3

I'm not that familiar with the inner workings of DNS, preferring to just add my CNAMEs and A records as appropriate, and leave the behind the scenes to other services. I host a few sites on Amazon S3, which clearly doesn't allow you to have an A record with a specific IP as it is a cloud service. Consequently, I have to use 301 redirects for the naked (foobar.org) domain to www.foobar.org, enforcing the use of either a third party service, or a server to do the redirects.

I noticed that Cloudflare have started offering a service which allows you essentially to break DNS conventions and set a CNAME for your root domain - solving the naked domain on S3 issue. However, I'm not sure what the issues are with this - is this going to cause issues for MX records, web visitors and others? What could be the unintended side effects?

jvc26

2 Answers

3

It's not really a CNAME, though, is it? It's a configuration of where they should pull your site from when they get requests for it.

CloudFlare's service directs traffic to their own servers as a caching proxy. Their example has a CNAME going to an Amazon EC2 address, but that's not the server they're going to point you to when your client queries for it; instead, they'll return the address of their own proxy host in response to your query.

If they did indeed configure a CNAME record on your root domain, it would indeed break your MX and SOA records - but I suspect that's not how they've implemented it.

Shane Madden
  • Sounds like some privacy issues may come into play if a proxy exists. Security issues too (`How is my data secured against unauthorized access in the cache?`), also reliability issues (`What is the SLA for the cached proxy?`). – makerofthings7 May 29 '12 at 19:00
  • @makerofthings7 Well, that's [the service that CloudFlare offers](https://www.cloudflare.com/plans); I'm sure their customers have asked the same questions. – Shane Madden May 29 '12 at 19:45
  • "it would indeed break your MX and SOA records" The biggest issue we have seen is with MX records (we generally recommend setting A records for the root domain), and this is largely a DNS RFC compliance issue. – damoncloudflare May 29 '12 at 23:34
  • @damoncloudflare Oh, so it is a direct `CNAME` from the client's domain to... well, is it a `CNAME` to your systems, or to the client's web hosting (as in the example in the linked blog post)? – Shane Madden May 30 '12 at 15:31
  • I realise this is an old answer, but I just stumbled across it. Going by https://support.cloudflare.com/hc/en-us/articles/200169056-CNAME-Flattening-RFC-compliant-support-for-CNAME-at-the-root, it seems Cloudflare only proxies through their own servers if you turn that on. Otherwise they just look up and return the IP number of the "CNAMEd" hostname. – Henrik N Nov 07 '16 at 14:35
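
The two behaviours discussed in this answer and its comments (a literal CNAME at the apex colliding with the SOA/NS/MX records, versus "flattening" the CNAME into the A records of its target or into the proxy's own addresses) can be shown with a small in-memory model. This is an added example and not code from the thread or from CloudFlare; the zone file, the S3 website hostname and every IP address in it are constructed, and the `UPSTREAM_A` table stands in for whatever a real resolver would get back for the CNAME target.

```python
"""Model of why a CNAME at the zone apex is illegal and what CNAME flattening does.

Added example, not code from the original thread. All names and addresses are
constructed; no network lookups are performed.
"""
from collections import defaultdict

# Constructed zone: a root-domain CNAME pointing at an (assumed) S3 website
# endpoint, sitting next to the SOA/NS/MX records every apex has to carry.
SAMPLE_ZONE = """
foobar.org.      3600 IN SOA   ns1.foobar.org. hostmaster.foobar.org. 1 7200 3600 1209600 3600
foobar.org.      3600 IN NS    ns1.foobar.org.
foobar.org.      3600 IN MX    10 mail.foobar.org.
foobar.org.      3600 IN CNAME foobar.org.s3-website-us-east-1.amazonaws.com.
www.foobar.org.  3600 IN CNAME foobar.org.s3-website-us-east-1.amazonaws.com.
mail.foobar.org. 3600 IN A     192.0.2.25
"""

# Constructed stand-in for what an upstream lookup of the CNAME target returns.
UPSTREAM_A = {
    "foobar.org.s3-website-us-east-1.amazonaws.com.": ["192.0.2.10", "192.0.2.11"],
}


def parse_zone(text):
    """Parse a minimal 'owner ttl class type rdata' zone file into {owner: [(type, rdata)]}."""
    records = defaultdict(list)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        owner, _ttl, _cls, rtype, *rdata = line.split()
        records[owner].append((rtype, " ".join(rdata)))
    return records


def cname_conflicts(records):
    """RFC 1034 section 3.6.2: if a name owns a CNAME it may own no other data.

    Returns {owner: [other types present]} for every name that violates this.
    """
    bad = {}
    for owner, rrs in records.items():
        types = [t for t, _ in rrs]
        if "CNAME" in types and len(types) > 1:
            bad[owner] = sorted({t for t in types if t != "CNAME"})
    return bad


def resolve_target(name, records, upstream, max_hops=8):
    """Follow a CNAME chain (in-zone or via the constructed upstream table) to A records."""
    for _ in range(max_hops):
        if name in upstream:
            return list(upstream[name])
        rrs = records.get(name, [])
        a = [rd for t, rd in rrs if t == "A"]
        if a:
            return a
        cn = [rd for t, rd in rrs if t == "CNAME"]
        if not cn:
            raise LookupError(f"no A or CNAME data for {name}")
        name = cn[0]
    raise LookupError("CNAME chain too long")


def flatten_apex(records, apex, upstream=UPSTREAM_A, proxy_addrs=None):
    """Return a copy of the zone with the apex CNAME replaced by A records.

    Without proxy_addrs this is 'CNAME flattening': the target is resolved and
    its addresses are served at the apex. With proxy_addrs (the reverse-proxy
    mode described in the answer) the proxy's own addresses are served instead
    and the CNAME target is only used server-side to fetch the site.
    """
    rrs = records[apex]
    cn = [rd for t, rd in rrs if t == "CNAME"]
    if not cn:
        return {k: list(v) for k, v in records.items()}  # nothing to flatten
    addrs = list(proxy_addrs) if proxy_addrs else resolve_target(cn[0], records, upstream)
    flattened = {k: list(v) for k, v in records.items()}
    flattened[apex] = [(t, rd) for t, rd in rrs if t != "CNAME"] + [("A", ip) for ip in addrs]
    return flattened


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    print("conflicts before:", cname_conflicts(zone))
    flat = flatten_apex(zone, "foobar.org.")
    print("conflicts after: ", cname_conflicts(flat))
    print("apex records:    ", flat["foobar.org."])
```

Run as-is, the conflict check flags `foobar.org.` because it owns MX, NS and SOA data alongside the CNAME (the `www` name, which owns only the CNAME, is fine), and after flattening the apex carries A records next to the MX record with no conflict. The caveat the flattening approach carries is visible in `resolve_target`: the answer served at the apex is only as fresh as the last lookup of the target, so a provider doing this has to re-resolve as the target's TTL expires, and the MX record has to stay an ordinary record at the apex rather than being routed through the CNAME.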
1

Any DNS server that permits such a configuration is buggy by definition. I wouldn't trust those DNS servers for any mission critical services.

On the other hand, this might work if Cloudflare owns all the servers for a given TLD (.biz, .com, etc) and then disallow any other record at somehost.com such as MX, TXT, SOA, etc. This is unlikely, and would cause other problems down the road...

makerofthings7