudflare-dashboard
Sun, 07 Jun 2020 17:41:43 +0000

Cloudflare Dashboard

The Cloudflare Dashboard manages account and domain settings. Key dashboard features include:

  • Control Cloudflare features,
  • Gain insights into domain security and caching analytics
  • Share account access to additional users, and
  • Configure settings from any device via our flexible dashboard design.

All Cloudflare plans allow sharing account access with additional users. Additionally, Enterprise plans allow Administrators to create Multi-User accounts. This allows each user to edit only those Cloudflare settings applicable to their role.

The Cloudflare dashboard requires a web browser that supports TLS 1.2 or newer. The Cloudflare dashboard isn’t supported on browser versions older than IE 10.

Summary of Cloudflare dashboard apps

The Cloudflare dashboard contains several apps focused on optimizing security, improving performance, enhancing site reliability, and providing data insights. The information below summarizes the utility of each dashboard app:

Overview

Provides the following functionalities:

  • Summarizes site analytics
  • Displays notifications
  • Links to common quick actions
  • Summarizes plan extensions and add-on features
  • Provides API authentication details, including Zone ID and Account ID
  • Allows changing domain plans
  • Allows removing a site from Cloudflare
Analytics

Monitor statistics and trends on:

  • Visitor traffic
  • DNS request handling
  • Threat detection
  • Performance
DNS:
  • Manage a domain’s DNS records
  • Select which A or CNAME records to proxy to Cloudflare
  • Find the Cloudflare nameservers assigned to your domain
Spectrum:
  • Protect all TCP/UDP ports from layer 3 and 4 Denial-of-Service attacks
  • Stop traffic snooping by enabling TLS encryption for TCP services
Crypto:
  • Manage Cloudflare’s SSL certificate products
  • Adjust browser supportability by modifying TLS and encryption settings
  • Redirect all HTTP requests to secure HTTPS
Firewall:
  • Block or allow traffic based on IP address, IP range, country, or user agent
  • Set rate limits and restrict specific URL access to specific IPs
  • Adjust OWASP and WAF Rule settings
  • Evaluate visitor’s HTTP headers for threats
Access:
  • Eliminate VPNs without requiring changes at your origin
  • Protect internal resources by requiring authentication
  • Control which users and groups have access to sensitive resources
  • Review access logs
Speed:
  • Improve load time on mobile devices that use slow networks
  • Compress images to accelerate page load
  • Accelerate site speed by minifying the size of your origin source code
  • Defer loading JavaScript until after your site is rendered
Caching:
  • Adjust caching level
  • Purge cached files from all Cloudflare data centers
  • Tell Cloudflare what to cache and set browser cache expiration
Workers:
  • Run JavaScript applications in a serverless execution environment
  • Scale applications without spending effort on infrastructure or operations
  • Build granular control into requests and responses
Page Rules:
  • Provides granular control for many Cloudflare settings based on a matching URL
  • Cache static HTML
Network:
  • Toggle features that enhance network performance such as HTTP/2 and QUIC.
Traffic:
  • Reduce latency and connection errors
  • Protect origin web servers from IP address exposure and attack
  • Balance traffic and prevent disruptions
Stream:
  • Encode, store, and deliver your videos
  • Automatically optimize format and bitrate for every device and network
Custom Pages:
  • Create custom error pages for IP blocks, WAF blocks, HTTP 5XX errors, Cloudflare HTTP 1XXX errors, and more
Apps:
  • Preview and install a wide range of apps that enhance your site’s security, performance, analytics, design, etc.
ScrapeShield:
  • Protect sensitive information from spammers and bots
  • Obfuscate email addresses to prevent bot scraping
  • Prevent image hotlink abuse from unapproved sites

Create Cloudflare account and add a website
https://www.servergigabit.com/guide/kb/create-cloudflare-account-and-add-a-website
Sun, 07 Jun 2020 17:40:27 +0000

To experience the benefits of Cloudflare, first create a Cloudflare account and add a domain to Cloudflare. When you create a new Cloudflare account, adding an initial domain is included in the workflow.

 


Create a Cloudflare account

  1. Visit https://dash.cloudflare.com/sign-up to sign-up.
  2. Enter your Email address and Password.
  3. Click Create Account. Use an email alias or distribution list, for example cloudflare@example.com, so that billing and service-related email notifications are sent to this address.
  4. The Cloudflare UI asks you to add a site to Cloudflare.

Add a domain to Cloudflare

If you add a new domain while in the workflow of creating a new account,  skip to step 3 below.

  1. Log in to your Cloudflare account.
  2. Click on Add site from the top navigation bar.
  3. Enter your website’s root domain and then click Add Site. For example, if your website is www.example.com, type example.com.
  4. Cloudflare attempts to automatically identify your DNS records. This process takes approximately 60 seconds to complete.
  5. Click Next.
  6. Select a plan level and click Confirm plan.
  7. Click Confirm in the Confirm Plan window that appears.
  8. Review whether all DNS records were identified in the DNS query results window.
    • Manually add missing DNS records.
    • Decide which subdomains enable Cloudflare security and performance features (orange cloud) or bypass Cloudflare (grey cloud).

Some records, like MX, cannot proxy through Cloudflare and don’t display a Cloud icon.

  9. Click Continue.
  10. Copy the 2 Cloudflare nameservers displayed and click Continue.
  11. To finish domain setup and activate your domain on Cloudflare, change your domain nameservers to Cloudflare.

How does Cloudflare work?
https://www.servergigabit.com/guide/kb/how-does-cloudflare-work
Sun, 07 Jun 2020 17:38:56 +0000

More than just Content Delivery Network (CDN) services, customers rely on Cloudflare’s global network to enhance security, performance and reliability of anything connected to the Internet.

Cloudflare is designed for easy setup. Anyone with a website and their own domain can use Cloudflare regardless of their platform choice. Cloudflare doesn’t require additional hardware, software, or changes to your code.


Security

 

Cloudflare stops malicious traffic before it reaches your origin web server. Cloudflare analyzes potential threats in visitor requests based on a number of characteristics:

  • visitor’s IP address,
  • resources requested,
  • request payload and frequency, and
  • customer-defined firewall rules.

 

Performance

Cloudflare optimizes the delivery of website resources for your visitors. Cloudflare’s data centers serve your website’s static resources and ask your origin web server for dynamic content. Cloudflare’s global network provides a faster route from your site visitors to our data centers than would be available to a visitor directly requesting your site. Even with Cloudflare between your website and your visitors, resource requests arrive to your visitor sooner.

Reliability

Cloudflare’s globally distributed anycast network routes visitor requests to the nearest Cloudflare data center.  Cloudflare distributed DNS responds to website visitors with Cloudflare IP addresses for traffic you proxy to Cloudflare.  This also provides security by hiding the specific IP address of your origin web server.

Cloudflare-proxied domains share IP addresses from a pool that belongs to the Cloudflare network. As a result, Cloudflare does not offer dedicated or exclusive IP addresses. To reduce the number of Cloudflare IPs that your domain shares with other Cloudflare customer domains, upgrade to a Business or Enterprise plan and upload a Custom SSL certificate.

Cloudflare DNS (Domain Name Systems) (FAQ)
https://www.servergigabit.com/guide/kb/cloudflare-dns-domain-name-systems-faq
Sun, 07 Jun 2020 17:37:20 +0000

Where can I learn more about DNS?

Please visit the Cloudflare Learning Center DNS guides.

 


Is Cloudflare a free DNS (domain nameserver) provider?

Cloudflare offers free DNS services to customers in all plans. Note that:

1. You do not need to change your hosting provider to use Cloudflare.

2. You do not need to move away from your registrar. The only change you make with your registrar is to point the authoritative nameservers to the Cloudflare nameservers.

As of October 2018, you can transfer your domain to Cloudflare Registrar.

 


Does Cloudflare charge for or limit DNS queries?

Cloudflare’s authoritative DNS services are free of charge and Cloudflare does not limit DNS queries for a domain on the Cloudflare network.

 


How fast is Cloudflare’s free DNS service?

Cloudflare is the fastest DNS provider in the world, with the fastest speed overall for any DNS provider.

 


How many DNS records can I have per domain?

The limits per domain are as follows:

  • 3,500 DNS records for domains in the Pro, Business, and Enterprise plans
  • 1,000 DNS records for Free domains

If you’re an Enterprise customer and would like to add more than the limit for a domain, contact us describing the use case and the need for more record types.

 


Where do I change my nameservers to point to Cloudflare?

Make the change at your registrar, which may or may not be your hosting provider. If you don’t know who your registrar is for the domain, you can find this by doing a WHOIS search. Follow the instructions in our support guide to change nameservers to Cloudflare.

 


Can I use Cloudflare without changing my nameservers to Cloudflare?

Changing your nameservers to Cloudflare is what allows us to fully proxy and provision a site. If you can’t change to our nameservers, you have two options:

1. Activate Cloudflare through one of our certified hosting partners.

2. Ask for a CNAME setup.

 


How long does it take for a DNS change I made to push out?

The Cloudflare DNS default Time-To-Live (TTL) is 300 seconds (5 minutes). Any changes or additions you make to your Cloudflare zone file will push out in 5 minutes or less. Note that your local DNS cache may take longer to update; as such, propagation everywhere might take longer than 5 minutes.

 


Does Cloudflare support IPv6 DNS entries?

IPv6 needs to be added as an AAAA record, not an A record, in your DNS app settings.

See also:

  • Adding AAAA records
  • Cloudflare offers a free IPv6 Gateway to all customers

 


Can I use Cloudflare with a Blogger.com domain?

You can use Cloudflare with any custom domain (yoursitename.com) for which you have control over managing its authoritative DNS.

 


Does Cloudflare offer domain masking?

Cloudflare does not offer domain masking or DNS redirect services (your hosting provider might). We only offer URL forwarding through Page Rules.

 


Can I CNAME a domain not on Cloudflare to a domain that is on Cloudflare?

Using a CNAME to redirect traffic for a domain not on Cloudflare to a domain that is on Cloudflare creates a DNS resolution error. Since Cloudflare is a reverse proxy for the domain that is on Cloudflare, the CNAME redirect for the domain (not on Cloudflare) wouldn’t know where to send the traffic to.

If you would still like to do a redirect for the site not on Cloudflare, then you should establish a traditional 301 or 302 redirect on your origin web server.

 


Can I use add-on domains with Cloudflare?

Add-on domains are technically different domains that point to another “main” domain server.

From a Cloudflare perspective, however, the domains are looked at as unique entities, which means that you would have to add each domain separately.

Cloudflare treats each of the following as a separate domain:

  • example1.com
  • example2.com
  • example3.com

Each domain needs to be added separately to your Cloudflare account, and may have a separate plan level, from Free to Enterprise. There’s no limit on the number of domains in a Cloudflare account. If you have hundreds or thousands, as some customers do, you’ll want to know how to use the Cloudflare API v4.

All subdomains are included, so these would all be considered one domain for Cloudflare plans:

  • example1.com
  • www.example1.com
  • blog.example1.com
  • store.example1.com

 


Does Cloudflare support wildcard DNS entries?

Cloudflare supports the wildcard ‘*’ record for DNS management in all customer plans. Enterprise customers get full proxy support for wildcard records.

Free, Pro and Business plans.

Cloudflare does not proxy wildcard records; therefore, wildcard subdomains are served directly without any Cloudflare performance, security, or apps. As a result, wildcard domains get no cloud (orange or grey) in the Cloudflare DNS app. If you are adding a `*` CNAME or A record, you need to make sure the record is grey clouded in order for the record to be created.

To get Cloudflare protection on a subdomain covered by the wildcard (for example: www), you need to define that record explicitly in your Cloudflare DNS settings. First, log into your Cloudflare account and click the DNS app. In this example, you would add “www” as its own CNAME record in your Cloudflare DNS settings and toggle the cloud to orange so that Cloudflare’s proxy is enabled.

Cloudflare Enterprise customers can proxy wildcard records. To learn more about the Enterprise plan, contact us.

Wildcards are only valid in the left-most subdomain label. For example, it’s not possible to add sub.*.example.com, but it’s possible to add *.sub.example.com.

 


Why can’t I make ANY queries to Cloudflare DNS servers?

ANY queries are special and often misunderstood. They are usually used to get all record types available on a DNS name, but what they return is just any type in the cache of recursive resolvers. This can cause confusion when they are used for debugging.

Because of Cloudflare’s many advanced DNS features like CNAME flattening, it can be complex and even impossible to give correct answers to ANY queries. For example, when DNS records dynamically come and go or are stored remotely, it can be taxing or even impossible to get all the results at the same time.

ANY is rarely used in production, but is often used in DNS reflection attacks, taking advantage of the lengthy answer returned by ANY.

Instead of using ANY queries to list records, Cloudflare customers can get a better overview of their DNS records by logging in and checking their DNS app settings.

The decision to block ANY queries was implemented for all Authoritative DNS customers in September 2015, and does not affect Virtual DNS customers.

Read Deprecating the DNS ANY meta-query type in the Cloudflare blog.

 


Why do I have to remove my DS record when signing up for Cloudflare?

Cloudflare supports DNSSEC. If a DS record is present at your registrar while using Cloudflare, you will run into connectivity errors such as SERVFAIL when using a validating resolver like Google and noError from non-validating ones.

Here is an example of what an error would look like:

    ╰─➤ dig dnssec-failed.org @8.8.8.8

    <<>> DiG 9.8.3-P1 <<>> dnssec-failed.org @8.8.8.8
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5531
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;dnssec-failed.org. IN A

With DNSSEC support, Cloudflare provides the DS record that must be uploaded to your parent when you enable DNSSEC for your domain.

 


What happens when I remove the DS record?

When you remove your DS record, an invalidation process begins which results in the unsigning of your domain’s DNS records. This will allow your authoritative nameservers to be changed. If you are an existing customer, this will not affect your ability to use Cloudflare. New customers will need to complete this step before Cloudflare can be used successfully.

 


Does Cloudflare support EDNS0 (extension mechanisms for DNS)?

 

Yes, Cloudflare DNS supports EDNS0. EDNS0 is enabled for all Cloudflare customers. It is a building block for modern DNS implementations that adds support for signaling if the DNS Resolver (recursive DNS provider) supports larger message sizes and DNSSEC.

EDNS0 is the first approved set of mechanisms for DNS extensions, originally published as RFC 2671.

 


Which record types does Cloudflare not proxy?

LOC
MX
NS
SPF
TXT
SRV
CAA

 


What does the Automatic TTL value mean?

In the Cloudflare DNS app, changes to DNS records with an Automatic TTL will propagate in approximately 5 minutes (300 seconds).

 


What should I do if I change my server IP address or hosting provider?

After switching hosting providers or server IP addresses, update the IP addresses in your Cloudflare DNS app. Your new hosting provider will provide the new IP addresses that your DNS should use.  To modify DNS record content in the DNS app, click on the IP address, and enter the new IP address.

 


Does Cloudflare work with dynamic DNS?

Refer to Cloudflare’s article on managing dynamic IPs in Cloudflare DNS programmatically.

 


Where can I find my Cloudflare name servers?

Under the DNS app of your Cloudflare account, review the Cloudflare Nameservers.

The IP address associated with a specific Cloudflare nameserver can be retrieved via a dig command or a third-party DNS lookup tool hosted online, such as whatsmydns.net:

    dig kate.ns.cloudflare.com
    kate.ns.cloudflare.com.    68675    IN    A    173.245.58.124

 


Should the cloud icon beside my DNS record be orange or gray?

By default, only A and CNAME records that handle web traffic (HTTP and HTTPS) can be proxied to Cloudflare. All other DNS records should be toggled to a gray cloud. For further details, visit our support guide about which subdomains are appropriate to proxy to Cloudflare.

For DNS records proxied to Cloudflare, Cloudflare’s IP addresses are returned in DNS queries instead of your original server IP address. This allows Cloudflare to optimize, cache, and protect all requests for your website.
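An added example, not from the original FAQ: a Python lint that applies this page's proxy rules (proxiable record types, wildcard placement, wildcard proxying limited to Enterprise) to a zone export and flags grey-clouded records that still publish an address the zone hides behind the proxy. The zone data, record class and function names are constructed for illustration.

```python
from dataclasses import dataclass

# Types this page says can be proxied (A and CNAME web records); AAAA is the
# IPv6 counterpart of A. Everything else (MX, TXT, SRV, ...) stays grey.
PROXIABLE_TYPES = {"A", "AAAA", "CNAME"}
ADDRESS_TYPES = {"A", "AAAA"}


@dataclass(frozen=True)
class Record:
    name: str            # fully qualified, e.g. "www.example.com"
    rtype: str
    content: str         # address or target hostname
    proxied: bool = False


# Constructed zone export; 203.0.113.10 stands in for the origin server.
SAMPLE_ZONE = [
    Record("example.com", "A", "203.0.113.10", proxied=True),
    Record("www.example.com", "CNAME", "example.com", proxied=True),
    Record("mail.example.com", "A", "203.0.113.10"),
    Record("example.com", "MX", "mail.example.com"),
    Record("*.example.com", "A", "203.0.113.10", proxied=True),
    Record("sub.*.example.com", "CNAME", "example.com"),
    Record("example.com", "TXT", "v=spf1 mx ~all", proxied=True),
    Record("files.example.com", "CNAME", "files.example.com.s3.amazonaws.com"),
]


def wildcard_ok(name):
    """A '*' is valid only as the whole left-most label."""
    labels = name.rstrip(".").split(".")
    if any("*" in label for label in labels[1:]):
        return False
    return "*" not in labels[0] or labels[0] == "*"


def lint_zone(records, enterprise=False):
    """Return (name, type, issue) tuples for proxy-state problems in a zone."""
    # Addresses the zone hides behind the proxy.
    hidden = {r.content for r in records
              if r.proxied and r.rtype in ADDRESS_TYPES}
    # Grey-clouded names that publish one of those addresses anyway.
    leaking = {r.name.lower() for r in records
               if not r.proxied and r.rtype in ADDRESS_TYPES
               and r.content in hidden}
    findings = []
    for r in records:
        has_wildcard = "*" in r.name
        if has_wildcard and not wildcard_ok(r.name):
            findings.append((r.name, r.rtype, "invalid-wildcard"))
        if r.proxied and r.rtype not in PROXIABLE_TYPES:
            findings.append((r.name, r.rtype, "type-not-proxiable"))
        if r.proxied and has_wildcard and not enterprise:
            findings.append((r.name, r.rtype, "wildcard-proxy-needs-enterprise"))
        if not r.proxied and r.rtype in ADDRESS_TYPES and r.content in hidden:
            findings.append((r.name, r.rtype, "publishes-origin-address"))
        if not r.proxied and r.rtype in {"MX", "CNAME"}:
            # An unproxied pointer to a leaking name exposes the same address.
            if r.content.rstrip(".").lower() in leaking:
                findings.append((r.name, r.rtype, "points-at-leaking-name"))
    return findings


if __name__ == "__main__":
    for name, rtype, issue in lint_zone(SAMPLE_ZONE):
        print(f"{rtype:5} {name:22} {issue}")
```

The usual remedy for the two address findings is to point mail at a host with a different address than the web origin, since MX targets cannot be proxied.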

 


Can subdomains be added directly to Cloudflare?

By default, subdomains cannot be added as standalone domains in a Cloudflare account. The root domain must be added to a Cloudflare account and then subdomains are managed within the root domain. However, Enterprise customers can contact Cloudflare support and request to add subdomains directly to their Cloudflare account.

 


Can I set up a DNS record for only the root domain?

If your domain is added as a CNAME setup or is hosted through a Cloudflare hosting partner, Cloudflare cannot proxy traffic for the root domain. This is due to DNS specification (RFC) requirements. For such setups, only subdomains can be proxied to Cloudflare and not root domains.

 


Why do I see SOA record warnings?

You can ignore the warnings from third-party tools about invalid Cloudflare SOA serial numbers or out-of-range SOA Expire Values. Cloudflare automatically creates the SOA record when you move your domain to Cloudflare’s nameservers. Some Cloudflare SOA fields differ from other common DNS servers:

  • SOA Serial Number: A date format is common for most DNS servers. However, Cloudflare uses a different methodology to generate the serial numbers.
  • SOA Expire Value: The SOA Expire Value describes the duration a secondary nameserver should provide authoritative replies after losing contact with the master server. Cloudflare nameservers may use a shorter value than specified in the RFC recommendation.

 

Adding specific DNS Records to Cloudflare
https://www.servergigabit.com/guide/kb/adding-specific-dns-records-to-cloudflare
Sun, 07 Jun 2020 17:35:16 +0000

Adding DNS records for vendors

This article requires prior knowledge of DNS record management via the Cloudflare dashboard.  To learn more, refer to Cloudflare’s article on managing DNS records.

Google 

Google Apps mail

Add the following MX records:

Name  TTL   Record Type  Priority  Target
@     Auto  MX           1         ASPMX.L.GOOGLE.COM
@     Auto  MX           5         ALT1.ASPMX.L.GOOGLE.COM
@     Auto  MX           5         ALT2.ASPMX.L.GOOGLE.COM
@     Auto  MX           10        ALT3.ASPMX.L.GOOGLE.COM
@     Auto  MX           10        ALT4.ASPMX.L.GOOGLE.COM

Once added, the DNS records appear in Cloudflare’s DNS app.

 

Review the latest MX records required by Google Apps.

Test the Google Apps email configuration.

To avoid unexpected behavior, don’t use MX records other than Google’s.

Google App Engine

Add a CNAME record for Google App Engine to Cloudflare DNS.

For example, if the domain is www.example.com, the CNAME record is similar to:

www  CNAME  ghs.googlehosted.com

Confirm the CNAME record value that Google requires for the domain.

To configure a redirect for a Google Apps domain, refer to Google’s guide on URL forwarding.

Google enforces HTTPS on its services. If you see errors about redirect loops when browsing to your site through Cloudflare, ensure that SSL is set to Full in the Crypto app of the Cloudflare dashboard.

 

Google site verification

Follow Google’s instructions for adding a site verification record to Cloudflare.

Amazon

AWS nameserver updates

AWS customers must update their domain’s nameservers to point to the Cloudflare nameservers listed in the Overview app of the Cloudflare dashboard:

  1. Log into AWS.
  2. Click My Account in the top-right of the navigation bar.
  3. Select AWS Management Console from the dropdown.
  4. Click Services and select Route 53.
  5. Update nameservers in two places:
    • Click Hosted zones and select the domain to update with Cloudflare’s nameservers.
    • Edit the nameservers to point to Cloudflare’s nameservers.
    • Click Registered domains.
    • Select the domain to update with Cloudflare’s nameservers.
    • Click Add or edit name servers.

Amazon S3

Consult Amazon’s documentation on how to create an Amazon S3 bucket.

Note the full host URL assigned to the bucket.

Add a CNAME record for the AWS bucket in Cloudflare DNS. For example, if the full host URL of the bucket is files.example.com, add a CNAME record similar to the following:

files  CNAME  files.example.com.s3.amazonaws.com

Amazon requires that the CNAME match the bucket name as in the above example.

Amazon Simple Email Service (SES)

Refer to Amazon’s documentation about SES and verification settings.

Find the TXT and CNAME verification records that Amazon provides.

Add the records to Cloudflare DNS.  For example, if the Cloudflare domain is example.com, the DNS records are similar to the following:

example.com  TXT  "fmxqxT/icOYx4aA/bEUrDPMeax9/s3frblS+niixmqk="
verificationstring._domainkey.example.com  CNAME  verificationstring.dkim.amazonses.com

The above TXT record content is an example. Use the correct content provided by Amazon SES.

Amazon ELB (Elastic Load Balancing)

Refer to Amazon’s ELB help content for guidance on ELB configuration at Amazon.

Cloudflare’s CNAME Flattening feature enables a CNAME record on the root domain to point to an Elastic Load Balancer.

  1. Add a CNAME record to Cloudflare for the hostname; for example: elb
  2. In the Cloudflare DNS app, replace Domain name with the ELB target. <AWS hostname>.<region>.elb.amazonaws.com is the proper CNAME target format (for example: my-cool-cachepp-1344276401.eu-west-1.elb.amazonaws.com).
  3. Reach out to AWS support to determine AWS hostname or region.

Microsoft

Microsoft Office 365, Lync, or Exchange Online

Refer to the documentation on Microsoft Office DNS setup for current details.

Additionally, refer to Cloudflare’s documentation on managing DNS records.

Add the DNS records that Microsoft utilizes for domain validation (such as autodiscover) with a grey-cloud icon.

Azure

Follow Microsoft’s instructions on configuring Azure DNS settings.

Add Azure’s required records to Cloudflare DNS.

For example, if the domain is example.com, the record format is similar to:

example.com  A  203.0.113.1
www.example.com  CNAME  example.azurewebsites.net

Replace 203.0.113.1 with the actual IP address of the Azure site.

For verification records, refer to Azure’s documentation on creating domain verification records.

Add DNS records for Azure verification with a grey-cloud icon.

Miscellaneous vendors

 

ClickFunnels

You can configure Cloudflare to work with ClickFunnels.  The process requires updating your Cloudflare DNS settings.

The following articles from ClickFunnels outline how to best configure the two services for your site:

  • Adding a Cloudflare subdomain
  • Cloudflare CNAME record
Zoho

Reference Zoho’s MX documentation and SPF documentation before adding DNS records to Cloudflare.

See the examples below for adding proper Zoho DNS records to Cloudflare. In all examples, replace example.com with the actual domain name:

  • Add Zoho MX records:
example.com  MX  mx.zohomail.com (set Priority to 10)
example.com  MX  mx2.zohomail.com (set Priority to 20)
  • (Optional) Add an SPF record:
example.com  TXT  v=spf1 mx include:zoho.com ~all
  • (Optional) To access mail through a custom Zoho URL, add a CNAME record:
mail  CNAME  business.zoho.com
  • (Optional) To add a Zoho domain validation record:
zb******** CNAME  business.zoho.com

The zb record is unique for each domain. Add the unique zb verification code provided by Zoho.

Unbounce

Refer to Unbounce’s documentation to determine the CNAME record to add to Cloudflare.

Add the CNAME record with a grey-cloud icon if Cloudflare is activated via one of our hosting partners.

SendGrid

Confirm which records SendGrid requires you to set in Cloudflare’s DNS.

Typically, the DNS records are similar to the list below. Replace example.com with the actual domain name:

email  CNAME  sendgrid.net
example.com  SPF  v=spf1 a mx include:sendgrid.net ~all
example.com  TXT  v=spf1 a mx include:sendgrid.net ~all
smtpapi._domainkey.EXAMPLE.com  CNAME  dkim.sendgrid.net.
smtpapi._domainkey.e.EXAMPLE.COM  CNAME  dkim.sendgrid.net

Add DNS records with a grey-cloud icon. SendGrid cannot verify a mail configuration when Cloudflare’s proxy is enabled.

WPEngine
  • Consult WPEngine’s documentation on DNS configuration.
  • Determine whether to add an A or CNAME record to Cloudflare DNS:
    Finding your IP address at WP engine
  • Consult Cloudflare’s documentation on Managing DNS records for details on adding the records.
Ning custom domain

Refer to Ning’s documentation on Custom Domains and DNS entries.

If the Ning custom domain is www.example.com, add a CNAME and an A record as follows:

www.example.com  CNAME  example.ning.com.
example.ning.com  A  208.82.16.68

Add the DNS records to Cloudflare with a grey-cloud icon until Ning verifies the domain.

After Ning verifies the domain, change the grey-cloud icon to an orange-cloud for the Ning DNS records so traffic can proxy to Cloudflare.

SmugMug

Consult SmugMug documentation for the latest details on DNS record requirements. Typically, add CNAME records for SmugMug similar to the following:

photo  CNAME  domains.smugmug.com
photos  CNAME  domains.smugmug.com

Add the DNS records to Cloudflare with a grey-cloud icon until SmugMug verifies the domain.

After SmugMug verifies the domain, it will change the grey-cloud icon to an orange-cloud for the SmugMug DNS records so traffic can proxy to Cloudflare.

Mandrill

Refer to Mandrill’s article on DNS records for the latest details on DNS record requirements.

Mandrill requires addition of SPF and DKIM records. Obtain the DNS record values from Mandrill.

Add the SPF and DKIM records as TXT records in the Cloudflare DNS app.

For example: If example.com is the Mandrill domain, then add DNS records similar to the following.

example.com  TXT  v=spf1 include:spf.mandrillapp.com ?all
mandrill._domainkey.example.com  TXT  v=DKIM1\; (values from Mandrill)

Rackspace CloudFiles

Configure Rackspace CloudFiles via CNAME record. Consult the Rackspace CloudFiles documentation.

Confirm the correct CNAME target with Rackspace support.

An example CNAME record appears as follows:

rack  CNAME  e0978.r18.cf2.rackcdn.com

The CNAME record cannot be proxied to Cloudflare since rackcdn.com is not compatible with Cloudflare.

Tumblr custom domain

Tumblr’s systems are not compatible with Cloudflare’s proxy services and Tumblr customers cannot use Cloudflare’s SSL services.

If example.com is the custom domain, add DNS records to Cloudflare similar to these below:

example.com  A  66.6.44.4
www.example.com  CNAME  domains.tumblr.com

Disable Cloudflare’s proxying for any DNS record related to Tumblr. Otherwise, Tumblr’s custom domain verifications will fail.

 

Related resources

Managing Cloudflare DNS records

CNAME Flattening

Importing and exporting DNS records https://www.servergigabit.com/guide/kb/importing-and-exporting-dns-records Sun, 07 Jun 2020 17:31:43 +0000

Steps to import or export DNS records

1. Log into the Cloudflare dashboard.

2. Click the appropriate Cloudflare account corresponding to the domain.

3. Ensure the proper domain is selected.

4. Click the DNS app.

5. At the bottom of the list of DNS Records, click Advanced.

6. Next, select one of the following actions:

a. Click Upload to import a BIND-formatted file of DNS records.

b. Click Export to download a BIND-formatted file of current records.

7. Ensure that proxying of imported DNS records is selected so that applicable CNAME and A records are automatically proxied to Cloudflare upon import.

Managing DNS records in Cloudflare https://www.servergigabit.com/guide/kb/managing-dns-records-in-cloudflare Sun, 07 Jun 2020 17:23:32 +0000

What is DNS?

DNS translates domain names to IP addresses, which is why it is often called the “phonebook of the Internet.”

 

Adding DNS records

When you first add a domain to Cloudflare, a scan of common DNS records is performed in an attempt to automatically add all of the domain’s DNS records to the Cloudflare DNS app. If you need to add records manually for a domain, follow the procedure below:

If your domain was added to Cloudflare via one of our hosting partners, manage your DNS records via the hosting partner. In this case, the Cloudflare DNS app informs customers to manage DNS outside of Cloudflare.

1. Log in to the Cloudflare dashboard.

2. Click the appropriate Cloudflare account for the domain where you will add records.

3. Ensure the proper domain is selected.

4. Click the DNS app.

5. The interface for adding DNS records appears under DNS Records.

6. Replace Name with a subdomain or the root domain.

 

Per Internet standards, Name must:

  • be 63 characters or less,
  • start with a letter,
  • end with a letter or digit,
  • and contain only letters, digits, or a hyphen as the interior characters.

Additionally, Cloudflare allows an underscore _ in the A and CNAME record Name since some modern web services support an underscore. However, Cloudflare discourages using underscores due to limited browser support.

7. (Optional) Some record types, such as A, AAAA, and CNAME, allow a customer to toggle the Cloudflare proxy on or off.  For the Cloudflare Proxy Toggle:

  • An orange cloud icon proxies traffic through Cloudflare for the DNS record Name.
  • A grey cloud icon ensures traffic for the DNS record Name is not proxied to Cloudflare.  Cloudflare still serves DNS for a grey-clouded DNS record, but no other Cloudflare features such as SSL, page rules, caching, WAF, etc. are applied.

Grey cloud icons for A, AAAA, or CNAME records will expose your origin IP address to attackers and allow them to attack your origin IP address directly even if you later proxy traffic to Cloudflare.  Direct attacks to your origin IP are only mitigated by asking your hosting provider to change your origin IP address.

8. The Type selection defaults to A records.  Expand the DNS record types in the tables below for further instructions pertaining to each record type:

To ensure visitor traffic reaches a domain, a domain requires at least an A or AAAA record to point to the origin web server IP address or a CNAME record that points to the hostname of a hosting service.

Critical DNS records for IP address resolution:

 

A

A Records are necessary to direct a visitor’s browser requests to an origin web server.

To add an A record:

1. Replace Value with a real address (Please note you cannot use a Cloudflare IP).
Example: 203.0.113.34

2. Click Add Record.

Multiple A records for the same subdomain can be added with different IP addresses. Cloudflare’s DNS will alternate requests to the various IP addresses provided. However, Cloudflare’s DNS will continue to alternate traffic to all specified IP addresses even if an IP address is unreachable.

Cloudflare Load Balancing is the recommended solution for spreading traffic across multiple IP addresses while only sending traffic to reachable IP addresses.

 

CNAME

CNAME Records are necessary to direct a visitor’s browser requests to an origin web server.  Unlike an A record, the CNAME will point to a hostname like www.example.com instead of an IP address. www.example.com would then either have an A record that lists the IP address or use another CNAME record that points to a different hostname. Eventually, a chain of CNAME records must point to a hostname that resolves to an IP address.

To add a CNAME record:

1. Replace Value with the target (destination) domain.
Example: mysite.myhost.com
Example: s3-eu-west-1.amazonaws.com

2. Click Add Record.

 

AAAA

1. Replace Value with a real address.

Example: 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff

2. Click Add Record.

 

DNS records for email and email authentication:

TXT

TXT records are commonly used for mail authentication.

Review the SPF and DKIM sections of this table for examples.

To add a TXT record:

1. Replace Value with real data.
2. Click Add Record.

 

MX

MX Records are necessary for delivery of email to a mail server. Any MX record Server name requires a corresponding A record that lists the IP address of the mail server.

To add an MX record:

1. Click on the Value field to open a popup window for supplying further MX record details:

Server is the DNS hostname of the mail server.

Priority is a relative number.
The lowest Priority number in a group of MX records will have priority over the rest.

2. Click Save.

3. Click Add Record.

A typical MX record Name is the root domain such as example.com. However, reach out to your email hosting provider to confirm the MX Name and Server details.

DKIM

There is no DKIM record type.  DKIM is instead configured as a DNS TXT record.

DKIM records can often exceed the 255-character limit for TXT records. Therefore, Cloudflare will automatically split these into multiple records at the same domain name, producing a record with a format similar to the following when queried:

default._domainkey.example.com. 299 IN TXT "v=DKIM1; k=rsa; p=<encoded public key>" "<rest of public key>;"

Remove quotation marks and spaces when adding DKIM records to your zone. Also, you do not need to prefix (escape) semicolons with a “\” character for DKIM records added to Cloudflare.

http://dkimcore.org/tools/ is a recommended online DKIM validation tool.

Some services require additional CNAME records for DKIM verification. Verification will fail for CNAME records used to verify DKIM unless there is a grey-cloud icon beside the CNAME record in the DNS app.
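The splitting described above can be checked offline. The following is an added example, not code from Cloudflare or this guide: it splits a DKIM value into 255-byte strings, rebuilds the single value from dig-style quoted output (dropping quotation marks and `\;` escapes), and compares it with the value your mail provider issued. The key material and all function names are constructed for illustration.

```python
import re

MAX_TXT_STRING = 255  # one TXT character-string carries at most 255 bytes

# Constructed placeholder, not a real key: 392 characters, the usual length of a
# base64-encoded 2048-bit RSA public key.
SAMPLE_VALUE = "v=DKIM1; k=rsa; p=" + "QUJD" * 98


def split_txt(value):
    """Split a long TXT value into strings of at most 255 bytes each."""
    data = value.encode("ascii")
    return [data[i:i + MAX_TXT_STRING].decode("ascii")
            for i in range(0, len(data), MAX_TXT_STRING)]


def to_presentation(chunks):
    """Render the strings the way a DNS query tool prints them: "a" "b"."""
    return " ".join(f'"{chunk}"' for chunk in chunks)


def join_txt(presentation):
    """Rebuild the single value from quoted strings, as you would paste it into the zone."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', presentation)
    if not parts:
        raise ValueError("no quoted strings found")
    # Only simple backslash escapes such as \; are undone here (not \DDD forms).
    return "".join(re.sub(r"\\(.)", r"\1", part) for part in parts)


def parse_dkim(value):
    """Parse the tag=value pairs of a DKIM key record, ignoring whitespace in values."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            key, val = item.split("=", 1)
            tags[key.strip()] = "".join(val.split())
    return tags


def matches_published(provider_value, dns_answer):
    """True when the published (possibly split) record equals the provider's value."""
    return parse_dkim(provider_value) == parse_dkim(join_txt(dns_answer))


if __name__ == "__main__":
    answer = to_presentation(split_txt(SAMPLE_VALUE))
    print([len(chunk) for chunk in split_txt(SAMPLE_VALUE)])
    print("published key matches:", matches_published(SAMPLE_VALUE, answer))
```
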

SPF

1. Replace Value with real data.

DNS specifications have deprecated the SPF record type in favor of TXT records.

Although Cloudflare and most other DNS providers support the dedicated SPF record type, some DNS clients may instead look for a TXT record.

Add both an SPF record and a TXT record to your domain to ensure backwards compatibility.

SPF content as a TXT record will look similar to the following:

TXT @ v=spf1 include:example.net -all

 

Further details on SPF record syntax can be found at openspf.org. Contact your mail provider about SPF record content if you observe SPF failures in your email headers or if your mail is undeliverable.

DMARC

Domain-based Message Authentication, Reporting & Conformance (DMARC) allows an email recipient to know if the email is protected by SPF and/or DKIM. DMARC describes how the email recipient should process the email if neither of those authentication methods passes.

There is no DMARC record type.  DMARC is instead configured as a DNS TXT record.

To learn more about DMARC records, visit the DMARC project.

 

Specialized DNS records:

CAA

1. Replace Value with real data.

SRV

1. Click on the Value field to open a popup window for supplying SRV record details.

2. Create the SRV name. For example:

Service: _xmpp-client
Protocol: tcp
Name: yourdomain.com

3. Click Save. Cloudflare will combine the Service, Protocol, and Name fields to create the SRV record name.

4. A new window will appear requesting to add the SRV content.

5. Add the SRV content. For example:

Priority: 5
Weight: 0
Port: 5222
Target: talk.l.google.com

6. Click Save.

Using the example data above, a DNS query for the SRV record would return the following response:

_xmpp-client._tcp.yourdomain.com. IN SRV 5 0 5222 talk.l.google.com.

PTR

For proxied domains, Cloudflare responds to DNS queries with its own shared, dynamic IP addresses.  Therefore, PTR records cannot be added to Cloudflare.

The PTR record option shown in the DNS Records dropdown is not for adding PTR records for Reverse DNS resolution.  It is instead for adding a PTR Record to the Forward DNS resolution for the domain. PTR in Forward DNS is allowed under the DNS specification.

The main reason to have a PTR record is to prevent emails from ending up in spam folders. Since Cloudflare doesn’t support email traffic by default, you would instead need to set the PTR record where your email server is located.  Please reach out to your email provider for assistance.

Customers with Enterprise domains using Cloudflare’s DNS Firewall feature can request assistance from Cloudflare Support with updating PTR records.

SOA

There is no need to configure SOA records when using Cloudflare’s nameservers as the authoritative nameservers. Cloudflare automatically creates the SOA record when you migrate your domain to Cloudflare.

Cloudflare can proxy certain DNS records.

 


Deleting DNS records

 

1. Log in to the Cloudflare dashboard.

2. Click the appropriate Cloudflare account for the domain where you will delete records.

3. Ensure the proper domain is selected.

4. Click the DNS app.

5. Under DNS Records, click X to delete a specific DNS record.

Warning about exposing your origin IP address https://www.servergigabit.com/guide/kb/warning-about-exposing-your-origin-ip-address Sun, 07 Jun 2020 17:11:37 +0000

Overview

When you have grey-clouded DNS records, Cloudflare may warn you that your DNS records might reveal your origin server’s IP address. This is most common with A, AAAA, CNAME, and MX DNS records.

When your DNS records are orange-clouded, Cloudflare speeds up and protects your site.

A dig query against your orange-cloud root domain returns a Cloudflare IP address. This way, your origin server’s IP address remains concealed from the public. Remember that orange cloud benefits only apply to HTTP traffic.

Under certain circumstances, the DNS Records panel in the Cloudflare dashboard DNS app displays a warning whenever you have grey-clouded DNS records that may expose your origin server’s IP address. This warning does not block, or in any way affect, traffic destined to your site.

When your server’s IP address is exposed, your server is more vulnerable to direct attacks.

Below are two cases where you might see an IP exposure warning from Cloudflare.

 


Case 1 – DNS records that should be orange-clouded

If you see the following warning:

This record is exposing your origin server’s IP address. To hide your origin IP address, and increase your server security, click on the grey cloud to change it to orange.

Cloudflare recommends orange-clouding the record so that any dig query against that record returns a Cloudflare IP address and your origin server IP address remains concealed from the public.

To take advantage of Cloudflare’s performance and security benefits, we recommend you orange-cloud DNS records that handle HTTP traffic, including A, AAAA, and CNAME. Do not orange-cloud MX records.

 


Case 2 – DNS records that need to be grey-clouded

When you have a grey-clouded A, AAAA, CNAME, or MX record pointing to the same origin server hosting your site, Cloudflare displays one of the following warnings:

An A, AAAA, CNAME, or MX record is pointed to your origin server exposing your origin IP.

This record is exposing your origin server’s IP address, potentially exposing it to denial of service.

Wildcard “*” DNS records can only be proxied to Cloudflare for domains on the Enterprise plan. For all other plans, a wildcard DNS record reveals the origin IP.

A dig query against these records reveals your origin server’s IP address. This information makes it easier for potential attackers to target your origin server directly.

However, there are times when some of your DNS records need to remain grey-clouded. For example:

  • MX records must be grey-clouded because email isn’t routed via HTTP; otherwise, email routing won’t work
  • When you have to host multiple services (for example, a website and email) on the same physical server

To mitigate this risk, we recommend that you:

  • Host your email service in a server (in-house or external) that is different from your site’s origin server
  • Analyze the impact of hosting multiple services on the same origin server in cases when having grey-clouded DNS records can’t be avoided
  • Orange-cloud all records that share the same origin IP address as your root domain and can be safely proxied through Cloudflare
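To find the records that Case 2 describes before an attacker does, a zone's record list can be audited offline. This is an added example, not part of the original guide or any Cloudflare tool: it reports every grey-clouded A, AAAA, CNAME, or MX record whose public answer reveals an address that an orange-clouded record is meant to hide. The record layout, sample zone, and function names are constructed assumptions.

```python
from ipaddress import ip_address

# Constructed sample zone (documentation address ranges). "proxied" is True for an
# orange-cloud record and False for a grey-cloud one; the dict layout is an assumption.
RECORDS = [
    {"name": "example.com", "type": "A", "content": "203.0.113.34", "proxied": True},
    {"name": "www.example.com", "type": "CNAME", "content": "example.com", "proxied": True},
    {"name": "mail.example.com", "type": "A", "content": "203.0.113.34", "proxied": False},
    {"name": "example.com", "type": "MX", "content": "mail.example.com", "proxied": False},
    {"name": "ftp.example.com", "type": "CNAME", "content": "example.com", "proxied": False},
    {"name": "status.example.com", "type": "A", "content": "198.51.100.7", "proxied": False},
    {"name": "example.com", "type": "TXT", "content": "v=spf1 mx -all", "proxied": False},
]


def _norm(name):
    return name.rstrip(".").lower()


def hidden_origin_ips(records):
    """Addresses behind orange-clouded A/AAAA records: the ones meant to stay private."""
    return {ip_address(r["content"]) for r in records
            if r["proxied"] and r["type"] in ("A", "AAAA")}


def visible_ips(name, records, seen=None):
    """Addresses a public lookup of `name` reveals, following in-zone CNAME targets."""
    seen = set() if seen is None else seen
    name = _norm(name)
    if name in seen:  # guard against CNAME loops
        return set()
    seen.add(name)
    found = set()
    for r in records:
        if _norm(r["name"]) != name or r["proxied"]:
            continue  # proxied records answer with Cloudflare addresses
        if r["type"] in ("A", "AAAA"):
            found.add(ip_address(r["content"]))
        elif r["type"] == "CNAME":
            found |= visible_ips(r["content"], records, seen)
    return found


def exposure_findings(records):
    """List (name, type, [ips]) for grey-clouded records that reveal a hidden origin IP."""
    origin = hidden_origin_ips(records)
    findings = []
    for r in records:
        if r["proxied"] or r["type"] not in ("A", "AAAA", "CNAME", "MX"):
            continue
        if r["type"] in ("A", "AAAA"):
            leaked = {ip_address(r["content"])} & origin
        else:  # CNAME and MX reveal whatever their target name resolves to
            leaked = visible_ips(r["content"], records) & origin
        if leaked:
            findings.append((_norm(r["name"]), r["type"], sorted(str(ip) for ip in leaked)))
    return findings


if __name__ == "__main__":
    for name, rtype, ips in exposure_findings(RECORDS):
        print(f"{rtype:5} {name} reveals origin {', '.join(ips)}")
```

In the sample, the grey-clouded `ftp` CNAME is not reported because its target is itself orange-clouded, while the mail host and the MX record pointing at it are.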

Certification Authority Authorization (CAA) FAQ https://www.servergigabit.com/guide/kb/certification-authority-authorization-caa-faq Sun, 07 Jun 2020 17:11:00 +0000

What is CAA?

A Certification Authority Authorization (CAA) record allows domain owners to restrict issuance to specified Certificate Authorities (CAs). CAA records prevent CAs from issuing certificates under certain circumstances.  Refer to RFC 6844 for further details.

 

How does Cloudflare evaluate CAA records?

CAA records are evaluated by a CA, not by Cloudflare.

Setting a CAA record to specify one or more particular CAs has no effect on which CA(s) Cloudflare will use to issue a Universal or Dedicated SSL certificate for your domain.

 

Why must I disable Universal SSL if my CAA records exclude Universal SSL issuance?

Since Universal SSL certificates are shared between customers, your CAA records may prevent issuance of another customer’s Universal SSL. Therefore, Cloudflare must disable Universal SSL for your domain to ensure your CAA records do not affect another customer.

CAA records are automatically added for the Universal SSL CA providers comodoca.com, digicert.com, and letsencrypt.org if Cloudflare’s Universal SSL is enabled for your domain.

If you do not require Universal SSL from Cloudflare, disable Universal SSL in the Crypto app.

Disabling Universal SSL will leave your Cloudflare-enabled DNS records without SSL support unless you have uploaded a custom SSL certificate (requires Business or Enterprise plan).

What records are added to keep Universal SSL enabled?

The following DNS records are automatically set if you continue to use Cloudflare’s free Universal SSL certificates:

example.com. IN CAA 0 issue "comodoca.com"
example.com. IN CAA 0 issue "digicert.com"
example.com. IN CAA 0 issue "letsencrypt.org"
example.com. IN CAA 0 issuewild "comodoca.com"
example.com. IN CAA 0 issuewild "digicert.com"
example.com. IN CAA 0 issuewild "letsencrypt.org"

Do not use the Only allow wildcards option for the root record (which returns only issuewild records) for any domain that will use Cloudflare’s Universal SSL.

Used alone, issuewild only permits wildcard issuance.  Therefore, Cloudflare cannot add your root domain to the certificate unless you specify the Allow wildcards and specific hostnames option in the Tag dropdown.
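Before tightening CAA records, it helps to check whether the resulting set still covers the CAs this page lists for Universal SSL. The following is an added example, not Cloudflare code: it parses CAA lines in the format shown above and reports which listed CAs are missing for hostname (`issue`) and wildcard (`issuewild`) issuance. The CA list is copied from this page and may change over time; the function names are constructed.

```python
import re

# CA identifiers this page lists for Universal SSL (taken from the page).
UNIVERSAL_SSL_CAS = ("comodoca.com", "digicert.com", "letsencrypt.org")

# The six records shown on the page.
PAGE_RECORDS = '''
example.com. IN CAA 0 issue "comodoca.com"
example.com. IN CAA 0 issue "digicert.com"
example.com. IN CAA 0 issue "letsencrypt.org"
example.com. IN CAA 0 issuewild "comodoca.com"
example.com. IN CAA 0 issuewild "digicert.com"
example.com. IN CAA 0 issuewild "letsencrypt.org"
'''

CAA_LINE = re.compile(r'^(\S+)\s+(?:\d+\s+)?IN\s+CAA\s+(\d+)\s+(\w+)\s+"([^"]*)"\s*$', re.I)


def parse_caa(zone_text):
    """Return (owner, flags, tag, issuer) tuples from CAA lines in presentation format."""
    records = []
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        match = CAA_LINE.match(line)
        if not match:
            raise ValueError(f"not a CAA record: {line!r}")
        owner, flags, tag, value = match.groups()
        issuer = value.split(";")[0].strip().lower()  # drop any ';' parameters
        records.append((owner.rstrip(".").lower(), int(flags), tag.lower(), issuer))
    return records


def universal_ssl_gaps(zone_text, owner):
    """Return {tag: [missing CAs]} for `owner`; an empty dict means no listed CA is blocked."""
    owner = owner.rstrip(".").lower()
    recs = [r for r in parse_caa(zone_text) if r[0] == owner]
    issue = {r[3] for r in recs if r[2] == "issue"}
    issuewild = {r[3] for r in recs if r[2] == "issuewild"}
    if not issue and not issuewild:
        return {}  # no issuance-restricting CAA records at this name
    # When no issuewild record exists, issue records also govern wildcard requests.
    # A set with only issuewild is treated as blocking hostname issuance, as the page states.
    effective = {"issue": issue, "issuewild": issuewild or issue}
    gaps = {}
    for tag, allowed in effective.items():
        missing = [ca for ca in UNIVERSAL_SSL_CAS if ca not in allowed]
        if missing:
            gaps[tag] = missing
    return gaps


if __name__ == "__main__":
    print(universal_ssl_gaps(PAGE_RECORDS, "example.com"))
```
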

 

What happens when Universal SSL is disabled?

Your domain name is immediately removed from the Universal SSL certificate and your users will observe SSL errors unless you upload a custom SSL certificate (requires Business or Enterprise plan).

 

How do I re-enable Universal SSL?

File a support ticket with Cloudflare Support.

 

What are the dangers of setting CAA records?

If you are part of a large organization or one where multiple parties are tasked with obtaining SSL certificates, include CAA records that allow issuance for all CAs applicable for your organization.  Failure to do so can inadvertently block SSL issuance for other parts of your organization.
