traceroute (or tracert if you're on Windows) is not an ideal tool to find out what IP address a domain maps to. Nor is ping, since some people use that. Although they both do a domain to IP address lookup as the first thing they do, this is incidental to their primary function.
If you want to know the IP address for a domain, the tools that are specifically designed for this purpose are nslookup and dig. (nslookup exists on Windows as well. dig is available if you install Cygwin on Windows or use any Unix or Linux variant.)
In order for CloudFlare to work, the IP address you get back when you use nslookup or dig on your domain should be the one CloudFlare told you to use. If it is still your IP address, you aren't using CloudFlare.
There is lots of caching in the domain name system. If you have recently changed your domain to point to CloudFlare but one of the above tools still sees it as pointing to your server, it is probably due to caching. dig will also print out the TTL value for any result, which indicates how long that result will continue to be cached for. You can tell dig to get its results directly from the authoritative name servers, which will avoid this caching. (This is why dig is a much more appropriate tool than ping or traceroute for dealing with DNS.) The command for this is dig @ns1.example.com www.example.com where ns1.example.com is your name server and www.example.com is your domain.
From the FAQs, CloudFlare require you to change your authoritative name servers to theirs. This setting can also be cached and often has a very long TTL (multiple days is not uncommon).
Even if you are still seeing the old, cached IP address, as long as you see the CloudFlare one when using the authoritative name servers, some people may have the correct one. In that case, you will see hits in your web server logs from CloudFlare's IP addresses.
If you want to have your visitors' original IP addresses in your logs, mod_cloudflare is available for Apache and there are solutions for other platforms.
The protection you get from CloudFlare comes from three different aspects:
- They act as a reverse proxy for your website. As with all reverse proxy setups, this means that they will only make valid requests to the origin webserver. They will also not artificially slow down the requests, so Slow Loris attacks (for example) will not affect your web server.
- They cache your static content. This means that if you end up linked from the front page of Slashdot or Reddit, only roughly 1/10th of that traffic will reach your server. The other 9/10ths will be served directly by CloudFlare. This can also help mitigate a DDoS attack depending on its size and your capacity.
- They filter out email harvesting bots, blog comment spammers, brute-force login attempts and known software vulnerabilities such as the ones you see attacking phpMyAdmin, WordPress and Joomla all the time. With a Pro account, they will also filter out any XSS and SQL injection attempts they detect.
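
The DNS check described earlier (compare what your resolver returns with what the authoritative name server returns, and read the TTL), as an added example that is not part of the original answer. It parses the output of dig +noall +answer; the sample outputs, the addresses (documentation ranges, not real CloudFlare IPs) and the function names are constructed for illustration.

```python
"""Compare a cached dig answer with the authoritative one (added example)."""
import ipaddress

# Constructed sample output of `dig +noall +answer www.example.com` (recursive
# resolver still caching the old record) and of
# `dig +noall +answer @ns1.example.com www.example.com` (authoritative server).
CACHED = "www.example.com.\t2711\tIN\tA\t198.51.100.7\n"
AUTHORITATIVE = (
    "www.example.com.\t300\tIN\tA\t203.0.113.10\n"
    "www.example.com.\t300\tIN\tA\t203.0.113.11\n"
)
# Placeholder for the addresses the proxy provider told you to use.
ASSIGNED = {"203.0.113.10", "203.0.113.11"}


def parse_answer(text):
    """Return [(ttl_seconds, ip)] for every A/AAAA line in a dig answer section."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        # Layout: name, TTL, class, type, rdata. Skip comments, blanks, CNAMEs.
        if len(fields) < 5 or line.startswith(";") or fields[3] not in ("A", "AAAA"):
            continue
        records.append((int(fields[1]), str(ipaddress.ip_address(fields[4]))))
    return records


def diagnose(cached_text, authoritative_text, assigned):
    """Classify a switch-over as (state, seconds the stale answer may live on)."""
    assigned = {str(ipaddress.ip_address(a)) for a in assigned}
    auth = parse_answer(authoritative_text)
    cached = parse_answer(cached_text)
    if not auth or not {ip for _, ip in auth} <= assigned:
        return "not-proxied", 0  # authoritative data is not the assigned set
    if not cached:
        return "no-answer", 0    # resolver returned no address records
    stale = [ttl for ttl, ip in cached if ip not in assigned]
    if stale:
        # The resolver may keep serving the old address for up to this long.
        return "cached", max(stale)
    return "proxied", 0


if __name__ == "__main__":
    print(diagnose(CACHED, AUTHORITATIVE, ASSIGNED))
```

A result of "cached" means the authoritative servers already hand out the proxy addresses and only the resolver's cache is behind; "not-proxied" means the record itself still points at the origin.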