{"id":1699,"date":"2020-06-08T01:11:37","date_gmt":"2020-06-07T17:11:37","guid":{"rendered":"https:\/\/www.wesbytes.com\/guide\/?post_type=kb&p=1699"},"modified":"2026-03-26T12:25:32","modified_gmt":"2026-03-26T04:25:32","slug":"warning-about-exposing-your-origin-ip-address","status":"publish","type":"kb","link":"https:\/\/www.servergigabit.com\/guide\/kb\/warning-about-exposing-your-origin-ip-address","title":{"rendered":"Warning about exposing your origin IP address"},"content":{"rendered":"

Warning about exposing your origin IP address<\/strong><\/h2>\n

\"Warning<\/p>\n

Overview<\/span><\/h5>\n
\n

When you have grey-clouded DNS records, Cloudflare<\/a> may warn you that your DNS records might reveal your origin server\u2019s IP address. This is most common with A, AAAA, CNAME, and MX DNS records.<\/em><\/p>\n<\/div>\n

When your DNS records are orange-clouded, Cloudflare speeds up and protects your site.<\/p>\n

A\u00a0dig<\/em>\u00a0query against your orange-cloud root domain returns a Cloudflare IP address. This way, your origin server\u2019s IP address remains concealed from the public. Remember that orange cloud benefits only apply to HTTP traffic.<\/p>\n

Under certain circumstances, the\u00a0DNS Records<\/strong>\u00a0panel in the Cloudflare dashboard\u00a0DNS<\/strong>\u00a0app displays a warning whenever you have grey-clouded DNS records that may expose your origin server\u2019s IP address. This warning does not block, or in any way affect, traffic destine to your site.<\/p>\n

When your server\u2019s IP address is expose, your server is more vulnerable to direct attacks.<\/p>\n

Below are two cases where you might see an IP exposure warning from Cloudflare.<\/p>\n

 <\/p>\n

\n
\n

Case 1 \u2013 DNS records that should be orange-clouded<\/h2>\n<\/div>\n

If you see the following warning:<\/p>\n

This record is exposing your origin server\u2019s IP address. To hide your origin IP address, and increase your server security, click on the grey cloud to change it to orange.<\/em><\/p>\n

Cloudflare recommends orange-clouding the record so that any dig query against that record returns a Cloudflare IP address and your origin server IP address remains concealed from the public.<\/p>\n

To take advantage of Cloudflare\u2019s performance and security benefits, we recommend you orange-cloud DNS records that handle HTTP traffic, including A, AAAA, and CNAME. Do not orange-cloud MX records.<\/p>\n

 <\/p>\n

\n
\n

Case 2 \u2013 DNS records that need to be grey-clouded<\/h2>\n<\/div>\n

When you have a grey-clouded\u00a0A<\/em>,\u00a0AAAA<\/em>,\u00a0CNAME<\/em>, or\u00a0MX<\/em>\u00a0record pointing to the same origin server hosting your site, Cloudflare displays one of the following warnings:<\/p>\n

An A, AAA, CNAME, or MX record is pointed to your origin server exposing your origin IP.<\/em><\/p>\n

This record is exposing your origin server\u2019s IP address, potentially exposing it to denial of service.<\/em><\/p>\n

Wildcard \u201c*<\/strong>\u201d DNS records can only be proxied to Cloudflare for domains on the Enterprise plan. For all other plans, a wildcard DNS record reveals the origin IP.<\/p>\n

A\u00a0dig<\/em>\u00a0query against these records reveals your origin server\u2019s IP address. This information makes it easier for potential attackers to target your origin server directly.<\/p>\n

However, there are times when some of your DNS records need to remain grey-clouded. For example:<\/p>\n